A long time ago, in a galaxy far, far away, someone said...

> So far I have the following setup:
> 
> hosts.deny:
> 
> ALL:ALL
> 
> hosts.allow:
> 
> ALL: my_work.domain
> 
> My intention is to prevent everyone from the 'outside' from reaching
> my box.  I do realize that anyone in my_work.domain would also be able
> to get at it.
> 
> It is my understanding that this will prevent anyone not in
> my_work.domain from getting to my box with telnet, ftp, etc.  Is this
> correct?

Mostly.

> Is this secure?

It can be - just don't rely on it alone.  Not everything uses
hosts.allow/hosts.deny to perform host-level access control.

> If this is indeed correct could someone tell me why I would need/want
> a firewall and/or what benefit it would provide me over what I already
> have setup?  More specifically how does a firewall differ from using
> the hosts.allow/hosts.deny files as I described above.

As I mentioned above, not everything uses hosts.allow/hosts.deny to
perform access control.  Specific example:  You need to run NFS, but you
need to only allow certain IP numbers to access the service.  Slight
problem: NFS doesn't use hosts.allow/hosts.deny.  ACLs in /etc/exports (or
the equivalent) may not protect you fully, either (see below).

There's also the fact that firewalls operate at a lower level than
hosts.allow/hosts.deny.  It's been shown time and time again that invalid
IP packets coming off the network can cause your computer to crash (ever
hear about the bonk, land, and teardrop attacks against Windows systems?).  
Packet-filtering systems ("firewall" is too broad a term for what I'm
talking about) can also protect you against stuff like portscans,
IP number spoofing, and much more.

The use of hosts.allow and hosts.deny can't protect you against any of
that; a packet-filtering firewall will stop the connection before it even
gets that far.

-- 
----------------------------------------------------------------------
Phil Brutsche                               [EMAIL PROTECTED]

"There are two things that are infinite; Human stupidity and the
universe. And I'm not sure about the universe." - Albert Einstein
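
Added example (not part of the original message): a simplified Python model of the hosts_access(5) decision for the two files posted above, showing which connections the wrapper files actually decide. The daemon names and client host names are constructed, the posted pattern is taken literally, and only ALL, exact-name and leading-dot patterns are modelled (lower-case names only).

```python
# Simplified model of the hosts_access(5) decision for the files in the post.
HOSTS_ALLOW = "ALL: my_work.domain\n"   # as posted
HOSTS_DENY = "ALL:ALL\n"                # as posted

# Assumption: daemons that consult the wrapper files (run via tcpd or linked to libwrap).
WRAPPED = {"in.telnetd", "in.ftpd"}


def parse(text):
    """Return a list of (daemon_patterns, client_patterns) rules."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        daemons, clients = line.split(":", 2)[:2]   # trailing options are ignored
        rules.append((daemons.replace(",", " ").split(),
                      clients.replace(",", " ").split()))
    return rules


def _match(pattern, value):
    if pattern == "ALL":
        return True
    if pattern.startswith("."):      # ".example.com" matches any host under it
        return value.endswith(pattern)
    return pattern == value          # no leading dot: exact name only


def rule_hit(rules, daemon, client):
    return any(
        any(_match(d, daemon) for d in ds) and any(_match(c, client) for c in cs)
        for ds, cs in rules
    )


def wrapper_decision(daemon, client):
    """hosts.allow is checked first, then hosts.deny; no match means allow."""
    if daemon not in WRAPPED:
        return "not consulted"       # e.g. nfsd: the files never see the connection
    if rule_hit(parse(HOSTS_ALLOW), daemon, client):
        return "allow"
    if rule_hit(parse(HOSTS_DENY), daemon, client):
        return "deny"
    return "allow"
```

A client pattern without a leading dot matches only a host with exactly that name, so in this model pc1.my_work.domain is denied; writing the pattern as .my_work.domain covers every host in the domain.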

