
Re: wish list



On Mon, Jun 07, 1999 at 12:39:58AM +0200, Pere Camps wrote:
> 	I think that even only if you have one service open, then it's
> pretty useless to have a single-firewalled host.
> 
> 	It's much more easier to simply comment out a service in inetd and
> add the proper line in /etc/hosts.allow.
> 

Essentially, hosts.deny only protects if the daemon is forked from inetd
with tcpd, or the daemon is compiled with the tcp wrapper libraries.
Either way will incur a performance hit with each connection.

xinetd and/or proper ipchains filtering are more suitable solutions,
respectively, for most systems.

Also, ipchains rules are not in themselves a firewall, they just
instruct the kernel to deny or drop packets.  No proxying is done.

-- 
 Au

PGP Key ID: 0x385B44CB
Fingerprint: 9E9E B116 DB2C D734 C090  E72F 43A0 95C4 385B 44CB
       lottery(n): A tax on people who are bad at math.
-
Securedistros: A common list for all secured Linux distributions
Archive:       http://humbolt.nl.linux.org/lists/
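The hosts.allow / hosts.deny decision Au describes, as an added example that is not part of the original thread: a Python model of the tcp_wrappers lookup (hosts.allow is consulted first, then hosts.deny, and a connection that matches neither table is granted), with a `wrapped` flag standing in for a daemon that is neither started by tcpd from inetd nor linked against libwrap. The two sample tables, the daemon names and the client addresses are constructed for this example; the pattern syntax covered is the common subset of hosts_access(5) (ALL, LOCAL, KNOWN, UNKNOWN, `.domain` suffixes, `net.` prefixes, `net/mask`, `net/prefixlen`, exact names and EXCEPT lists), so netgroups, `daemon@host` endpoints, PARANOID and the shell_command field are not modelled.

```python
import ipaddress

# Constructed sample tables for this example (not from the original post).
HOSTS_ALLOW = """\
# daemon_list : client_list          (hosts_access(5) syntax)
sshd, in.ftpd : 192.168.1.0/255.255.255.0
in.ftpd       : 10.0.0.0/255.0.0.0 EXCEPT 10.0.0.5
in.telnetd    : LOCAL, .example.com
ALL           : 127.0.0.1
"""

HOSTS_DENY = """\
ALL : ALL
"""


def _split_list(text):
    """Split a daemon or client list on commas and/or whitespace."""
    return [tok for tok in text.replace(",", " ").split() if tok]


def parse_table(text):
    """Parse hosts.allow/hosts.deny text into (daemons, clients, exceptions) rules.

    Only the daemon_list and client_list fields are modelled; a third
    (shell_command) field is ignored. 'list EXCEPT list' in the client
    field is split into positive patterns and exceptions.
    """
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split(":")
        if len(fields) < 2:
            continue  # malformed entry: ignored in this model
        daemons = _split_list(fields[0])
        tokens = _split_list(fields[1])
        upper = [t.upper() for t in tokens]
        if "EXCEPT" in upper:
            idx = upper.index("EXCEPT")
            clients, exceptions = tokens[:idx], tokens[idx + 1:]
        else:
            clients, exceptions = tokens, []
        rules.append((daemons, clients, exceptions))
    return rules


def _match_client(pattern, addr, host):
    """Match one client pattern against an address and a (possibly empty) hostname."""
    up = pattern.upper()
    if up == "ALL":
        return True
    if up == "LOCAL":                       # hostname without a dot
        return bool(host) and "." not in host
    if up == "KNOWN":                       # hostname could be resolved
        return bool(host)
    if up == "UNKNOWN":
        return not host
    if pattern.startswith("."):             # ".example.com": hostname suffix
        return bool(host) and host.lower().endswith(pattern.lower())
    if pattern.endswith("."):               # "192.168.": address prefix
        return addr.startswith(pattern)
    if "/" in pattern:                      # "net/mask" or "net/prefixlen"
        try:
            network = ipaddress.ip_network(pattern, strict=False)
            return ipaddress.ip_address(addr) in network
        except ValueError:
            return False
    return addr == pattern or (bool(host) and host.lower() == pattern.lower())


def _rule_matches(rule, daemon, addr, host):
    daemons, clients, exceptions = rule
    if not any(d.upper() == "ALL" or d == daemon for d in daemons):
        return False
    if not any(_match_client(p, addr, host) for p in clients):
        return False
    return not any(_match_client(p, addr, host) for p in exceptions)


def hosts_access(daemon, addr, host, allow_rules, deny_rules, wrapped=True):
    """Return True if the connection is admitted.

    wrapped=False models a daemon started outside tcpd and not linked
    against libwrap: it never reads the tables, so they cannot stop it.
    """
    if not wrapped:
        return True
    if any(_rule_matches(r, daemon, addr, host) for r in allow_rules):
        return True
    if any(_rule_matches(r, daemon, addr, host) for r in deny_rules):
        return False
    return True  # nothing matched: tcpd grants access by default


if __name__ == "__main__":
    allow, deny = parse_table(HOSTS_ALLOW), parse_table(HOSTS_DENY)
    for daemon, addr, host in [("sshd", "192.168.1.10", ""), ("sshd", "10.0.0.5", ""),
                               ("in.telnetd", "10.1.2.3", "gateway"),
                               ("in.fingerd", "10.0.0.5", "")]:
        verdict = "allow" if hosts_access(daemon, addr, host, allow, deny) else "deny"
        print(f"{daemon:12} {addr:15} {host or '-':12} {verdict}")
```

Two things the model makes visible. First, with an empty hosts.deny the tables grant everything, so the usual `ALL : ALL` in hosts.deny is what turns hosts.allow into a whitelist. Second, the `wrapped` flag is the whole of Au's point: a daemon launched from its own init script rather than through tcpd in inetd.conf is only covered if it links libwrap, which `ldd` on the daemon binary will show; otherwise it has to be filtered in the kernel with ipchains (or in xinetd, which has its own access control).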