Oh, and to get telnet to only listen on the internal device, well, that's another story. You can edit your /etc/hosts.allow file to include

in.telnetd: yyy.yyy.yyy. : ALLOW

where yyy.yyy.yyy. is the internal network, then in /etc/hosts.deny put

ALL: ALL

but that doesn't stop telnet from listening, only keeps people from connecting. (You need the tcpd rpm installed for this, by the way.)

Another method would be to restrict both sendmail and telnet via ipchains or iptables. This could be done like this (assume your internal network is yyy.yyy.yyy.0/24 and your machine IP is yyy.yyy.yyy.1 internal and xxx.xxx.xxx.1 external):

ipchains -A input -s yyy.yyy.yyy.0/24 -d yyy.yyy.yyy.1 -p tcp --dport 23 -j ACCEPT
ipchains -A input -s 0/0 -d xxx.xxx.xxx.1 -p tcp --dport 23 -j DENY

(The first rule allows connections from your local LAN to your telnet server running on port 23, while the second one blocks all other IPs that attempt to connect to port 23 on your machine.)

And for sendmail:

ipchains -A input -s ! yyy.yyy.yyy.0/24 -p tcp --dport 25 -j ACCEPT

(This will accept connections to port 25 from every IP but the ones in your local LAN network.)

On Fri, 19 Oct 2001, Peter Nixon wrote:
On Fri, 19 Oct 2001 16:35:08 +0200 Christian Weickhmann <christian.weickhmann@web.de> wrote:
Fiorenza Meini wrote:
Hi there, I installed Linux 7.2 on a machine where I want to have running only sendmail and telnet (I configured inetd). I have a network card with a public IP address, but for security reasons I'd like to configure another network card with a local address on which I want telnetd to listen. So, what I'd like to do is this:

- sendmail listening on the network card with the public IP address
- telnet listening on the network card with the local IP address
Is this possible? Any suggestion on how can I configure the system?
Thanks
Fiorenza
Hello Fiorenza!
It's not a *real* solution: Have you set up a firewall? You could set one up with telnet port closed to external network. It would be a bit at least. Do you really need telnet? Try to use ssh.
I'm sorry, but I have to disagree with you on this. It all depends on how Fiorenza has his network configured. You can't tell him it's not a "real" solution when you don't know the details of his network. It is in fact a _very_ good idea to only bind services to the interfaces you need them to be used on. I agree that he should use ssh instead of telnet, but this doesn't change the fact that he asked a very valid question about how to configure a machine to only bind certain services to certain interfaces. For all you know, his machine could _be_ the firewall....
Fiorenza: I'm sorry, I realised that I only answered your question in part last post. I am actually not sure how to force sendmail to bind to only one interface (you have to do it inside sendmail, as you rarely run sendmail from x/inetd); however, if you want to take a look at postfix, you will find that it's very simply a matter of editing main.cf and telling it which interface to bind to. Maybe some sendmail junkies can tell you the solution for sendmail, although I suspect that if you have sendmail listening on the _live_ interface, there will be no problem with it listening internally also..
HTH
-- Have fun
Nix - nix@susesecurity.com http://www.susesecurity.com
-- To unsubscribe, e-mail: suse-security-unsubscribe@suse.com For additional commands, e-mail: suse-security-help@suse.com
Chad Whitten Network/Systems Administrator neXband Communications chadwick@nexband.com
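The two mechanisms the thread contrasts, shown side by side as an added example that is not code from any of the posters: a minimal tcp_wrappers-style access check using the hosts.allow / hosts.deny syntax quoted in Chad's post, and a listener bound to a single address. The rule files are constructed samples (192.168.1.0/24 stands in for the yyy.yyy.yyy. internal network); the net/mask client form is an assumption added beyond the prefix form the post shows. The point it makes is the one in the post: wrapper and firewall rules decide who may connect, but only the bind address decides where a daemon actually listens.

```python
"""Added example, not code from this thread: a tcp_wrappers-style access
check plus a single-address listener."""
import ipaddress
import socket

# Constructed sample rule files in the syntax quoted in the post.
HOSTS_ALLOW = """
# daemon_list : client_list : option
in.telnetd: 192.168.1. : ALLOW
"""
HOSTS_DENY = """
ALL: ALL
"""


def parse_rules(text):
    """Turn 'daemons : clients [: option]' lines into (daemons, clients, option)."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = [f.strip() for f in line.split(":")]
        if len(fields) < 2:
            raise ValueError(f"malformed rule: {raw!r}")
        option = fields[2].upper() if len(fields) > 2 else None
        rules.append((fields[0].split(), fields[1].split(), option))
    return rules


def client_matches(pattern, addr):
    """ALL, a trailing-dot prefix ('192.168.1.'), net/mask (assumed extra), or an exact address."""
    if pattern == "ALL":
        return True
    if pattern.endswith("."):
        return addr.startswith(pattern)
    if "/" in pattern:
        return ipaddress.ip_address(addr) in ipaddress.ip_network(pattern, strict=False)
    return pattern == addr


def daemon_matches(pattern, daemon):
    return pattern == "ALL" or pattern == daemon


def access_allowed(daemon, addr, allow_text=HOSTS_ALLOW, deny_text=HOSTS_DENY):
    """tcp_wrappers order: hosts.allow first, then hosts.deny, else allow.
    An explicit ALLOW/DENY option overrides which file the rule lives in."""
    for file_text, default in ((allow_text, True), (deny_text, False)):
        for daemons, clients, option in parse_rules(file_text):
            if any(daemon_matches(d, daemon) for d in daemons) and any(
                client_matches(c, addr) for c in clients
            ):
                if option in ("ALLOW", "DENY"):
                    return option == "ALLOW"
                return default
    return True


def listen_on(address, port=0):
    """Bind a listening socket to one address only. A daemon bound to the
    wildcard '0.0.0.0' is reachable on every interface no matter what the
    wrapper files say; binding to the internal address is what stops it
    from listening on the external one."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    sock.bind((address, port))
    sock.listen(1)
    return sock


def bound_address(sock):
    """Address the kernel actually bound the listener to."""
    return sock.getsockname()[0]


if __name__ == "__main__":
    checks = (("in.telnetd", "192.168.1.7"), ("in.telnetd", "203.0.113.5"),
              ("sshd", "192.168.1.7"))
    for daemon, client in checks:
        verdict = "ALLOW" if access_allowed(daemon, client) else "DENY"
        print(f"{daemon} from {client}: {verdict}")
    lo = listen_on("127.0.0.1")
    print("listening only on", bound_address(lo))
    lo.close()
```

The wrapper check runs once per connection, after the daemon has already accepted the TCP handshake on whatever interface it was bound to; listen_on shows the bind-time decision that actually removes the port from the external interface.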