Hi,

I try to block all the incoming connections to pop3 in hosts.deny. Only it doesn't work... When I try it with ssh there is no problem.

I would like to block with hosts.deny all the pop3 and I will add a few hosts in hosts.allow who are allowed for pop3.

Is it also possible to do this with iptables? Can I see if your host ends with *.ISP.nl you have access to the pop server?

Greets Wouter
Wouter wrote:
> I would like to block with hosts.deny all the pop3 and I will add a few hosts in hosts.allow who are allowed for pop3.

Perhaps you should have sent your hosts.deny entries along with your question. And remember that the first argument in this file is the program name, not the portname.

> Is it also possible to do this with iptables? Can I see if your host ends with *.ISP.nl you have access to the pop server?

No, domain name wildcarding isn't possible with iptables. (You'd have to determine each and every IP which should be allowed. Typically it's your local network and you can define a CIDR network for these hosts.)

Peter
> Perhaps you should have sent your hosts.deny entries along with your question. And remember that the first argument in this file is the program name, not the portname.

Please also send the part of your /etc/inetd.conf, where there is the line with pop3 ...

Martin

-----------------------------------------------------------------
Dipl.-Ing. Martin Schichl
SC&C Software, Communication & Consulting GmbH & Co KEG
Grottenhofstr. 3, A-8053 Graz
Tel. +43/(0)316/265-205, Fax +43/(0)316/265-234
mschichl@scc.co.at, http://scc.co.at
Are you sure your POP server was compiled with libwrap support? If not, you can't block with hosts.deny.

If I understand correctly, you want to block all connections from outside the Netherlands? You can do that with iptables:

From the iptables manpages:

Source specification. Address can be either a network name, a hostname (please note that specifying any name to be resolved with a remote query such as DNS is a really bad idea)

Please also note the BAD idea part: it's possible but not advisable. Same goes for doing it with libwrap: any incoming connection would have to be resolved first. That could take seconds if the DNS connection is slow: hello gridlock. Or what about addresses that don't resolve back?

If you want to block access to your pop server, I suggest you do it with ip-numbers, and preferably include-style, that is block all and only allow those that you want to.

HTH

Stefan

On Monday 27 January 2003 16:55, Wouter wrote:
> Hi,
>
> I try to block all the incoming connections to pop3 in hosts.deny. Only it doesn't work... When I try it with ssh there is no problem.
>
> I would like to block with hosts.deny all the pop3 and I will add a few hosts in hosts.allow who are allowed for pop3.
>
> Is it also possible to do this with iptables? Can I see if your host ends with *.ISP.nl you have access to the pop server?
>
> Greets Wouter
Stefan Suurmeijer wrote:
> Are you sure your POP server was compiled with libwrap support? If not, you can't block with hosts.deny.

Yes, you can. hosts.allow comes from the tcpwrappers package, which also includes "tcpd". Most often this is used in /etc/inetd.conf:

    finger stream tcp nowait nobody /some/where/tcpd in.fingerd

Would protect the "finger" service even if "in.fingerd" has no support for tcp-wrappers. The same goes for pop-servers which are spawned off inetd.

Peter
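
Added example (not part of any message in this thread): a Python check for the two points raised above, that a hosts.deny rule must name the daemon program rather than the port/service name, and that tcp-wrappers covers an inetd service only when /etc/inetd.conf starts it through tcpd. The daemon name `ipop3d`, the paths, the function names and the sample file contents are constructed assumptions.

```python
# Added example: sample file contents below are constructed, not from the thread.
import os

# Assumed daemon name and paths; the thread never names the POP3 daemon.
INETD_WRAPPED = "pop3 stream tcp nowait root /usr/sbin/tcpd ipop3d\n"
INETD_DIRECT = "pop3 stream tcp nowait root /usr/sbin/ipop3d ipop3d\n"

def wrapped_daemon(inetd_conf, service):
    """Daemon name tcpd matches for `service`; None if not started via tcpd."""
    for line in inetd_conf.splitlines():
        f = line.split()
        # service socket proto wait user server_path argv0 [args...]
        if len(f) < 7 or f[0].startswith("#") or f[0] != service:
            continue
        if os.path.basename(f[5]) != "tcpd":
            return None
        return os.path.basename(f[6])
    return None

def daemons_in(rules):
    """Daemon names from the first field of each rule (no EXCEPT, no continuations)."""
    names = set()
    for line in rules.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        daemon_list = line.split(":", 1)[0].replace(",", " ")
        names.update(d.split("@")[0] for d in daemon_list.split())
    return names

def audit(inetd_conf, hosts_deny, service):
    """Classify how hosts.deny relates to an inetd service."""
    daemon = wrapped_daemon(inetd_conf, service)
    if daemon is None:
        # Rules apply only if the daemon itself was built with libwrap.
        return "not-wrapped"
    named = daemons_in(hosts_deny)
    if daemon in named or "ALL" in named:
        return "covered"
    if service in named:
        return "service-name-used"  # rule names the port/service, not the program
    return "no-rule"

if __name__ == "__main__":
    for deny in ("pop3: ALL\n", "ipop3d: ALL\n", "ALL: ALL\n"):
        print(repr(deny), "->", audit(INETD_WRAPPED, deny, "pop3"))
    print("direct ->", audit(INETD_DIRECT, "ipop3d: ALL\n", "pop3"))
```

A "covered" result only means a deny rule names the daemon; a matching entry in hosts.allow is consulted first and still grants access.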
participants (4): Martin Schichl, Peter Wiersig, Stefan Suurmeijer, Wouter