How do I filter specific hosts and/or networks?
How do I tell SuSEfirewall2 not to talk to certain specific hosts and/or networks? I know how to tell it that it can talk, but how do I create negative exceptions? Do I have to write iptables code?

Thank you.

--
Paul Elliott 1(512)837-1096 pelliott@io.com
PMB 181, 11900 Metric Blvd Suite J http://www.io.com/~pelliott/pme/
Austin TX 78758-3117
Hmm, silly question: Can't this be done by using the hosts.deny file? AFAIK the server doesn't allow any connections at all for hosts listed in there... just my 2 cents

Stephan
On Wednesday 13 February 2002 15:49, OKDesign oHG Security Administrator wrote:
: Hmm, silly question: Can't this be done by using the hosts.deny-file ?
: AFAIK the server doesn't allow any connections at all for hosts being
: listed in there...

Another silly question then - how do I use hosts.deny with xinetd instead of inetd? I'm using xinetd, which works great, but the system seems to ignore the hosts. files...

George
Good point. But as I'm absolutely unfamiliar with xinetd, I have absolutely no idea. :-) Sorry.

By the way: What is the advantage of using xinetd instead of inetd? Is it more secure or just easier to configure?

Stephan
Hmm, yet another silly question: is there a reason you don't use iptables / ipchains to block certain hosts? Won't the hosts.deny file just work with the apps that support it?
: Another silly question then - how do I use hosts.deny with xinetd instead
: of inetd. I'm using xinetd, which works great, but the system seems to
: ignore the hosts. files...

AFAIK the binaries have to be compiled with libwrap support. SuSE does that by default, but if your rpm comes from another source, it could ignore the hosts files. "ldd xinetd" shows you the libs that are bound. Correct me if I'm wrong.

Michael Appeldorn
On Thursday 14 February 2002 03:36, Michael Appeldorn wrote:
: AFAIK the bins have to be compiled with libwrap support. Suse does that
: by default, but if your rpm comes from other source, they could ignore
: the host-files.
:
: ldd xinetd - shows you the libs that are bound.

None of these look like libwrap to me (but I don't know what I'm looking for ;P ):

$ ldd /usr/sbin/xinetd
        libnsl.so.1 => /lib/libnsl.so.1 (0x40029000)
        libm.so.6 => /lib/libm.so.6 (0x4003f000)
        libcrypt.so.1 => /lib/libcrypt.so.1 (0x40061000)
        libc.so.6 => /lib/libc.so.6 (0x4008e000)
        /lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x40000000)
me@user-119a2lr:~ $ rpm -q xinetd
xinetd-2.3.3-15

I don't usually compile my own unless yast can't find it for me, and I'm pretty sure that this was a yast-installed version... guess I should try and compile myself...

Another good point though was the question about services that aren't being started by xinetd. By default, xinetd on SuSE isn't starting apache - so maybe I shall look this possibility up as well...

Geo
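The libwrap check Michael describes and George runs by hand, as an added example that is not from the original thread: a small POSIX sh helper that classifies a binary from its ldd output, so a defender can tell whether hosts.deny will be consulted at all. The sample ldd output is the one George posted (no libwrap); the second sample is a constructed, hypothetical variant of a libwrap-linked build.

```shell
#!/bin/sh
# Constructed sample: George's ldd output for /usr/sbin/xinetd (no libwrap).
XINETD_LDD_NO_WRAP='	libnsl.so.1 => /lib/libnsl.so.1 (0x40029000)
	libm.so.6 => /lib/libm.so.6 (0x4003f000)
	libcrypt.so.1 => /lib/libcrypt.so.1 (0x40061000)
	libc.so.6 => /lib/libc.so.6 (0x4008e000)
	/lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x40000000)'

# Constructed, hypothetical sample of a build that was linked against libwrap.
XINETD_LDD_WITH_WRAP="	libwrap.so.0 => /lib/libwrap.so.0 (0x40020000)
$XINETD_LDD_NO_WRAP"

# ldd_has_libwrap OUTPUT: exit 0 if the given ldd output lists libwrap.so,
# exit 1 otherwise. Only the shared library name at the start of a line counts.
ldd_has_libwrap() {
    printf '%s\n' "$1" | grep -q '^[[:space:]]*libwrap\.so'
}

# check_libwrap BINARY: run ldd on a real binary and classify the result.
# Prints "libwrap", "no-libwrap" or "static/unreadable" and returns 0, 1 or 2.
# Assumption: a statically linked or unreadable file makes ldd exit non-zero.
check_libwrap() {
    out=$(ldd "$1" 2>/dev/null) || { echo "static/unreadable"; return 2; }
    if ldd_has_libwrap "$out"; then echo "libwrap"; return 0; fi
    echo "no-libwrap"
    return 1
}

# Stand-alone run: check the two samples, then the xinetd binary if present.
if [ -z "$LIBWRAP_CHECK_NO_MAIN" ]; then
    ldd_has_libwrap "$XINETD_LDD_NO_WRAP" && echo "sample 1: libwrap" || echo "sample 1: no libwrap"
    ldd_has_libwrap "$XINETD_LDD_WITH_WRAP" && echo "sample 2: libwrap" || echo "sample 2: no libwrap"
    [ -x /usr/sbin/xinetd ] && check_libwrap /usr/sbin/xinetd
fi
```

A "no-libwrap" result means hosts.allow/hosts.deny are silently ignored for that daemon and the only host filtering left is the packet filter.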
To really filter the packets you have to define rules, e.g. in /etc/rc.config.d/firewall2-custom.rc.config. To block a host or a network it seems to be enough to write

iptables -I INPUT -j DROP -s IP.OF.THE.HOST

or

iptables -I INPUT -j DROP -s NET.OF.THE.HOST/THE.SUB.NET.MASK

In practice,

iptables -I INPUT -j DROP -s 192.168.1.0/255.255.255.0

blocks the whole traffic from the private subnet.

Michael Appeldorn
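Michael's DROP rules generalised to a blocklist, as an added example that is not from the original thread or from SuSEfirewall2: a POSIX sh script that validates each host or network entry (dotted netmask as in the post, or a prefix length) and emits one "iptables -I INPUT -j DROP -s ..." line per entry, skipping malformed ones. The blocklist is constructed; the script prints rules rather than applying them, and the functions are hypothetical helper names.

```shell
#!/bin/sh
# Constructed blocklist: one host or network per line, '#' starts a comment.
BLOCKLIST='# constructed blocklist
192.168.1.0/255.255.255.0
10.0.0.0/8
203.0.113.7
999.1.1.1'

# valid_ipv4 ADDR: exit 0 for a dotted quad with four octets in 0..255.
valid_ipv4() {
    case "$1" in *[!0-9.]*|''|.*|*.|*..*) return 1;; esac
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for o; do [ "$o" -le 255 ] || return 1; done
}

# valid_entry ENTRY: accept HOST, HOST/DOTTED.NET.MASK or HOST/PREFIXLEN.
# Note: the dotted netmask is only checked for shape, not for contiguity.
valid_entry() {
    valid_ipv4 "${1%%/*}" || return 1
    case "$1" in
        */*) mask=${1#*/}
             if valid_ipv4 "$mask"; then return 0; fi
             case "$mask" in *[!0-9]*|'') return 1;; esac
             [ "$mask" -le 32 ];;
    esac
}

# drop_rule ENTRY: print the DROP rule for one entry. -I puts the rule at the
# head of INPUT so it is evaluated before any later ACCEPT rule.
drop_rule() {
    valid_entry "$1" || { echo "skipping invalid entry: $1" >&2; return 1; }
    printf 'iptables -I INPUT -j DROP -s %s\n' "$1"
}

# gen_rules: emit rules for every non-comment line of BLOCKLIST.
gen_rules() {
    printf '%s\n' "$BLOCKLIST" | while IFS= read -r line; do
        case "$line" in ''|\#*) continue;; esac
        drop_rule "$line" || true
    done
}

[ -z "$GEN_RULES_NO_MAIN" ] && gen_rules
```

Paste the printed lines into firewall2-custom.rc.config (or run them as root) to apply them; the 999.1.1.1 entry is rejected on stderr and produces no rule.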