-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On Wednesday 13 February 2002 15:49, OKDesign oHG Security Administrator wrote: : : -----Ursprungliche Nachricht----- : Von: Paul Elliott [mailto:pelliott@io.com] : Gesendet: Mittwoch, 13. Februar 2002 21:29 : An: suse-sec : Betreff: [suse-security] How do I filter specific hosts and/or networks? : : : : How do I tell SuSEfirewall2 not to talk to certain specific hosts and : or networks? I know how to tell it that it can talk, but how do I : create a negative exceptions? Do I have to write IPtables code? : : Thank You. - - : Hmm, silly question: Can't this be done by using the hosts.deny-file ? : AFAIK the server doesn't allow any connections at all for hosts being : listed in there... : : just my 2 cents : : Stephan - - Another silly question then - how do I use hosts.deny with xinetd instead of inetd. I'm using xinetd, which works great, but the system seems to ignore the hosts. files... ? George -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.6 (GNU/Linux) Comment: For info see http://www.gnupg.org iD8DBQE8atDxo2oOGEnz8fYRAlJvAJwIp2W6ePpM2nVf9VZ5sWlegs0MiQCfYZpI SOSsDKDwX9Sx1rW/swbpDsw= =ii/s -----END PGP SIGNATURE-----

hmm yet another silly question: is there a reason you don't use iptables / ipchains to block certain hosts? won't the hosts.deny file just work with the apps that support it? ----- Original Message ----- From: "OKDesign oHG Security Administrator" To: "fluffy bananachunks" Cc: "SuSE-Security-List" Sent: Wednesday, February 13, 2002 10:33 PM Subject: AW: AW: [suse-security] How do I filter specific hosts and/or networks?

: Hmm, silly question: Can't this be done by using the hosts.deny-file ? : AFAIK the server doesn't allow any connections at all for hosts being : listed in there... : : just my 2 cents : : Stephan

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On Thursday 14 February 2002 03:36, Michael Appeldorn wrote: : >Another silly question then - how do I use hosts.deny with xinetd instead : > of inetd. I'm using xinetd, which works great, but the system seems to : > ignore the hosts. files... : : AFAIK the bins have to be compiled with libwrap support. Suse does that : by default, but if your rpm comes from other source, they could ignore : the host-files. : : ldd xinetd - shows you the libs that are bound. : : Correct my if i'am wrong. : : Michael Appeldorn none of these are looking like libwrap to me (but I don't know what I'm looking for ;P ): $ ldd /usr/sbin/xinetd libnsl.so.1 => /lib/libnsl.so.1 (0x40029000) libm.so.6 => /lib/libm.so.6 (0x4003f000) libcrypt.so.1 => /lib/libcrypt.so.1 (0x40061000) libc.so.6 => /lib/libc.so.6 (0x4008e000) /lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x40000000) me@user-119a2lr:~ $ rpm -q xinetd xinetd-2.3.3-15 I don't usually compile my own unless yast can't find it for me, and I'm pretty sure that this was a yast installed version... guess I should try and compile myself... Another good point tho was the questioning about services that aren't being started by xinetd. By default, xinetd on SuSE isn't starting apache - so maybe I shall look this possibility up as well... Geo -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.6 (GNU/Linux) Comment: For info see http://www.gnupg.org iD8DBQE8a6S0o2oOGEnz8fYRAqwrAKDHQlX/fpbAGsHDHBHxN3Ba7fz2uACeJd83 MJlLghyY+vDG3AyRm0nreSU= =7Cq7 -----END PGP SIGNATURE-----