Actually I'd prefer to stick with this simple solution, but maybe someone has convincing arguments against this approach... So what happens to services whose access is not controlled by tcpwrappers? Say somehow you have mysqld running in the background. Anyone from the net would be able to access your system via mysql, and if there was a vulnerability in it they could exploit it; the same would go for a service like sendmail etc. But an ipchains firewall with default to deny could be configured to only allow in those connections you need and by default block all other connections.
The basic premise of any type of security is defense in depth. Programmers, maintainers, users, and network admins (like you) ALL make mistakes. One example is with openssh on SuSE 7.0 not being compiled with libwrap support.. That would be a maintainer problem, and you could be forgiven for setting up your hosts.access system and not testing whether sshd was actually denying the connections it should be... Running MySQL and not adding --skip-networking to /etc/rc.d/mysql if you don't need a network socket would be an example of a mistake made by you.. A buffer overflow would be a programming mistake.. everyone makes them, and that is why security consultants like myself (and half of the rest of the list) will have a very lucrative job for many years to come...

The only way to defend against mistakes, both yours and others', is to put as many checks in as possible. Therefore, if you have a pop server that needs to only accept connections from a certain ip range(s) you would:

a) Deny ALL, and allow the specific range with tcp wrappers
b) Deny ALL, and allow the specific range with a host based firewall like SuSEfirewall
c) Deny ALL, and allow the specific range with a frontline network firewall. (This is more likely to be something like FW-1, Gauntlet or PIX, but could be something simple like SuSEfirewall running on a standalone server)
d) Deny ALL, and allow the specific range on your border router. (All but the cheapest of routers have at least some basic ACL capabilities)

You can see how this would stop a problem with up to 3 of your 4 checks from compromising the security of your system...

I hope that helped...

Regards

---
Nix - nix@susesecurity.com
http://www.susesecurity.com
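A small audit script for the host-side mistakes Nix describes (no default-deny line in hosts.deny, an sshd that was never linked against libwrap, a mysqld still bound to a network socket), added here as an example; it is not code from either post. Each check takes its input as a string so it runs offline on the constructed samples at the bottom; the file paths and the `ss -lnt` column layout are assumptions.

```shell
#!/bin/sh
# Added example, not from either post. Each check takes its input as a string so
# it runs offline on the constructed samples below; on a real host pass
# "$(cat /etc/hosts.deny)", "$(ldd /usr/sbin/sshd)" and "$(ss -lnt)" instead.

# Layer a) tcp_wrappers: hosts.deny must carry a default-deny "ALL: ALL" line,
# otherwise hosts.allow entries only add permissions and restrict nothing.
hosts_deny_is_default_deny() {
    printf '%s\n' "$1" | grep -Eiq '^[[:space:]]*ALL[[:space:]]*:[[:space:]]*ALL([[:space:]]|$)'
}

# The SuSE 7.0 sshd case: a daemon only honours hosts.deny if it was built
# against libwrap.  $1 = output of `ldd <daemon binary>`.
links_libwrap() {
    printf '%s\n' "$1" | grep -q 'libwrap'
}

# The mysqld case: true if something LISTENs on port $2 bound to a non-loopback
# address.  $1 = output of `ss -lnt` (assumed columns: State Recv-Q Send-Q Local:Port ...).
listens_externally() {
    printf '%s\n' "$1" | awk -v port="$2" '
        $1 == "LISTEN" {
            n = split($4, f, ":"); p = f[n]
            addr = substr($4, 1, length($4) - length(p) - 1)
            if (p == port && addr != "127.0.0.1" && addr != "[::1]") found = 1
        }
        END { if (found) exit 0; exit 1 }'
}

# Constructed samples (not captured from a real host).
SAMPLE_HOSTS_DENY='# default deny; wanted services are re-enabled in hosts.allow
ALL: ALL'
SAMPLE_LDD_SSHD='libwrap.so.0 => /lib/libwrap.so.0 (0x40020000)
libc.so.6 => /lib/libc.so.6 (0x40030000)'
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
LISTEN 0      80     0.0.0.0:3306       0.0.0.0:*
LISTEN 0      128    127.0.0.1:25       0.0.0.0:*'

audit() {
    hosts_deny_is_default_deny "$1" && echo "OK   hosts.deny defaults to deny" \
        || echo "WARN hosts.deny has no 'ALL: ALL' line"
    links_libwrap "$2" && echo "OK   sshd links libwrap" || echo "WARN sshd ignores tcp_wrappers"
    listens_externally "$3" 3306 && echo "WARN mysqld reachable from the network (use --skip-networking)" \
        || echo "OK   mysqld not exposed"
}
audit "$SAMPLE_HOSTS_DENY" "$SAMPLE_LDD_SSHD" "$SAMPLE_SS"
```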