Re: FreeBSD - Secure by DEFAULT ?? [hosts.allow]

From: Byron Schlemmer (byrons_at_telkomsa.net)
Date: 08/08/03

    To: Schalk Erasmus <schalk@home.incredible.com.na>
    Date: Fri, 08 Aug 2003 22:36:09 +0200
    
    
    

    On Thu, 2003-08-07 at 19:24, Schalk Erasmus wrote:
    > Hi,
    >
    > I need to know what the implications are to make use of the hosts.allow file
    > on a FreeBSD Production Server (ISP Setup)? The reason I'm asking, is that
    > I've recently decommissioned a Linux SendMail Server to a FreeBSD Exim
    > Server, but with no Firewall (IPTABLES) yet.
    >
    > Besides the fact that it only runs EXIM and Apache, is it necessary to
    > Configure rc.Firewall? or can I only make use of the hosts.allow file?

    Only applications that honour tcp_wrappers use hosts.allow. Therefore to
    ensure that your machine is secure it would be wise to use a firewall of
    some kind.

    > Currently I would only like to allow SSH access from my Home Network,
    > instead of allowing the WORLD.
    >
    > I've seen OpenBSD Servers using hosts.deny and hosts.allow files, but based
    > on the new "Access Control File", it is all merged together in one file:
    >
    > # hosts.allow access control file for "tcp wrapped" applications.
    > # $FreeBSD: src/etc/hosts.allow,v 1.8.2.7 2002/04/17 19:44:22 dougb Exp $
    > #
    >
    > I take that I should allow the other Services, in this order:
    >
    > sshd : myhomepc : allow
    > exim : ALL : allow
    > httpd : ALL : allow
    > ftpd : ALL : allow
    > ALL : ALL : deny

    That would limit ssh only from myhomepc. So that's correct.

    > What kind of protection does FreeBSD need by Default? Since OpenBSD goes
    > around saying: "SECURE BY DEFAULT" !?

    Hmm, I don't think OpenBSD runs a firewall by default. Basically they
    start you off with a very restrictive setup. FreeBSD is reasonably
    secure "by default" too. But, if you plan to have this box running in an
    ISP environment a firewall would be highly recommended.

    -- 
    	--byron
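
An added example, not part of the original message: a simplified Python model of how the quoted rules are evaluated (first match wins) and of the point that a daemon not built against tcp_wrappers never consults the file. The `WRAPPED` set and the host name `otherhost.example` are assumptions made for illustration.

```python
# Added example: simplified model of tcp_wrappers first-match evaluation.
# Only exact names and the ALL wildcard are handled; real libwrap also
# supports patterns such as domains, netmasks and EXCEPT.

# Rules exactly as quoted in the thread, in file order.
THREAD_RULES = """\
sshd : myhomepc : allow
exim : ALL : allow
httpd : ALL : allow
ftpd : ALL : allow
ALL : ALL : deny
"""

# Assumption for illustration: which daemons were built against libwrap.
# Check your own binaries; this set is not taken from the thread.
WRAPPED = {"sshd", "exim", "ftpd"}


def parse_rules(text):
    """Parse 'daemons : clients : action' lines, skipping comments and blanks."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        daemons, clients, action = (f.strip() for f in line.split(":", 2))
        rules.append((daemons.replace(",", " ").split(),
                      clients.replace(",", " ").split(),
                      action.lower()))
    return rules


def _match(patterns, value):
    return any(p == "ALL" or p.lower() == value.lower() for p in patterns)


def decide(rules, daemon, client, wrapped=WRAPPED):
    """Return 'allow', 'deny', or 'not consulted' for one connection."""
    if daemon not in wrapped:
        return "not consulted"  # the daemon never reads hosts.allow
    for daemons, clients, action in rules:
        if _match(daemons, daemon) and _match(clients, client):
            return action  # first matching rule wins; later lines are ignored
    return "allow"  # tcp_wrappers grants access when nothing matches


if __name__ == "__main__":
    rules = parse_rules(THREAD_RULES)
    for d, c in [("sshd", "myhomepc"), ("sshd", "otherhost.example"),
                 ("exim", "otherhost.example"), ("httpd", "otherhost.example")]:
        print(f"{d:6} from {c:18} -> {decide(rules, d, c)}")
```

A "not consulted" result means the connection is governed only by the daemon's own configuration and any packet filter in front of it, whatever hosts.allow says.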
    
    


