2

I'm in the middle of securing an OSX server that is the target of hundreds of automated requests per second from Chinese, Russian and US servers (see: Recovering a server from being an open relay).

I've used ipfw to set up rules that exclude all but local IP requests (i.e. 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16).

What is the difference between setting up ipfw rules, and implementing similar rules in hosts.allow/hosts.deny?

As I understand it, the hosts files affect tcp-wrapped services (so may not be as holistic as ipfw). Would that also mean that they come after the firewall (so no point in using both)?

Community
  • 1
brass-kazoo
  • 178
  • 6
  • 1
    From security standpoint there IS a point in using both ipfw and tcp-wrappers because multi-layered defence is more reliable. In practice it sometimes happens that firewall get temporarily disabled for some purpose and not re-enabled for days and weeks by mistake. – AlexD Aug 29 '11 at 05:37

1 Answers1

3

The files hosts.allow and hosts.deny are, so to say, deprecated. They are mainly used for tcp-wrapper and maybe used by other services or applications. But if they are used depends on the implementation of the program.

Using a firewall is the preferred method because their rules are based on IPs, ports and other criteria. The firewall is independent of the application listening on the IP/port and therefore always catches the traffic.

And yes the hosts.* files are effective after the firewall. That said, you do not need them.

Nathan
  • 107
  • 4
mailq
  • 17,023
  • 2
  • 37
  • 69
  • 1
    deprecated? Says who? TCP wrappers (which is the only system using hosts.accept/deny - not mostly, and is not itself a service / application) provides functionality not available in ipfw (and vice versa). – symcbean Aug 29 '11 at 11:44
  • @symcbean Interesting, can you expand on that gap in functionality? – brass-kazoo Aug 29 '11 at 23:29
  • TCP wrappers can call userspace code (see twist, spawn) and link ident lookups (by default ident security is non-existent - but there are extensions). OTOH stuff like rate limiting, masquerading, port redirection are much simpler using the firewall. – symcbean Aug 31 '11 at 12:11
  • You can also allow by DNS entries with hosts.allow, ie `sshd: .domain.com EXCEPT PARANOID` to only allow hosts from *.domain.com with valid forward and reverse DNS entries. – Jodie C May 29 '12 at 02:09