I think sample /etc/hosts.allow and /etc/hosts.deny files added to either baselayout or tcp-wrappers would be extremely useful, especially now that OpenSSHD is included by default. Not only do apps run through inetd and xinetd look to these files, but some daemons such as OpenSSHD can also use these. A sample hosts.deny could contain lines such as:

#ALL: ALL

A sample hosts.allow could contain lines like:

#sshd: 192.168.0.
#sendmail: localhost

And things of that nature, with the proper comments about what they do.
I think it will be more appropriate in tcp-wrappers.
It's a simple, good idea. Can this be done please? Adding CC to bug-wranglers
I don't want my /etc-directory cluttered more than necessary, so any addition should be stuffed in the /usr/share/doc/<tcp-wrappers>/ directory. May want to add a pkg_postinst() note about their presence, but people always check the doc directory anyway, right?;)
These files aren't a proper substitute for a firewall. Should we really be encouraging users to use them? They're an old hack from old Unix days when security wasn't as much of an issue as it is now. If you want a firewall, do it properly. I don't think Gentoo should be encouraging bad habits.
# For more information, please see the hosts.allow(5) manpage
# Rule format:
# daemon : client list
# The value for 'daemon' is determined by the name of the binary.
# OpenSSH runs as 'sshd' so you would use 'sshd' for 'daemon'.
# Client list can be a list of IPs or hostnames.

# Allow only sshd connections from IPs matching 192.168.0.*
#sshd: 192.168.0.

# Only allow sendmail connections from the localhost
#sendmail: localhost

# Allow everyone from foobar.edu to access everything except for
# the terminalserver
#ALL: .foobar.edu EXCEPT terminalserver.foobar.edu
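To make the evaluation order behind the sample files concrete (the hosts.deny "ALL: ALL" proposed in the first comment and the hosts.allow draft above), here is an added example: a small Python model of how libwrap walks hosts.allow and then hosts.deny. It is not code from the bug report or from the tcp-wrappers package, and it is not libwrap itself; it assumes the client's hostname has already been reverse-resolved and implements only the syntax used in this thread ("daemon list : client list", ALL, LOCAL, EXCEPT, ".domain" and "a.b.c." patterns, "#" comments). The sample rule texts and the hostnames/addresses in the cases are constructed for the example.

```python
# Added example: a toy model of hosts_access(5) evaluation.  Not libwrap and not
# part of Gentoo's tcp-wrappers package; it assumes host and addr are already
# resolved strings and supports only the subset of the syntax used in the thread.


def _split_list(field):
    """Split 'a b EXCEPT c' into (['a', 'b'], ['c']); without EXCEPT -> ([...], [])."""
    words = field.replace(",", " ").split()
    if "EXCEPT" in words:
        i = words.index("EXCEPT")
        return words[:i], words[i + 1:]
    return words, []


def parse_rules(text):
    """Parse hosts.allow / hosts.deny text into [(daemon_list, client_list), ...]."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        daemons, sep, clients = line.partition(":")
        if not sep:
            raise ValueError("rule without ':' : %r" % raw)
        rules.append((_split_list(daemons), _split_list(clients)))
    return rules


def _token_matches(token, host, addr):
    """Match one pattern from a list against a resolved client host/address."""
    if token == "ALL":
        return True
    if token == "LOCAL":                     # any hostname without a dot
        return "." not in host
    if token.startswith("."):                # ".foobar.edu" matches hosts in that domain
        return host.endswith(token)
    if token.endswith("."):                  # "192.168.0." matches that address prefix
        return addr.startswith(token)
    return token == host or token == addr    # exact hostname or address


def _list_matches(lst, host, addr):
    include, exclude = lst
    hit = any(_token_matches(t, host, addr) for t in include)
    return hit and not any(_token_matches(t, host, addr) for t in exclude)


def hosts_access(daemon, host, addr, allow_text, deny_text=""):
    """hosts_access(5) order: first match in hosts.allow grants access,
    otherwise first match in hosts.deny refuses it, otherwise access is
    GRANTED.  That last step is why a hosts.allow without a hosts.deny
    restricts nothing."""
    for daemons, clients in parse_rules(allow_text):
        if _list_matches(daemons, daemon, daemon) and _list_matches(clients, host, addr):
            return True
    for daemons, clients in parse_rules(deny_text):
        if _list_matches(daemons, daemon, daemon) and _list_matches(clients, host, addr):
            return False
    return True


# Constructed sample files mirroring the ones proposed in the thread.
SAMPLE_ALLOW = """
# hosts.allow
sshd: 192.168.0.
sendmail: localhost
ALL: .foobar.edu EXCEPT terminalserver.foobar.edu
"""

SAMPLE_DENY = "ALL: ALL\n"   # hosts.deny: refuse whatever hosts.allow did not grant


if __name__ == "__main__":
    # Constructed clients; the second column shows the effect of omitting hosts.deny.
    cases = [
        ("sshd", "pc.lan", "192.168.0.7"),
        ("sshd", "x.example", "203.0.113.9"),
        ("sendmail", "localhost", "127.0.0.1"),
        ("in.telnetd", "lab.foobar.edu", "198.51.100.8"),
        ("in.telnetd", "terminalserver.foobar.edu", "198.51.100.7"),
    ]
    for d, h, a in cases:
        print("%-10s %-28s with deny: %-5s  without deny: %s" % (
            d, h, hosts_access(d, h, a, SAMPLE_ALLOW, SAMPLE_DENY),
            hosts_access(d, h, a, SAMPLE_ALLOW)))
```

The point the model makes is the one worth stating in the shipped comments: without a hosts.deny (or a trailing deny rule), every connection the hosts.allow lines do not mention is still accepted, so the sample above only becomes restrictive once "ALL: ALL" is present in hosts.deny. On a real system, check the actual library rather than this model with tcpdmatch(8), e.g. "tcpdmatch sshd 192.168.0.7". Note also that only daemons linked against libwrap consult these files at all, and OpenSSH removed its tcp_wrappers support in release 6.7, so on current installs sshd no longer reads them; the firewall objection raised in this thread applies with more force there.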
If that's good enough for the reporter, I'll add it so it goes into /usr/share/doc/${PF}/
Yes, that is fine. Sorry for the delayed response. =)
Added the sample hosts.allow ... don't think we really need a hosts.deny too.