Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 20073

Summary: Suggestion: Add sample /etc/hosts.allow /etc/hosts.deny files
Product: Gentoo Linux Reporter: PJ <PJ>
Component: [OLD] ServerAssignee: Gentoo's Team for Core System packages <base-system>
Status: RESOLVED FIXED    
Severity: normal CC: ciaran.mccreesh
Priority: High    
Version: 1.4_rc4   
Hardware: All   
OS: Linux   
Whiteboard:
Package list:
Runtime testing required: ---

Description PJ 2003-04-27 18:40:06 UTC 
I think sample /etc/hosts.allow and /etc/hosts.deny files added to either 
baselayout or tcp-wrappers would be extremely useful, especially now that 
OpenSSHD is included by default. Not only do apps run through inetd and xinetd 
look to these files, but some daemons such as OpenSSHD can also use these.

A sample hosts.deny could contain lines such as:
#ALL:    ALL

A sample hosts.allow could contain lines like:
#sshd:           192.168.0.
#sendmail:       localhost

And things of that nature, with the proper comments about what they do.
Comment 1 Martin Schlemmer (RETIRED) gentoo-dev 2003-04-28 17:09:09 UTC 
I think it will be more appropriate in tcp-wrappers.
Comment 2 Andrew Cooks (RETIRED) gentoo-dev 2003-12-11 14:53:02 UTC 
It's a simple, good idea. Can this be done please?

Adding CC to bug-wranglers
Comment 3 Karl Trygve Kalleberg (RETIRED) gentoo-dev 2003-12-11 15:11:16 UTC 
I don't want my /etc-directory cluttered more than necessary, so any addition should be stuffed in the /usr/share/doc/<tcp-wrappers>/ directory. 

May want to add a pkg_postinst() note about their presence, but people always check the doc directory anyway, right?;)
Comment 4 Ciaran McCreesh 2003-12-11 15:11:35 UTC 
These files aren't a proper substitute for a firewall. Should we really be
encouraging users to use them? They're an old hack from old Unix days when
security wasn't as much of an issue as it is now. If you want a firewall, do
it properly. I don't think Gentoo should be encouraging bad habits.
Comment 5 SpanKY gentoo-dev 2004-01-03 12:12:42 UTC 
# For more information, please see the hosts.allow(5) manpage

# Rule format:
# daemon : client list
# The value for 'daemon' is determined by the name of the binary.
# OpenSSH runs as 'sshd' so you would use 'sshd' for 'daemon'.
# Client list can be a list of ip's or hostnames.

# Allow only sshd connections from ips matching 192.168.0.*            
#sshd: 192.168.0.

# Only allow sendmail connections from the localhost
#sendmail: localhost

# Allow everyone from foobar.edu to access everything except for
# the terminalserver 
#ALL: .foobar.edu EXCEPT terminalserver.foobar.edu
Comment 6 SpanKY gentoo-dev 2004-01-03 12:13:02 UTC 
if thats good enough for the reporter i'll add it so it goes into /usr/share/doc/${PF}/
Comment 7 PJ 2004-01-10 17:16:18 UTC 
Yes that is fine. Sorry for the delayed responce. =)
Comment 8 SpanKY gentoo-dev 2004-01-25 15:05:29 UTC 
added the sample hosts.allow ... dont think we really need a hosts.deny too