
How do I configure hosts.allow and hosts.deny to allow all connections from all hosts except for some hosts/ports specified in hosts.deny?

This is what I have now in these files:

hosts.allow:

ALL:ALL

hosts.deny:

somehost:someport

I want to allow all connections except for somehost:someport, but the above configuration does not work.

EDIT:

Well, I found out in this case hosts.allow should be an empty file, but it's still allowing connections on someport...

  • The hosts.allow/deny stuff only works for servers linked to tcpwrappers. If you don't know if that's the case for your server, try blocking everything and see if you can still connect. – symcbean Nov 17 '10 at 12:47

2 Answers


You've got it backwards.

It should be like this:

someport : somehost

The syntax is actually more expressive than this: the port and the hosts can be lists, and the port can be specified by daemon name instead of port number, for example. Your system ought to have documentation for the format of the file.

And you're right about hosts.allow, it should be empty as the default action is to accept.

mark
  • I now have my hosts.allow file empty and someport:ALL line in hosts.deny - but it still allows connections on someport - I don't know what's wrong now? –  Nov 17 '10 at 12:46
  • BTW I straced inetd and tcpd opens and reads contents of the hosts.deny file when something tries connecting on someport. –  Nov 17 '10 at 13:00

You can also use the extended format described in hosts_options(5) and use /etc/hosts.allow only.

adamo
  • I think this is the best approach. Put ALL:ALL in `hosts.deny`, and make exceptions in `hosts.allow`. In this case (allow most everything), that means starting with a really large exception -- but that's okay. – mattdm Nov 17 '10 at 15:19
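A small model of tcpd's decision order, added here as an illustration (not code from the original post or from the tcp_wrappers project): it reproduces why the ALL:ALL line in hosts.allow from the question overrides hosts.deny, why the daemon and client fields must be in that order, and how the hosts_options(5) form from the second answer works from hosts.allow alone. It implements only the ALL keyword, exact names, trailing-dot prefixes and net/mask patterns from hosts_access(5); the EXCEPT operator and options other than allow/deny are left out, and all addresses below are constructed documentation examples.

```python
# tcp_wrappers decision order per hosts_access(5)/hosts_options(5):
# hosts.allow is searched first (match -> grant), then hosts.deny (match -> deny),
# otherwise access is granted. A trailing 'allow'/'deny' option forces the result.
import ipaddress

def _pattern_matches(pattern, value):
    """Match one token of a daemon or client list against a daemon name or address."""
    if pattern == "ALL":
        return True
    if pattern.endswith("."):            # numeric prefix such as "192.0.2."
        return value.startswith(pattern)
    if "/" in pattern:                   # net/mask form such as "192.0.2.0/24"
        try:
            return ipaddress.ip_address(value) in ipaddress.ip_network(pattern, strict=False)
        except ValueError:
            return False
    return pattern == value

def _list_matches(field, value):
    # list fields are whitespace- or comma-separated; any token may match
    return any(_pattern_matches(p, value) for p in field.replace(",", " ").split())

def parse_rules(text):
    """Parse one control file into (daemon_list, client_list, options) tuples."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()     # drop comments and blank lines
        if not line:
            continue
        parts = [p.strip() for p in line.split(":")]
        if len(parts) < 2:
            raise ValueError(f"malformed rule: {line!r}")
        rules.append((parts[0], parts[1], [o.lower() for o in parts[2:]]))
    return rules

def _first_match(rules, daemon, client):
    # options of the first rule whose daemon list and client list both match
    for daemons, clients, options in rules:
        if _list_matches(daemons, daemon) and _list_matches(clients, client):
            return options
    return None

def access(allow_text, deny_text, daemon, client):
    """Decide 'granted' or 'denied' for one connection, in tcpd's order."""
    options = _first_match(parse_rules(allow_text), daemon, client)
    if options is not None:
        return "denied" if "deny" in options else "granted"
    options = _first_match(parse_rules(deny_text), daemon, client)
    if options is not None:
        return "granted" if "allow" in options else "denied"
    return "granted"
```

On a real system, tcpdmatch(8) from the tcp_wrappers package performs the same check against the live files, for example `tcpdmatch sshd 203.0.113.9`.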