# hosts.allow not blocking access



## ph0enix (Oct 20, 2011)

I followed this manual to configure TCP wrappers/hosts.allow:
http://www.freebsd.org/doc/handbook/tcpwrappers.html

inetd is running with the -Ww options.

I want to block all access from a specific IP address.  The first entry in my hosts.allow is:

```
ALL : 192.168.1.44 : deny
```

I'm able to connect to the SMTP and SSH ports from 192.168.1.44 even after restarting inetd.  What am I doing wrong?

Thanks!


----------



## DutchDaemon (Oct 20, 2011)

Both services are probably not started from inetd (almost nothing whatsoever uses inetd nowadays), so tcpwrapping will not have any effect. Use one of the built-in firewalls, and leave inetd alone (i.e. *off*) -- it's really deprecated and it may vanish altogether (if it were up to me).

Modern net services like Sendmail, Postfix, sshd, Apache, imapd, pop3d, etc. etc. are all started from /etc/rc.conf nowadays, and they are daemons, instead of instances being launched (and torn down) centrally by inetd.


----------



## kpa (Oct 20, 2011)

That's because those services are not run by inetd(8) but are directly listening for incoming connections.  You'll need a firewall like pf(4) or ipfw(4) for controlling access to such services.


----------



## ph0enix (Oct 20, 2011)

Thanks guys!  Is there anything wrong with using ipf instead of pf or ipfw?  I already have ipf set up with sshguard on that system.


----------



## DutchDaemon (Oct 21, 2011)

I think that ipf, of the three, is the least actively maintained. Then again, it's almost entirely interchangeable with pf, so you have a way out, and sshguard works with pf just as well.


----------



## ph0enix (Oct 21, 2011)

Interesting tidbit: After reading your replies, I decided to disable hosts.allow so I stopped inetd (disabled it in rc.conf as well) and removed the changes I had made to the file - or so I thought.  I forgot to uncomment the following line:


```
ALL : ALL : allow
```

...so the first actual command was:


```
ALL : PARANOID : RFC931 20 : deny
```

Then I realized that the system wouldn't let me connect via SSH anymore which means that hosts.allow actually works without inetd and it blocks SSH even if it's not defined in inetd.conf.  I rebooted the machine and still couldn't connect to the SSH port.  It kept giving me:


```
You are not welcome to use sshd from...
```

When I realized my mistake, I uncommented the line and everything was peachy once again.  What gives?


----------
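The behaviour described in the post above comes down to hosts_access(5) first-match semantics: with the leading `ALL : ALL : allow` commented out, an sshd connection from the LAN falls through every specific rule and hits the final catch-all `twist` rule that prints the "You are not welcome" message. The following evaluator is an added example, not code from this thread or from FreeBSD; it models only the subset of hosts.allow syntax the thread touches (daemon lists, `ALL`/`LOCAL`/address/prefix/hostname client patterns, and the `allow`/`deny`/`twist` options), and it treats `PARANOID` as non-matching, which is what happens for a client whose forward and reverse DNS agree. The sample file is constructed to mirror the layout of the default FreeBSD hosts.allow.

```python
"""Minimal first-match evaluator for FreeBSD-style hosts.allow rules.

Added example (not from the thread). Models the subset of hosts_access(5)
the thread discusses; PARANOID/RFC931 are not evaluated (they need reverse
DNS and an ident lookup), so a PARANOID rule never matches here.
"""
import ipaddress
from dataclasses import dataclass

# Constructed sample in the style of FreeBSD's default /etc/hosts.allow.
# The first line is commented out on purpose: that is the mistake the thread
# describes, and it makes the final catch-all "twist" rule match sshd.
SAMPLE_HOSTS_ALLOW = """\
#ALL : ALL : allow
ALL : PARANOID : RFC931 20 : deny
ALL : localhost 127.0.0.1 : allow
sendmail : ALL : allow
ALL : ALL \\
    : severity auth.info \\
    : twist /bin/echo "You are not welcome to use %d from %h."
"""


@dataclass
class Rule:
    daemons: list   # first field, whitespace separated (e.g. ["ALL"], ["sshd"])
    clients: list   # second field, whitespace separated client patterns
    options: list   # remaining ':'-separated fields (allow, deny, twist ..., severity ...)
    text: str       # the logical line, for reporting which rule matched


def parse_hosts_allow(text):
    """Parse hosts.allow text into Rule objects, joining backslash continuations."""
    rules, pending = [], []
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.endswith("\\"):            # continued on the next line
            pending.append(line[:-1])
            continue
        pending.append(line)
        full = " ".join(p.strip() for p in pending)
        pending = []
        if not full.strip() or full.lstrip().startswith("#"):
            continue                       # blank line or comment
        fields = [f.strip() for f in full.split(":")]
        if len(fields) < 2:
            raise ValueError("rule needs daemon and client lists: %r" % full)
        rules.append(Rule(fields[0].split(), fields[1].split(), fields[2:], full.strip()))
    return rules


def client_matches(pattern, ip, hostname):
    """Match one client pattern against a client IPv4 address and optional hostname."""
    if pattern == "ALL":
        return True
    if pattern == "LOCAL":
        return hostname is not None and "." not in hostname
    if pattern == "KNOWN":
        return hostname is not None
    if pattern == "UNKNOWN":
        return hostname is None
    if pattern == "PARANOID":
        return False                       # assumption: forward/reverse DNS agree
    if "/" in pattern:                     # net/mask or net/prefix form
        try:
            return ipaddress.ip_address(ip) in ipaddress.ip_network(pattern, strict=False)
        except ValueError:
            return False
    if pattern.startswith("."):            # domain suffix
        return hostname is not None and hostname.endswith(pattern)
    if pattern.endswith("."):              # address prefix such as "192.168.1."
        return ip.startswith(pattern)
    return pattern == ip or (hostname is not None and pattern == hostname)


def evaluate(rules, daemon, ip, hostname=None):
    """Return (decision, matched_rule_text, twist_message) using first-match semantics.

    With no matching rule, hosts.allow grants access (its default)."""
    for rule in rules:
        if not ("ALL" in rule.daemons or daemon in rule.daemons):
            continue
        if not any(client_matches(p, ip, hostname) for p in rule.clients):
            continue
        decision, message = "allow", None
        for opt in rule.options:
            parts = opt.split(None, 1)
            word = parts[0] if parts else ""
            if word == "deny":
                decision = "deny"
            elif word == "twist":
                # twist replaces the service with a command: the TCP handshake still
                # completes, then the client receives the command's output and EOF.
                decision = "deny"
                cmd = parts[1] if len(parts) > 1 else ""
                message = cmd.replace("%d", daemon).replace("%h", hostname or ip)
        return decision, rule.text, message
    return "allow", None, None


def demo():
    """Reproduce the thread's scenarios; returns a dict of decisions."""
    broken = parse_hosts_allow(SAMPLE_HOSTS_ALLOW)
    fixed = parse_hosts_allow(SAMPLE_HOSTS_ALLOW.replace("#ALL : ALL : allow", "ALL : ALL : allow"))
    # What the original poster wanted: a targeted deny placed before the catch-all allow.
    targeted = parse_hosts_allow("ALL : 192.168.1.44 : deny\nALL : ALL : allow\n")
    # Same two rules in the wrong order: the catch-all allow matches first.
    wrong_order = parse_hosts_allow("ALL : ALL : allow\nALL : 192.168.1.44 : deny\n")
    lan, lo = "192.168.1.44", "127.0.0.1"
    return {
        "broken_sshd_lan": evaluate(broken, "sshd", lan)[0],
        "broken_sendmail_lan": evaluate(broken, "sendmail", lan)[0],
        "broken_sshd_localhost": evaluate(broken, "sshd", lo, "localhost")[0],
        "fixed_sshd_lan": evaluate(fixed, "sshd", lan)[0],
        "targeted_sshd_lan": evaluate(targeted, "sshd", lan)[0],
        "targeted_sshd_other": evaluate(targeted, "sshd", "192.168.1.10")[0],
        "wrong_order_sshd_lan": evaluate(wrong_order, "sshd", lan)[0],
    }


if __name__ == "__main__":
    for name, decision in demo().items():
        print(name, "->", decision)
    print(evaluate(parse_hosts_allow(SAMPLE_HOSTS_ALLOW), "sshd", "192.168.1.44")[2])
```

Two things to take from the run: first, in the "broken" file sendmail is still allowed by its own `sendmail : ALL : allow` line while sshd is rejected by the catch-all, so a partially commented file fails per service, not globally; second, the targeted `ALL : 192.168.1.44 : deny` only works when it sits above `ALL : ALL : allow`. None of this helps with a daemon that is not linked against libwrap, which is the point the later replies make.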



## SirDice (Oct 21, 2011)

Some services do, some don't. It has to be specifically added to the code. But since it's a bit of a relic most newer services don't support it.


----------



## anomie (Oct 21, 2011)

ph0enix said:

> I followed this manual to configure TCP wrappers/hosts.allow:
> http://www.freebsd.org/doc/handbook/tcpwrappers.html
>
> ...


TCP wrappers will provide access control for any daemon that has support compiled in. 


```
%ldd /usr/sbin/sshd | grep libwrap
	libwrap.so.6 => /usr/lib/libwrap.so.6 (0x2812a000)

%ldd /usr/sbin/sendmail | grep libwrap
```

As you noted later in the thread, you have some rule problems if it isn't working for sshd(8). But it's _never_ going to work for sendmail(8), because it's not supported. 

NB: TCP wrappers behave differently than e.g. packet filtering would. A TCP handshake is completed before the session is rejected.


----------
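The NB in the reply above is worth seeing on the wire: a libwrap-aware daemon only consults hosts.allow after `accept()` has returned, so the client's three-way handshake succeeds and the port looks open before the session is torn down, whereas a packet filter keeps the handshake from completing at all. The script below is an added illustration, not code from the thread or from any FreeBSD component. It mimics a wrapped daemon under a `twist` rule with a plain loopback socket server (the banner text is constructed), and approximates a filter's `block return` with a port that nothing listens on, so the client gets an immediate refusal.

```python
"""Show what a client observes from a TCP-wrappers rejection versus a filtered port.

Added example (not from the thread). The 'wrapped' server is a stand-in for a
libwrap daemon whose hosts.allow rule is a twist: it accepts, sends a banner,
and closes. The 'filtered' case approximates a packet filter that returns RST.
"""
import socket
import threading

# Constructed banner in the style of the default hosts.allow twist rule.
REJECT_BANNER = b"You are not welcome to use sshd from 127.0.0.1.\r\n"


def wrapped_server(ready, state):
    """Accept one connection (handshake completes), send the banner, close."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))            # ephemeral port on loopback
    srv.listen(1)
    state["port"] = srv.getsockname()[1]
    ready.set()
    conn, _ = srv.accept()                # this is where libwrap's check would run
    conn.sendall(REJECT_BANNER)           # twist: command output instead of the service
    conn.close()
    srv.close()


def probe(port):
    """Connect like a client would; report whether connect() succeeded and what arrived."""
    try:
        with socket.create_connection(("127.0.0.1", port), timeout=5) as c:
            data = b""
            while True:
                chunk = c.recv(1024)
                if not chunk:             # server closed after the banner
                    break
                data += chunk
            return {"connected": True, "data": data}
    except OSError:
        return {"connected": False, "data": b""}


def observe_wrapped_rejection():
    """Result a client sees against the wrapped (twist) server."""
    ready, state = threading.Event(), {}
    t = threading.Thread(target=wrapped_server, args=(ready, state), daemon=True)
    t.start()
    if not ready.wait(5):
        raise RuntimeError("server did not start")
    result = probe(state["port"])
    t.join(5)
    return result


def observe_filtered_port():
    """Result a client sees when nothing accepts the SYN (RST comes back)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()                             # port is now closed; connect() is refused
    return probe(port)


if __name__ == "__main__":
    print("wrapped :", observe_wrapped_rejection())
    print("filtered:", observe_filtered_port())
```

The practical consequence for monitoring is that a wrapped service still logs a completed connection (and a scanner still reports the port as open), so hosts.allow denies show up as application-level rejects in the daemon's or tcpd's logs, while a pf or ipfw block shows up only in the firewall's own log.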

