Re: Help for a newbie


Subject: Re: Help for a newbie
From: Matthew Geier (matthew@arts.usyd.edu.au)
Date: Wed Sep 20 2000 - 17:53:58 EDT


Matthew Temple wrote:
>
> All,
>
> I believe that the tcp_wrapper support available through
> inetd is specifically for services that don't know anything about
> libwrap and so must call tcpd for this kind of handling. Doesn't
> netatalk use libwrap calls to call the library directly so that
> the /etc/hosts.allow file is what's really used as a basis?

 Yes, NetAtalk uses the library directly. I use, and have gotten someone
to test for me, IP blocking. No one outside the campus can connect. It
works. The outsider didn't get a response from the server on his Mac.

 
> > I bow to your greater knowledge. :-) Ipchains is it.
> >
> > > Beyond that, it seems to me that both the ipchains and tcp wrappers
> > >solutions would block *all* access, or none; neither could be used to
> > >limit it to guest access. What Colin was asking for is access control
> > >based on both IP and user ID.

 That is somewhat more difficult. But my problem was of course that
ANYONE could connect as guest, not just our people. Thus we had licenced
software available to the world. The NetAtalk server is protected by TCP
wrappers, and our ASIP server is protected by the MacOS equivalent of
kernel firewall rules, called TCP Filter.

 Being a University, by history we are not firewalled to the hilt like
most modern commercial organisations. Of course our greatest threat is
probably inside, not outside :-)

-- 
Matthew Geier			matthew@arts.usyd.edu.au
Arts IT Unit			+61 2 9351 4713
Sydney University
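
The thread above turns on afpd checking /etc/hosts.allow and /etc/hosts.deny through libwrap itself, so the usual tcp_wrappers evaluation order applies: hosts.allow is consulted first and a match grants access, then hosts.deny and a match refuses, and a client matched by neither file is let in. The following model of that lookup is an added example and is not code from netatalk or from anyone in this thread; the campus network 129.78.0.0/255.255.0.0 and the sample file contents are constructed, and only the ALL, trailing-dot prefix and net/mask client patterns are implemented (no EXCEPT, hostnames or shell commands).

```python
import ipaddress

# Constructed sample access files (assumed campus network, not a real config):
# afpd is netatalk's AFP daemon; allow it only from the campus, deny it from anywhere else.
HOSTS_ALLOW = """
afpd: 129.78.0.0/255.255.0.0   # campus only
"""
HOSTS_DENY = """
afpd: ALL
"""


def _parse(text):
    """Turn 'daemon_list : client_list [: shell_command]' lines into (daemons, clients) pairs."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # strip comments and blank lines
        if not line or ":" not in line:
            continue
        fields = line.split(":")
        daemons = [d.strip() for d in fields[0].split(",")]
        clients = [c.strip() for c in fields[1].split(",")]
        rules.append((daemons, clients))
    return rules


def _client_matches(pattern, ip):
    """Match one client pattern the way hosts_access(5) describes it for addresses."""
    if pattern == "ALL":
        return True
    if pattern.endswith("."):  # "129.78." matches any address beginning with that prefix
        return ip.startswith(pattern)
    if "/" in pattern:  # "net/mask" form, e.g. 129.78.0.0/255.255.0.0
        net, mask = pattern.split("/", 1)
        return ipaddress.IPv4Address(ip) in ipaddress.IPv4Network((net, mask), strict=False)
    return pattern == ip  # exact address


def _rule_matches(rule, daemon, ip):
    daemons, clients = rule
    return (daemon in daemons or "ALL" in daemons) and any(_client_matches(p, ip) for p in clients)


def hosts_access(daemon, ip, allow_text=HOSTS_ALLOW, deny_text=HOSTS_DENY):
    """True if libwrap would let `ip` reach `daemon`: allow file first, then deny file,
    and permit when neither matches (the default that left the guest share open to the world)."""
    if any(_rule_matches(r, daemon, ip) for r in _parse(allow_text)):
        return True
    if any(_rule_matches(r, daemon, ip) for r in _parse(deny_text)):
        return False
    return True
```

Calling `hosts_access("afpd", "203.0.113.9", deny_text="")` shows the situation described in the post: with no deny rule, every client is admitted, while the constructed pair of files admits only campus addresses.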




This archive was generated by hypermail 2b28 : Wed Jan 17 2001 - 14:32:12 EST