Subject: Re: Firewalling Hosts
To: Adam Alexander <yacko@cherokee.wildstar.net>
From: Nico van Eikema Hommes <hommes@derioc1.organik.uni-erlangen.de>
List: port-mac68k
Date: 04/27/1997 23:06:18
    Hi Adam,

>> I would like to be able to set up a firewall type of thing that serves
>> these goals:
>> 1) Allow hosts set to connect
>> 2) Deny hosts not in the list
>> 3) Send a message to the denied hosts explaining what happened
>>
>> Is this possible with NetBSD? I know it is with Linux and their oh so
>> lovable hosts.allow and hosts.deny.
> [...]
>You described a host which is picky about what computer can connect. I
>think that's easier to do, and (like I said) recently supported.

The "hosts.allow" and "hosts.deny" files are part of the "tcp-wrappers"
package by Wietse Venema. You can install this package on any host; it
compiles out of the box (as long as you don't have an SGI...), and does
not need special support in the kernel. Basically, it replaces a couple
of daemons (e.g. telnetd, logind, ftpd, etc.) and simply calls these to
handle an incoming connection request only after having ascertained that
the connecting host is trustworthy enough.
It comes with extensive documentation on how to set it up, lots of hints
on how to make your system (even more) secure, pointers to further info,
etc. It is available via ftp, but I could not find the URL where I got it
from. The documentation mentions ftp.win.tue.nl:/pub/security/ and
cert.org:/pub/tools/tcp_wrappers/, but there definitely are other sites
that have it (e.g. the Linux distribution sites).

Best wishes,

          Nico

--
  Dr. N.J.R. van Eikema Hommes     Computer-Chemie-Centrum
  hommes@ccc.uni-erlangen.de       Universitaet Erlangen-Nuernberg
  Phone:    +49-(0)9131-856532     Naegelsbachstr. 25
  FAX:      +49-(0)9131-856566     D-91052 Erlangen, Germany
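
Added example, not part of the original message and not code from the tcp-wrappers package: a simplified Python model of the order in which the wrapper consults hosts.allow and hosts.deny (allow match grants, otherwise deny match refuses, otherwise access is granted), covering the first two goals in the quoted question. The rule files, host names and addresses are constructed samples, and only the `ALL`, `.domain`, `addr.` and exact-match client patterns are modelled.

```python
import re

# Constructed sample rule files (assumptions, not from the original message).
HOSTS_ALLOW = """\
# daemon_list : client_list
in.telnetd, in.ftpd : .example.org 192.0.2.
ALL : trusted.example.net
"""
HOSTS_DENY = "ALL : ALL\n"

def parse_rules(text):
    """Return [(daemons, clients)], skipping blank and '#' comment lines."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 2:
            continue  # malformed line: ignored in this model
        daemons, clients = (re.split(r"[,\s]+", f.strip()) for f in fields[:2])
        rules.append((daemons, clients))
    return rules

def client_matches(pattern, name, addr):
    if pattern == "ALL":
        return True
    if pattern.startswith("."):      # domain suffix, compared with the host name
        return name.lower().endswith(pattern.lower())
    if pattern.endswith("."):        # address prefix, compared with the address
        return addr.startswith(pattern)
    return pattern.lower() == name.lower() or pattern == addr

def table_matches(rules, daemon, name, addr):
    return any(
        any(d in ("ALL", daemon) for d in daemons)
        and any(client_matches(c, name, addr) for c in clients)
        for daemons, clients in rules
    )

def access_granted(daemon, name, addr, allow=HOSTS_ALLOW, deny=HOSTS_DENY):
    if table_matches(parse_rules(allow), daemon, name, addr):
        return True                  # listed in hosts.allow
    if table_matches(parse_rules(deny), daemon, name, addr):
        return False                 # listed in hosts.deny
    return True                      # matched neither file: granted
```

Calling `access_granted` with `deny=""` shows why the allow list alone is not enough: without a catch-all entry in hosts.deny, hosts that are not listed are still let in.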