FreeBSD - Secure by DEFAULT ?? [hosts.allow]
Byron Schlemmer
byrons at telkomsa.net
Fri Aug 8 13:34:55 PDT 2003
On Thu, 2003-08-07 at 19:24, Schalk Erasmus wrote:
> Hi,
>
> I need to know what the implications are to make use of the hosts.allow file
> on a FreeBSD Production Server (ISP Setup)? The reason I'm asking, is that
> I've recently decommissioned a Linux SendMail Server to a FreeBSD Exim
> Server, but with no Firewall (IPTABLES) yet.
>
> Besides the fact that it only runs EXIM and Apache, is it necessary to
> Configure rc.Firewall? or can I only make use of the hosts.allow file?
Only applications that honour tcp_wrappers use hosts.allow. Therefore to
ensure that your machine is secure it would be wise to use a firewall of
some kind.
> Currently I would only like to allow SSH access from my Home Network,
> instead of allowing the WORLD.
>
> I've seen OpenBSD Servers using hosts.deny and hosts.allow files, but based
> on the new "Access Control File", it is all merged together in one file:
>
> # hosts.allow access control file for "tcp wrapped" applications.
> # $FreeBSD: src/etc/hosts.allow,v 1.8.2.7 2002/04/17 19:44:22 dougb Exp $
> #
>
> I take it that I should allow the other Services, in this order:
>
> sshd : myhomepc : allow
> exim : ALL : allow
> httpd : ALL : allow
> ftpd : ALL : allow
> ALL : ALL : deny
That would limit ssh only from myhomepc. So that's correct.
> What kind of protection does FreeBSD need by Default? Since OpenBSD goes
> around saying: "SECURE BY DEFAULT" !?
Hmm, I don't think OpenBSD runs a firewall by default. Basically they
start you off with a very restrictive setup. FreeBSD is reasonably
secure "by default" too. But, if you plan to have this box running in an
ISP environment a firewall would be highly recommended.
--
--byron
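
The first-match ordering that the rule list in this thread relies on, as an added example that is not part of the original message and not FreeBSD's own code: a simplified Python model of how a single-file hosts.allow is evaluated. The function names, the `wrapped` flag and the sample names and addresses are assumptions made for illustration.

```python
# Simplified model of first-match evaluation in a single-file hosts.allow.
# Not libwrap itself: only "daemon : client : allow|deny" lines are handled.
# Constructed sample: the rules proposed in the thread ("myhomepc" is theirs).
RULES = """\
# hosts.allow access control file for "tcp wrapped" applications.
sshd : myhomepc : allow
exim : ALL : allow
httpd : ALL : allow
ftpd : ALL : allow
ALL : ALL : deny
"""

def parse(text):
    """Return (daemons, clients, action) tuples in file order."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        daemons, clients, action = (f.strip() for f in line.split(":", 2))
        rules.append((daemons.replace(",", " ").split(),
                      clients.replace(",", " ").split(), action.lower()))
    return rules

def pattern_matches(pattern, name, addr):
    """Client patterns: ALL, .domain suffix, address prefix ending in '.', exact."""
    if pattern == "ALL":
        return True
    if pattern.startswith("."):
        return name.endswith(pattern)
    if pattern.endswith("."):
        return addr.startswith(pattern)
    return pattern in (name, addr)

def decide(rules, daemon, name, addr, wrapped=True):
    """First matching rule wins; later rules are never looked at."""
    if not wrapped:                               # daemon does not use tcp_wrappers
        return "not consulted"
    for daemons, clients, action in rules:
        if any(d in ("ALL", daemon) for d in daemons) and \
           any(pattern_matches(c, name, addr) for c in clients):
            return action
    return "allow"                                # no rule matched: access is granted

if __name__ == "__main__":
    rules = parse(RULES)
    for d, n, a in [("sshd", "myhomepc", "192.0.2.10"),
                    ("sshd", "other.example.net", "198.51.100.7"),
                    ("exim", "other.example.net", "198.51.100.7")]:
        print(d, n, "->", decide(rules, d, n, a))
```

Passing `wrapped=False` models a daemon that was not built against tcp_wrappers: the file is never read for it, which is why a packet filter is still needed for those services.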