Message-ID: <000a01c358d3$dcc94eb0$0265de0a@Fujitsu>
From: "Schalk Erasmus"
Date: Sat, 2 Aug 2003 09:55:45 +0100
Subject: FreeBSD - Secure by DEFAULT ??
X-BeenThere: freebsd-isp@freebsd.org

Hi,

I need to know what the implications are to make use of the hosts.allow file on a FreeBSD Production Server (ISP Setup)?

The reason I'm asking is that I've recently decommissioned a Linux SendMail Server to a FreeBSD Exim Server, but with no Firewall (IPTABLES) yet. Besides the fact that it only runs EXIM and Apache, is it necessary to configure rc.firewall, or can I only make use of the hosts.allow file?

Currently I would only like to allow SSH access from my Home Network, instead of allowing the WORLD.

I've seen OpenBSD Servers using hosts.deny and hosts.allow files, but based on the new "Access Control File", it is all merged together in one file:

#
# hosts.allow access control file for "tcp wrapped" applications.
# $FreeBSD: src/etc/hosts.allow,v 1.8.2.7 2002/04/17 19:44:22 dougb Exp $
#
# NOTE: The hosts.deny file is deprecated.
# Place both 'allow' and 'deny' rules in the hosts.allow file.
# See hosts_options(5) for the format of this file.
# hosts_access(5) no longer fully applies.

# Start by allowing everything (this prevents the rest of the file
# from working, so remove it when you need protection).
# The rules here work on a "First match wins" basis.
ALL : ALL : allow

# Wrapping sshd(8) is not normally a good idea, but if you
# need to do it, here's how
#sshd : .evil.cracker.example.com : deny

Should I make the following changes to this file? (I'm afraid I might get kicked out)

ALL : ALL : deny
sshd : myhomepc.baboon.com : allow

What kind of protection does FreeBSD need by Default? Since OpenBSD goes around saying: "SECURE BY DEFAULT" !?

Just asking.....

Regards
Schalk Erasmus
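
Added example, not part of the original message: a simplified Python model of the "First match wins" evaluation that the hosts.allow header describes, run over the two-rule order proposed above and over the same two rules reordered. It is not libwrap; the function names, the reduced pattern syntax and the client name host.elsewhere.example are assumptions made for the illustration.

```python
# Simplified model of hosts.allow in hosts_options(5) format (illustration,
# not libwrap): supports ALL, exact names, leading-dot domains, allow/deny.
import re

def parse_rules(text):
    """Return [(daemons, clients, action)] from 'daemons : clients : option' lines."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        daemons, clients, action = [f.strip() for f in line.split(":")]
        rules.append((re.split(r"[,\s]+", daemons),
                      re.split(r"[,\s]+", clients), action.lower()))
    return rules

def matches(pattern, name):
    if pattern.upper() == "ALL":
        return True
    if pattern.startswith("."):                   # .example.com = domain suffix
        return name.lower().endswith(pattern.lower())
    return pattern.lower() == name.lower()

def decide(rules, daemon, client):
    """First matching rule wins. No match grants access (assumes no hosts.deny)."""
    for n, (daemons, clients, action) in enumerate(rules, 1):
        if any(matches(d, daemon) for d in daemons) and \
           any(matches(c, client) for c in clients):
            return action, n
    return "allow", None

# Order proposed in the message: the catch-all deny is read first.
PROPOSED = """
ALL : ALL : deny
sshd : myhomepc.baboon.com : allow
"""
# Same two rules with the specific sshd rule ahead of the catch-all.
REORDERED = """
sshd : myhomepc.baboon.com : allow
ALL : ALL : deny
"""
OTHER = "host.elsewhere.example"                  # constructed client name

if __name__ == "__main__":
    for label, text in (("proposed", PROPOSED), ("reordered", REORDERED)):
        for client in ("myhomepc.baboon.com", OTHER):
            print(label, client, decide(parse_rules(text), "sshd", client))
```

In the proposed order the home host is refused by rule 1 before the sshd line is ever read; with the sshd rule first it is accepted and every other client still falls through to the deny.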