I asked

> I use the "mostly closed" philosophy of tcp wrappers on my Sun Solaris
> servers. My /etc/hosts.deny file is ALL:ALL and then I allow specific IP
> ranges and specific protocols with my /etc/hosts.allow file. I have an
> interesting conundrum. I want to block one specific IP from connecting (via
> ssh, in this case), but I still want to allow the rest of the subnet. I do
> not have access to the problem child in question, so I can only make changes
> on the destination host.
>
> Right now in my /etc/hosts.allow file is the rule
>
>     sshd: 144.74.: severity daemon.info
>
> I want to prohibit 144.74.75.76 from connecting, but still allow the rest of
> 144.74 to connect. Can anyone think of a way to do this short of adding an
> "allow" entry for every IP in the hosts.allow file except for that one?

The answer: EXCEPT is your friend. In my /etc/hosts.allow I changed the rule to

    sshd: 144.74. EXCEPT 144.74.75.76: severity daemon.info

and it works like a charm.

Several people have misconceptions about the tcpd access files. For every connection, the hosts.allow file is processed first and hosts.deny second. As soon as a match is made, it is followed and no more parsing of the files is done. So having

    sshd: 144.74.

in the hosts.allow means that anything meeting that definition would be allowed, regardless of the hosts.deny file contents. The "except" does exactly what it sounds like -- it ignores the rule to see if there are subsequent matches... like the deny ALL:ALL in the hosts.deny file.

Several people also mentioned using ipfilter / iptables instead, since that is installed with Solaris 10. It is, and I use it (on my linux boxes too). But this particular problem was Solaris 9 and Solaris 8 where tcp wrappers had already been built and deployed. Since most of these servers are EOL, I figured it is not worthwhile to port iptables to a server that will go away in six months or so ...
Thanks to

alanpae@ilkda.com
Andrew Brennan <andrew.brennan@drexel.edu>
Ric Anderson <ric@Opus1.COM>
Stier, Matthew <Matthew.Stier@us.fujitsu.com>
grove@zeta.org.au
Casper.Dik@Sun.COM
Francisco Puente <fpuente00@gmail.com>
Chris Hoogendyk <hoogendyk@bio.umass.edu>
Juraj Lutter <juraj@lutter.sk>
Emmanuel Mejias <emmanuel.mejias@gmail.com>
brian.l.jester@accenture.com
Emmanuel Mejias <emmanuel.mejias@gmail.com>
JULIAN, JOHN C (ATTSI) <jj2195@att.com>
Belford, Joseph A II CTR USAF ACC 82 CSS/SCOG <Joseph.Belford.Ctr@langley.af.mil>
Chris C <mazzystr@gmail.com>
Hackett, Peter <PHackett@talisman-energy.com>
Batey, Everett II NAVSEA <everett.batey@navy.mil>
D. Ratliff <ddratliff@yahoo.com>
Karl Vogel <vogelke+unix@pobox.com>

Christopher L. Barnard
-------------------
comment your code as if the maintainer is a homicidal maniac who knows where you live.
_______________________________________________
sunmanagers mailing list
sunmanagers@sunmanagers.org
http://www.sunmanagers.org/mailman/listinfo/sunmanagers
Received on Tue Sep 14 22:10:09 2010
This archive was generated by hypermail 2.1.8 : Thu Mar 03 2016 - 06:44:17 EST
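The ordering rule the summary describes (hosts.allow is searched first, hosts.deny second, first match wins, and EXCEPT carves a hole out of a client list so that the rule no longer matches) is easy to get wrong, and the only way to be sure a rule does what you think is to test it. The following is an added example, not code from the original post or from tcp_wrappers itself: a small Python model of the tcpd matching logic that lets you check a hosts.allow / hosts.deny pair against sample clients before deploying it. The file contents, daemon names and client addresses are constructed for the example; it models the ALL wildcard, the trailing-dot address prefix, the leading-dot hostname suffix and nested EXCEPT, but not the netmask form or the allow/deny option keywords of the extended language.

```python
"""Model of tcpd (TCP Wrappers) access-control evaluation.

Semantics modelled (from the hosts_access rules described in the post):
  * /etc/hosts.allow is consulted first, then /etc/hosts.deny.
  * The first rule that matches, in either file, decides; nothing further is read.
  * A client matched by neither file is granted access.
  * "list_1 EXCEPT list_2" matches list_1 unless list_2 also matches, and
    EXCEPT nests to the right: "a EXCEPT b EXCEPT c" == "a EXCEPT (b EXCEPT c)".
Not modelled: netmask patterns, the allow/deny option keywords, hostname lookups.
"""

# Constructed sample files mirroring the configuration from the post.
HOSTS_ALLOW = """
# let the 144.74 range ssh in, except one problem host
sshd: 144.74. EXCEPT 144.74.75.76: severity daemon.info
"""
HOSTS_DENY = """
ALL: ALL
"""


def _match_token(pattern, value):
    """Match one pattern word against a daemon name or client address/name."""
    if pattern == "ALL":
        return True
    if pattern.endswith("."):          # "144.74." matches every address under 144.74
        return value.startswith(pattern)
    if pattern.startswith("."):        # ".example.edu" matches hostnames in that domain
        return value.endswith(pattern)
    return pattern == value            # otherwise an exact match is required


def _match_list(tokens, value):
    """Evaluate a whitespace-split daemon or client list, honouring EXCEPT."""
    if "EXCEPT" in tokens:
        i = tokens.index("EXCEPT")
        head, tail = tokens[:i], tokens[i + 1:]
        return any(_match_token(t, value) for t in head) and not _match_list(tail, value)
    return any(_match_token(t, value) for t in tokens)


def parse_rules(text):
    """Turn a hosts.allow/hosts.deny body into (daemon_list, client_list, options) tuples."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = [f.strip() for f in line.split(":")]
        if len(fields) < 2:
            raise ValueError(f"malformed rule: {line!r}")
        rules.append((fields[0].split(), fields[1].split(), fields[2:]))
    return rules


def first_match(rules, daemon, client):
    """Return the first rule whose daemon list AND client list both match, or None."""
    for rule in rules:
        daemons, clients, _options = rule
        if _match_list(daemons, daemon) and _match_list(clients, client):
            return rule
    return None


def hosts_access(daemon, client, allow_text=HOSTS_ALLOW, deny_text=HOSTS_DENY):
    """Decide 'allow' or 'deny' for one connection the way tcpd orders its files."""
    if first_match(parse_rules(allow_text), daemon, client):
        return "allow"
    if first_match(parse_rules(deny_text), daemon, client):
        return "deny"
    return "allow"                     # matched by neither file: access granted


if __name__ == "__main__":
    # Quick table for eyeballing a rule set before it goes into production.
    for daemon, client in [("sshd", "144.74.1.2"), ("sshd", "144.74.75.76"),
                           ("sshd", "144.74.75.7"), ("sshd", "10.0.0.1"),
                           ("in.ftpd", "144.74.1.2")]:
        print(f"{daemon:8} {client:15} -> {hosts_access(daemon, client)}")
```

Running the script prints one decision per sample connection. Checking the "misconception" case is a one-liner with the same function: an allow rule `sshd: 144.74.` paired with a deny file that lists `144.74.75.76` before `ALL: ALL` still returns allow for that host, because hosts.deny is never reached once hosts.allow matches.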