LinuxQuestions.org > Forums > Linux Forums > Linux - Newbie
#16, 09-09-2010, 07:23 AM: linuxlover.chaitanya (Senior Member)
You should always prefer to block ports at the firewall level. TCP wrappers can be used, but it is the responsibility of a service to check the TCP wrappers configuration and determine whether connections are allowed or denied. In a sense, connections are allowed to the system, and hence it is not as secure as a firewall.
With all this said, if you want to deny connections you should use a firewall or TCP wrappers, but stopping a service does not solve the issue in a correct way if you want the service running for your purpose.
#17, 09-09-2010, 11:27 AM: 14moose (Member)
Dead wrong:
Quote:
kills the service if it's running right now. That's the answer. All the rest of this talk about xinetd, hosts.[allow|deny], firewalls, tcp wrappers, etc. is about configuring and controlling access to a running service.
linuxlover.chaitanya is correct:
Blocking the port AND disabling the service are both EQUALLY important.
#18, 09-09-2010, 12:30 PM: Tinkster (Moderator)
Actually ... if there's nothing LISTENING on the port, blocking it at a firewall layer makes no sense, really. Just extra CPU cycles burnt for no good reason. It's like putting a padlock up on a wall (instead of on a door).

It won't harm (anything but your wallet), but it won't improve the safety of your home.

Cheers,
Tink
#19, 09-10-2010, 12:07 AM: linuxlover.chaitanya (Senior Member)
There is no mention that the service is not listening. And the thread title says it all: the OP wants to block the SMTP and FTP requests. He might not have an idea whether requests are coming or not.
And I have already said this:
Quote:
if you want the service running for your purpose.
#20, 09-10-2010, 12:31 AM: Tinkster (Moderator)
Quote:
Originally Posted by linuxlover.chaitanya
There is no mention that the service is not listening. And the thread title says it all: the OP wants to block the SMTP and FTP requests. He might not have an idea whether requests are coming or not.
And I have already said this,
Indeed ... so you're just proving my point. :}

It's part of a hardening exercise, getting rid of unnecessary services. To me this suggests disabling.

Even if BLOCKING is the desired result, it's silly to keep the service running and drop all its packets via the firewall; you're using two lots of memory and CPU cycles, for what? Keeping the server room warm?

After all, pinga didn't say "I want to disallow certain machines to talk FTP and SMTP at my server". The desired result implied by "block" is no traffic. And that's more easily (and cheaper in terms of system resources) done by turning the service off.

Cheers,
Tink
#21, 09-10-2010, 12:37 AM: linuxlover.chaitanya (Senior Member)
This is what I meant in my first post here. But my point in responding here was not that. Most people were talking about using TCP wrappers. My main response was to this issue: if the need arises to block the requests to a certain port, the better way is to use an iptables firewall instead of TCP wrappers.
#22, 09-12-2010, 11:49 PM: pinga123 (Member, Original Poster)
When I started the thread I never thought of getting this many replies. Thanks guys, especially Chaitanya, for clearing most of the doubts in my mind.

You guys rock the forum.

This is what I have learned from this thread. Correct me if I'm wrong.

The best way to disable any service is to block its port using the firewall as well as disable the service using chkconfig. This prevents the service from unnecessarily generating packets that get blocked by the firewall in case the port is blocked.

Next, for customized blocking of service requests, the TCP wrapper files come in handy.

I'm still a little uncomfortable with /etc/xinetd.d/ but I think over time I will learn about this.
Once again, thanks.
 
#23, 09-13-2010, 12:11 AM: Tinkster (Moderator)
Quote:
Originally Posted by pinga123
The best way to disable any service is to block its port using the firewall as well as disable the service using chkconfig. This prevents the service from unnecessarily generating packets that get blocked by the firewall in case the port is blocked.
No. Even though my response was flagged as unhelpful by several people, it's not correct to primarily block the port via the firewall.

If the service isn't running there's no need for a firewall rule for it; as I pointed out already, you're just wasting RAM and CPU cycles to maintain lists and filter packets against extra ports that no one would be listening on in the first place.

A firewall rule makes sense if you want to block CERTAIN people (IPs, subnets, ...) from accessing a service you don't want to shut down altogether.

It's a weird thought that numbers of opinion may become more important than understanding the task at hand. =D
For me this thread is a classic case against the rating scheme we introduced here at LQ.

Cheers,
Tink
#24, 09-13-2010, 12:12 AM: linuxlover.chaitanya (Senior Member)
No. The best way to disable a service is to not start it. Disable it with chkconfig. If this is the case, there is no need to block it at the firewall; it will not accept connections anyhow. But if you need to keep the service running but want to cut out the incoming connections from specific addresses, then use the firewall, which is better than TCP wrappers.

Tink beat me to this. Finally we have the same opinion.

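As an added example (not code from the thread or any of its posters), a small Python audit that applies the conclusion reached above to constructed `ss -ltn`, `chkconfig --list` and `iptables -S` output: a service that is neither enabled nor listening needs no rule, a running service dropped for every source should be stopped and disabled instead, and a running service restricted by source is the one case where a firewall rule earns its keep. The service-to-port map, the sample output and the assumption that the INPUT chain's default policy is DROP are all mine.

```python
import re
# Constructed sample command output (ss -ltn, chkconfig --list, iptables -S); not from a real host.
SS_LTN = "LISTEN 0 100 127.0.0.1:25 0.0.0.0:*\nLISTEN 0 128 0.0.0.0:80 0.0.0.0:*\n"
CHKCONFIG = """postfix 0:off 1:off 2:on  3:on  4:on  5:on  6:off
httpd   0:off 1:off 2:on  3:on  4:on  5:on  6:off
vsftpd  0:off 1:off 2:off 3:off 4:off 5:off 6:off
"""
IPTABLES_S = """-A INPUT -p tcp --dport 21 -j DROP
-A INPUT -s 10.0.0.0/8 -p tcp --dport 25 -j ACCEPT
-A INPUT -p tcp --dport 80 -j DROP
"""
SERVICES = {"postfix": 25, "httpd": 80, "vsftpd": 21}  # hypothetical service-to-port map

def listening_ports(ss_text):
    """Ports with a LISTEN socket, parsed from 'ss -ltn' style lines (a header line is skipped)."""
    ports = set()
    for line in ss_text.splitlines():
        fields = line.split()
        if len(fields) >= 4 and fields[0] == "LISTEN":
            ports.add(int(fields[3].rsplit(":", 1)[1]))
    return ports

def enabled_services(chk_text):
    """Services that chkconfig starts in runlevel 3 or 5."""
    rows = (line.split() for line in chk_text.splitlines() if line.strip())
    return {r[0]: ("3:on" in r or "5:on" in r) for r in rows}

def rules_by_port(ipt_text):
    """Parse 'iptables -S' lines into {dport: [(source or None, target), ...]}."""
    rules = {}
    for line in ipt_text.splitlines():
        m = re.search(r"(?:-s (\S+).*?)?--dport (\d+).*-j (\w+)", line)
        if m:
            rules.setdefault(int(m.group(2)), []).append((m.group(1), m.group(3)))
    return rules

def classify(listening, enabled, rules):
    """Apply the thread's conclusion to one service."""
    if not (listening or enabled):            # nothing listens: a rule only costs CPU cycles
        return "redundant firewall rule" if rules else "disabled, nothing to do"
    if any(t in ("DROP", "REJECT") and s is None for s, t in rules):
        return "running but dropped for everyone: stop and disable instead"
    if rules:                                  # service must stay up: restrict it at the firewall
        return "running, restricted by source at the firewall"
    return "running and exposed: disable it or restrict it at the firewall"

def audit(ss_text=SS_LTN, chk_text=CHKCONFIG, ipt_text=IPTABLES_S):
    listening, enabled, rules = listening_ports(ss_text), enabled_services(chk_text), rules_by_port(ipt_text)
    return {svc: classify(port in listening, enabled.get(svc, False), rules.get(port, []))
            for svc, port in SERVICES.items()}
```

On a real host, feed `audit()` the captured output of the three commands; the verdict strings map directly onto the three positions argued in the thread.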