Linux - SecurityThis forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
What's the alternative to using /etc/hosts.allow under RHEL/CentOS 8?
A little research indicates that hosts.{allow,denied} files are obsolete. The same articles seem to suggest using firewalld instead.
My issue is that we don't run firewalld on any of our RHEL/CentOS systems, so am unable to use that. Is there a simpler alternative, similar to how hosts.allow worked?
One alternative for filtering is iptables, or its front-end UFW.
What were you trying to do with TCPwrappers anyway? It has been made redundant since the 1990s, except for a few weird use-cases which also expired shortly thereafter.
Ok. You can, and probably should, do that with iptables.
Alternatively you could take a look at adding Match blocks in /etc/ssh/sshd_config and set up something for Match Address. See "man sshd_config" for that.
I'm certainly no expert, but it is my understanding that firewalld (which I'm learning) is a "front-end" to iptables (about which I have absolutely no clue), and that the "rules" entered in firewalld became entries in iptables.
Actual packet filtering is conducted by the Linux kernel using the Netfilter framework.
iptables (formerly ipchains) is the traditional user space tool (amongst others) used to manipulate Netfilter.
firewalld is a front end to iptables.
The kernel Netfilter framework has been re-engineered to a new framework nftables with a new user space tool, nft, that helps with handling newer networking technologies.
Last edited by allend; 10-23-2019 at 08:22 AM.
Reason: Clarity
The officially supported method of configuring your CentOS or RHEL firewall, is by using firewalld. Some people like to strip out Network Manager and bypass firewalld in favor of iptables/ip6tables, but I do not recommend doing so if your goal is to learn CentOS. Stick to the design.
The RHEL8 documentation on firewalld should cover all the basic configuration.
The officially supported method of configuring your CentOS or RHEL firewall, is by using firewalld. Some people like to strip out Network Manager and bypass firewalld in favor of iptables/ip6tables, but I do not recommend doing so if your goal is to learn CentOS. Stick to the design.
The RHEL8 documentation on firewalld should cover all the basic configuration.
"Stick to the design" is certainly valid advice, but I presume that if one already knows iptables, it would still be valid to use it instead. (I didn't, so I am learning firewalld -- 'tho I've not yet moved to CentOS 8).
Otherwise, I agree with you. Bite the bullet and learn the new way (systemd, anyone? -- not that there's much of an option there )
Thank you for posting that link...Much easier to work with than the man pages.
"Stick to the design" is certainly valid advice, but I presume that if one already knows iptables, it would still be valid to use it instead. (I didn't, so I am learning firewalld -- 'tho I've not yet moved to CentOS 8).
Otherwise, I agree with you. Bite the bullet and learn the new way (systemd, anyone? -- not that there's much of an option there )
Thank you for posting that link...Much easier to work with than the man pages.
The default network packet filter in RHEL 8 is nftables-NOT iptables. Red hat is making a big push toward firewalld.
I would love still to use tcp-wrapper as it has features what firewall is not capable of doing.
Like - it can not filter port by remote host name. So it's kind of MFA protection to your TCP services.
Like on /etc/hosts.allow you could have:
ALL: 192.168.* # allow your local network
sshd: *.cc *.myisp.net # for SSH, allow only from your country cc and from your own ISP (or mobile operator)
/etc/hosts.deny should have:
ALL: ALL # Deny everything else
But because tcpwrappers are not supported on "modern" Linux systems - there should be systemd/socket option for it. Or compile your own tcpd -program to be called for each TCP based service which then would launch actual process.
On old days there was inetd services which were launched when something connected to port being listened. And first it launched tcpd (tcpwrapper) and if connection was accepted then actual process (like telnetd or sshd).
I would love still to use tcp-wrapper as it has features what firewall is not capable of doing.
Like - it can not filter port by remote host name. So it's kind of MFA protection to your TCP services.
Like on /etc/hosts.allow you could have:
ALL: 192.168.* # allow your local network
sshd: *.cc *.myisp.net # for SSH, allow only from your country cc and from your own ISP (or mobile operator)
/etc/hosts.deny should have:
ALL: ALL # Deny everything else
But because tcpwrappers are not supported on "modern" Linux systems - there should be systemd/socket option for it. Or compile your own tcpd -program to be called for each TCP based service which then would launch actual process.
On old days there was inetd services which were launched when something connected to port being listened. And first it launched tcpd (tcpwrapper) and if connection was accepted then actual process (like telnetd or sshd).
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.