AHA! I had a feeling something like this was happening... I just didn't know that hosts.allow and hosts.deny were only used by inetd. So, I took your advice and looked into ipchains. Sure enough, it'll do what I need, and true to form with my luck, it's not compiled into my kernel.

I'm now looking into finding a precompiled kernel with it in (2.2.x), and while there are a bunch on the debian site, I can't figure out whether they have ipchains compiled in. I'm really trying to avoid having to recompile my kernel; it will take a long time on this machine, and I don't have another machine handy that can do it. Plus I haven't recompiled a kernel for years and I don't want to risk screwing up this machine. As always, this needs to be fixed asap.

So, does anyone know of a precompiled 2.2 kernel with ipchains in for Debian? I think the kernel-image-2.2.20 (no suffix) might have it, but I'm not sure.

Alternatively, is there a way to get inetd to call exim (my SMTP daemon)? That way I could handle everything using hosts.allow and hosts.deny in the short term, and recompile my kernel and use ipchains in a little while without worrying.

Thanks,
Josh

--
A common mistake that people make when trying to design something completely foolproof is to underestimate the ingenuity of complete fools. -Douglas Adams

Byron A Jeff wrote:
> Right. And the reason is the answer to my question above: hosts.allow and
> hosts.deny are used by the tcpd program. tcpd is invoked by inetd and is
> configured via the /etc/inetd.conf file. For example, on one of my machines
> here is the POP3 entry in /etc/inetd.conf:
>
> pop3 stream tcp nowait root /usr/sbin/tcpd /usr/sbin/popa3d
>
> Note that tcpd is invoked, which checks the hosts.allow/hosts.deny and either
> allows access by invoking popa3d or denies it.
>
> But it only works if tcpd is invoked.
>
> So now here's the second question: What happens when you have a service that
> doesn't use inetd, and therefore doesn't invoke tcpd?
>
> Well, you've seen your answer from the behavior above. sendmail runs all the
> time, owns port 25, and is not invoked by inetd. So the hosts.allow and
> hosts.deny files are never checked.
>
> > I just don't understand how I can explicitly deny access, and it works
> > for some things but SMTP works great.
>
> See above. Now how to solve the problem. You need another tool that operates
> at the kernel level: packet filtering. And the tools for doing this have
> evolved over the years. 2.2 kernels used IPChains, 2.4 kernels use IPTables,
> and I'm not sure how in the heck 2.6 kernels do it yet.
>
> Take a read of this HOWTO, then take another crack at it:
>
> http://www.tldp.org/HOWTO/IPCHAINS-HOWTO.html

--
http://www.piclist.com hint: The list server can filter out subtopics
(like ads or off topics) for you. See http://www.piclist.com/#topics
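The two practical questions in this exchange, "does this 2.2 kernel have ipchains built in?" and "how do I restrict port 25 when the daemon is not started through inetd/tcpd?", can be worked through with the small script below. It is an added example and not code posted by either participant; it assumes a 2.2-series kernel whose build configuration is available as a file (Debian kernel-image packages install it as /boot/config-<version>, a path assumed here), that ipchains is on the PATH when the printed rules are run, and that exim supports the -bs (SMTP on stdin/stdout) mode used in the inetd comment.

```shell
#!/bin/sh
# Added example for the thread above; not from the original posts.

# Return 0 when a kernel build config has what ipchains needs on 2.2:
# both CONFIG_FIREWALL and CONFIG_IP_FIREWALL built in (=y).
# Usage: kernel_config_has_ipchains /boot/config-2.2.20   (path assumed)
kernel_config_has_ipchains() {
    grep -q '^CONFIG_FIREWALL=y$' "$1" &&
    grep -q '^CONFIG_IP_FIREWALL=y$' "$1"
}

# Return 0 when the *running* kernel exposes the ipchains interface;
# the ipchains code registers this /proc entry when it is compiled in.
running_kernel_has_ipchains() {
    [ -e /proc/net/ip_fwchains ]
}

# Print the ipchains commands that admit inbound SMTP (tcp/25) only from
# the given source networks and log-and-deny everyone else. Printing rather
# than executing lets the rules be reviewed first, then piped to sh.
# Order matters: ipchains stops at the first matching rule, so the ACCEPTs
# must precede the catch-all DENY.
smtp_rules() {
    for net in "$@"; do
        echo "ipchains -A input -p tcp -s $net -d 0.0.0.0/0 25 -j ACCEPT"
    done
    # -l logs each denied packet via the kernel log, so refused peers
    # show up in syslog and the rule can be seen to take effect.
    echo "ipchains -A input -p tcp -s 0.0.0.0/0 -d 0.0.0.0/0 25 -l -j DENY"
}

# Short-term alternative raised in the post: run the MTA from inetd so tcpd
# (and hosts.allow/hosts.deny) sits in front of it, in the same shape as
# the pop3 line quoted above (assumes exim's -bs mode):
#   smtp stream tcp nowait mail /usr/sbin/tcpd /usr/sbin/exim -bs

# Constructed sample of a kernel-image build config, to show the check.
sample_config=$(mktemp)
printf 'CONFIG_FIREWALL=y\nCONFIG_IP_FIREWALL=y\n' > "$sample_config"
if kernel_config_has_ipchains "$sample_config"; then
    echo "sample config: ipchains options present"
fi
rm -f "$sample_config"
```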