On a RHEL 7 server, /etc/hosts.allow has a number of IP addresses with full access. In the firewall (confirmed with firewall-cmd), there are no specific sources defined, and the default zone allows certain ports and services.
Which takes precedence? Or for a specific example, if an IP address listed in /etc/hosts.allow tries to connect to the server using a port/service not allowed by the firewall rules, could it connect?
1 Answer
The answer is no.
Neither the TCP Wrapper system nor the firewall settings take precedence; rather, they work as layers.
/etc/hosts.allow and /etc/hosts.deny are the host access control files used by the TCP Wrapper system. Each file contains zero or more daemon:client lines. The first matching line is considered.
Access is granted when a daemon:client pair matches an entry in /etc/hosts.allow. Otherwise, access is denied when a daemon:client pair matches an entry in /etc/hosts.deny. Otherwise, access is granted.
Now, if a service has been given access via the TCP Wrapper, but not on the firewall (and the firewall has a "deny all" rule by default, as it should be), the service won't be able to connect to the machine.
I haven't seen TCP Wrappers configured much nowadays -- you can avoid this system, which provides only basic filtering via libwrap, and just use firewalld to allow access to services. It's easier to configure and manage, and more powerful.
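To make the evaluation order and the layering concrete, here is a small Python model of the decision the answer describes. It is an added example, not code from the original post and not libwrap itself: the hosts.allow/hosts.deny contents, the daemon names and the set of open ports are constructed, and the client-pattern matching is a simplification of libwrap's (ALL, exact IPv4 addresses, dotted prefixes such as `10.0.0.` and addr/mask pairs only; hostnames, LOCAL/KNOWN/UNKNOWN/PARANOID, EXCEPT and option fields are left out).

```python
"""Model of a TCP Wrappers access decision layered behind a host firewall.

Simplified model (not libwrap): client patterns supported are ALL, exact
IPv4 addresses, dotted prefixes ("10.0.0." matches 10.0.0.0/24) and
addr/mask forms; daemon patterns are ALL or an exact daemon name.
"""
import ipaddress

# Constructed sample configuration, standing in for the real files.
HOSTS_ALLOW = [
    "sshd: 192.168.1.10",
    "ALL: 10.0.0.   # trusted management LAN",
]
HOSTS_DENY = ["ALL: ALL"]
OPEN_PORTS = {22}          # firewalld zone exposes only ssh; no source rules


def _client_matches(pattern, client_ip):
    pattern = pattern.strip()
    ip = ipaddress.ip_address(client_ip)
    if pattern == "ALL":
        return True
    if pattern.endswith("."):            # "192.168.1." style prefix
        return client_ip.startswith(pattern)
    if "/" in pattern:                   # "192.168.1.0/255.255.255.0" or "/24"
        return ip in ipaddress.ip_network(pattern, strict=False)
    return ip == ipaddress.ip_address(pattern)


def _daemon_matches(pattern, daemon):
    pattern = pattern.strip()
    return pattern == "ALL" or pattern == daemon


def _file_matches(lines, daemon, client_ip):
    """True if any daemon:client line matches. The first match decides,
    so scanning stops at the first hit."""
    for raw in lines:
        line = raw.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        fields = line.split(":")
        if len(fields) < 2:
            continue                          # malformed line; ignored here
        daemons, clients = fields[0], fields[1]
        if (any(_daemon_matches(d, daemon) for d in daemons.split(","))
                and any(_client_matches(c, client_ip) for c in clients.split(","))):
            return True
    return False


def tcp_wrapper_allows(hosts_allow, hosts_deny, daemon, client_ip):
    """hosts.allow match -> grant; else hosts.deny match -> deny; else grant."""
    if _file_matches(hosts_allow, daemon, client_ip):
        return True
    if _file_matches(hosts_deny, daemon, client_ip):
        return False
    return True


def firewall_allows(open_ports, port):
    """A zone with no source-based rules: only explicitly opened ports pass."""
    return port in open_ports


def connection_allowed(hosts_allow, hosts_deny, open_ports, daemon, port, client_ip):
    """Both layers must pass. The firewall sees the packet first, so a
    hosts.allow entry never helps a connection the firewall drops."""
    return (firewall_allows(open_ports, port)
            and tcp_wrapper_allows(hosts_allow, hosts_deny, daemon, client_ip))


if __name__ == "__main__":
    # The question's scenario: 10.0.0.7 is in hosts.allow for ALL daemons,
    # but port 21 is not open in the firewall.
    print(connection_allowed(HOSTS_ALLOW, HOSTS_DENY, OPEN_PORTS, "vsftpd", 21, "10.0.0.7"))
    print(connection_allowed(HOSTS_ALLOW, HOSTS_DENY, OPEN_PORTS, "sshd", 22, "192.168.1.10"))
```

Running it shows the two checks are independent: `tcp_wrapper_allows` says yes for the FTP case, but `connection_allowed` says no because the packet never reaches the daemon. Note also the last branch of `tcp_wrapper_allows`: with an empty hosts.deny, anything not listed in hosts.allow is still granted, which is why a `ALL: ALL` line in hosts.deny is needed for the wrapper layer to deny anything at all.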