I'd like to restrict AXFR access. According to the documentation, this is done via tcp_wrappers. So I compiled nsd with "--with-libwrap", but even if I set "axfr : ALL : deny" in /etc/hosts.deny, it allows AXFR access. Only if I explicitly set "axfr-zone.tld. : ALL : deny" in hosts.deny is access restricted. But I'd like to block all access in hosts.deny and only allow access to all zones via hosts.allow to one host (secondary), with no zone-specific configuration (so I don't have to add another rule to hosts.allow every time I create a new zone). Any way to do that? -- Fridtjof Busse
On Wed, Nov 12, 2003 at 04:13:00PM +0100, Fridtjof Busse <fbusse at gmx.de> wrote a message of 18 lines which said:

> But I'd like to block all access in hosts.deny and only allow access to
> all zones via hosts.allow to one host (secondary), no zone-specific
> configuration (so I don't have to add another rule to hosts.allow every
> time I create a new zone).
> Any way to do that?

Here is the way I do it:

ns2:~ % more /etc/hosts.deny
# Block everything
ALL: ALL : spawn /bin/logger -i -p daemon.info "%s REFUSED from %a (%h)" : deny

ns2:~ % more /etc/hosts.allow
# Allow for local network only
axfr: 192.134.4.0/255.255.255.0, 192.134.0.49 : spawn /bin/logger -i -p daemon.info "nsd zone transfer (%s) accepted from %a (%h)" : allow
# Per request from Slovenia
axfr-si: 192.2.1.0/255.255.255.0 : spawn /bin/logger -i -p daemon.info "nsd zone transfer (%s) accepted from %a (%h)" : allow
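As an added check (not part of the thread), a small Python model of the tcp_wrappers decision order applied to the rule set in the reply: hosts.allow is consulted first, then hosts.deny, the first matching entry wins, and a trailing allow/deny keyword gives the verdict. It assumes the constructed rule text below (spawn logging options dropped) and models only ALL, exact IPv4 addresses and net/mask client patterns; hostnames, wildcards and EXCEPT are not handled.

```python
import ipaddress

# Constructed from the hosts.deny / hosts.allow shown in the reply above;
# the spawn logging options are dropped, only the verdict keyword is kept.
HOSTS_ALLOW = """
# Allow for local network only
axfr: 192.134.4.0/255.255.255.0, 192.134.0.49 : allow
# Per request from Slovenia
axfr-si: 192.2.1.0/255.255.255.0 : allow
"""
HOSTS_DENY = """
# Block everything
ALL: ALL : deny
"""


def parse_rules(text, file_default):
    """Return (daemons, clients, allowed) triples for one access-control file.

    A trailing 'allow'/'deny' keyword overrides the file's default verdict."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        fields = [f.strip() for f in line.split(":")]
        daemons = [d.strip() for d in fields[0].split(",")]
        clients = [c.strip() for c in fields[1].split(",")]
        verdict = {"allow": True, "deny": False}.get(fields[-1], file_default)
        rules.append((daemons, clients, verdict))
    return rules


def client_matches(pattern, addr):
    """Only ALL, exact IPv4 addresses and net/mask patterns are modeled here."""
    if pattern == "ALL":
        return True
    if "/" in pattern:
        return ipaddress.ip_address(addr) in ipaddress.ip_network(pattern, strict=False)
    return pattern == addr


def access_allowed(daemon, addr, allow_text=HOSTS_ALLOW, deny_text=HOSTS_DENY):
    """tcp_wrappers order: hosts.allow, then hosts.deny, first match wins; no match grants."""
    candidates = parse_rules(allow_text, True) + parse_rules(deny_text, False)
    for daemons, clients, verdict in candidates:
        if any(d in ("ALL", daemon) for d in daemons) and any(client_matches(c, addr) for c in clients):
            return verdict
    return True


if __name__ == "__main__":
    for daemon, addr in [("axfr", "192.134.4.7"), ("axfr-si", "192.2.1.5"), ("axfr-example.tld.", "10.0.0.1")]:
        print(daemon, addr, "allowed" if access_allowed(daemon, addr) else "REFUSED")
```

With an empty hosts.allow and only "axfr: ALL : deny" in hosts.deny, the model grants a request presented under a zone-specific daemon name, which is the behaviour the question describes; the ALL: ALL line in the reply catches every daemon name.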