I'm in the middle of securing an OSX server that is the target of hundreds of automated requests per second from Chinese, Russian and US servers (see: Recovering a server from being an open relay).
I've used `ipfw` to set up rules that exclude all but local IP requests (i.e. 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16).
What is the difference between setting up `ipfw` rules, and implementing similar rules in `hosts.allow`/`hosts.deny`?
As I understand it, the `hosts` files affect tcp-wrapped services (so may not be as holistic as `ipfw`). Would that also mean that they come after the firewall (so no point in using both)?
The files `hosts.allow` and `hosts.deny` are, so to say, deprecated. They are mainly used for tcp-wrapper and may be used by other services or applications, but whether they are used depends on the implementation of the program. Using a firewall is the preferred method because their rules are based on IPs, ports and other criteria. The firewall is independent of the application listening on the IP/port and therefore always catches the traffic.
And yes, the `hosts.*` files are effective after the firewall. That said, you do not need them.
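To make the answer's point concrete, here is an added example (constructed code, not from the question or the answer) that models the two layers: an ipfw-style rule table that allows only the three RFC 1918 ranges from the question, and a tcp_wrappers policy with the same intent. It assumes a host where only `sshd` is linked against libwrap and a mail daemon called `smtpd` (a placeholder name) is not; `203.0.113.5` is a documentation address standing in for an external client.

```python
import ipaddress

# Constructed ipfw-style rule table modelled on the question: allow the three
# RFC 1918 ranges, deny everything else; first match wins, as in ipfw.
IPFW_RULES = [
    ("allow", ipaddress.ip_network("10.0.0.0/8")),
    ("allow", ipaddress.ip_network("172.16.0.0/12")),
    ("allow", ipaddress.ip_network("192.168.0.0/16")),
    ("deny", ipaddress.ip_network("0.0.0.0/0")),
]
# Constructed tcp_wrappers policy with the same intent. tcp_wrappers consults
# hosts.allow first, then hosts.deny; a client matching neither is allowed.
HOSTS_ALLOW = {"sshd": [net for action, net in IPFW_RULES if action == "allow"]}
HOSTS_DENY = {"ALL": [ipaddress.ip_network("0.0.0.0/0")]}
# Assumption for this example: only sshd is linked against libwrap; the mail
# daemon (called "smtpd" here) never reads hosts.allow or hosts.deny.
TCP_WRAPPED = {"sshd"}

def ipfw_verdict(src):
    """'allow' or 'deny' for a source address under IPFW_RULES."""
    addr = ipaddress.ip_address(src)
    for action, net in IPFW_RULES:
        if addr in net:
            return action
    return "deny"

def _listed(table, daemon, addr):
    # A hosts.* entry applies if keyed by the daemon name or by ALL.
    return any(addr in net for key in (daemon, "ALL") for net in table.get(key, []))

def wrappers_verdict(daemon, src):
    """tcp_wrappers order: allow list, then deny list, else allow."""
    addr = ipaddress.ip_address(src)
    if _listed(HOSTS_ALLOW, daemon, addr):
        return "allow"
    if _listed(HOSTS_DENY, daemon, addr):
        return "deny"
    return "allow"

def connection_outcome(daemon, src, firewall_on=True):
    """Trace one inbound connection: firewall first, then tcp_wrappers if wrapped."""
    if firewall_on and ipfw_verdict(src) == "deny":
        return "blocked by ipfw"
    if daemon not in TCP_WRAPPED:
        return "accepted: %s does not consult hosts.allow/hosts.deny" % daemon
    if wrappers_verdict(daemon, src) == "deny":
        return "refused by tcp_wrappers"
    return "accepted"
```

With the firewall off, the external client reaches the unwrapped mail daemon even though `hosts.deny` says `ALL`; with the firewall on, it never reaches either daemon, which is why the firewall alone is sufficient.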