I solved the problem shortly after posting, and then twice sent private rather than list-directed explanations by accident.
As a list member pointed out, the problem was in my hosts.deny file, not hosts.allow. Once I read the man page carefully I changed the line to ALL: ALL and telnet/ftp/smtp were locked.

Oddly, this *didn't* lock http (port 80), though. A quick check of inetd.conf indicated that inetd doesn't handle http connections. So I edited boa.conf to only "listen" for connections from 127.0.0.1. (I only have a web server at all to handle dwww.) Now all ports are closed.

Interestingly, the scanner at www.gsr.com still shows my ftp, smtp, and telnet ports as "open". My tests indicate that one can connect to the port, but not actually do anything before my host closes the connection again.

Someone suggested using IPCHAINS. The thing is, my only goal is to lock *everyone* outside my local LAN out, while trusting everyone within 198.162. If I need more complex rules, I will investigate IPCHAINS.

Thanks to those who replied.

-- 
Carl Fink [EMAIL PROTECTED]
I-Con's Science and Technology Guest of Honor in 2000 will be Geoffrey A. Landis.
See <http://www.iconsf.org> for I-Con information.
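The "open" scanner result described in the message above can be reproduced locally. This is an added example, not part of the original post: it simplifies the inetd/tcpd arrangement to a listener that accepts the TCP connection first and only then applies an access check, and the function names, banner text and network ranges are constructed for illustration.

```python
import ipaddress
import socket
import threading

def permitted(addr, allowed):
    """Stand-in for the hosts.allow / hosts.deny decision (assumption)."""
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(net) for net in allowed)

def wrapped_service(listener, allowed):
    """Accept first (as inetd does), then check the peer (as tcpd does)."""
    conn, peer = listener.accept()      # TCP handshake is already complete here
    with conn:
        if permitted(peer[0], allowed):
            conn.sendall(b"220 service ready\r\n")   # constructed banner
        # a denied peer gets no banner; closing the socket is the only reply

def probe(host, port, timeout=2.0):
    """Return 'closed', 'open-but-refused' or 'usable' for a banner-first service."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        return "closed"                 # nothing is listening
    with sock:
        try:
            data = sock.recv(64)
        except OSError:
            data = b""
    return "usable" if data else "open-but-refused"

def demo(allowed):
    """Probe a wrapped listener on loopback, then probe again after it is gone."""
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))     # ephemeral port, local only
    listener.listen()
    port = listener.getsockname()[1]
    worker = threading.Thread(target=wrapped_service, args=(listener, allowed))
    worker.start()
    while_listening = probe("127.0.0.1", port)
    worker.join()
    listener.close()
    return while_listening, probe("127.0.0.1", port)

if __name__ == "__main__":
    print(demo(["192.0.2.0/24"]))   # loopback is outside the allowed range
    print(demo(["127.0.0.0/8"]))    # loopback is inside the allowed range
```

A scanner that only tests whether the connection completes cannot tell "open-but-refused" from "usable"; only a packet filter that drops or rejects the connection attempt itself makes the port look closed from outside.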