Access to services started by inetd can be controlled through
the tcpd daemon, which reads its access rules from the files /etc/hosts.allow and /etc/hosts.deny. Access to other services,
such as portmap, can be controlled in the same way if they have been compiled
with the libwrap library.
Format of /etc/hosts.allow and /etc/hosts.deny:
service_list: host_list
tcpd checks /etc/hosts.allow first:
if an entry matches, the host is allowed to access the service.
Otherwise, /etc/hosts.deny is checked: if an entry matches,
access is denied. If none of the entries match, or both
files are empty, access is allowed.
Keywords: ALL (matches all requests), EXCEPT, LOCAL (hosts
on the local network, i.e. names with no domain part), KNOWN (resolvable hosts),
PARANOID (hostname doesn't match IP), UNKNOWN (unresolvable hosts).
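
The check order described above means that a request matching neither file is allowed. The following added example (not tcpd's own code) is a simplified model of that evaluation, showing why a final "ALL: ALL" line in /etc/hosts.deny is needed to get default-deny behaviour. The function names, hosts and rule lines are constructed for illustration, and only ALL, LOCAL, EXCEPT and literal names are handled.

```python
# Added example: simplified model of tcpd's rule evaluation (not tcpd's own code).
# Handles only ALL, LOCAL, EXCEPT and literal names; KNOWN, UNKNOWN and PARANOID
# need name lookups and are left out.

def match_list(tokens, name, is_host):
    """True if name matches the token list; 'A EXCEPT B' means A but not B."""
    if "EXCEPT" in tokens:
        i = tokens.index("EXCEPT")
        return (match_list(tokens[:i], name, is_host)
                and not match_list(tokens[i + 1:], name, is_host))
    for tok in tokens:
        if tok == "ALL" or tok == name:
            return True
        if is_host and tok == "LOCAL" and "." not in name:
            return True
    return False

def rule_matches(text, service, host):
    """True if any 'service_list: host_list' line in text matches the request."""
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("#") or ":" not in line:
            continue
        services, hosts = line.split(":")[:2]
        # list items may be separated by blanks and/or commas
        s_tokens = services.replace(",", " ").split()
        h_tokens = hosts.replace(",", " ").split()
        if match_list(s_tokens, service, False) and match_list(h_tokens, host, True):
            return True
    return False

def access_allowed(allow_text, deny_text, service, host):
    if rule_matches(allow_text, service, host):
        return True      # /etc/hosts.allow is checked first
    if rule_matches(deny_text, service, host):
        return False     # then /etc/hosts.deny
    return True          # nothing matched: access is allowed

# Constructed sample rule files (hypothetical hosts)
ALLOW = "in.telnetd: LOCAL, admin.example.com\nportmap: ALL EXCEPT badhost.example.net\n"
DENY_PARTIAL = "in.telnetd: ALL\n"   # leaves every other service open
DENY_ALL = "ALL: ALL\n"              # default deny

if __name__ == "__main__":
    requests = [("in.telnetd", "ws1"), ("in.ftpd", "x.example.org"),
                ("portmap", "badhost.example.net")]
    for label, deny in (("partial deny", DENY_PARTIAL), ("ALL: ALL", DENY_ALL)):
        for svc, host in requests:
            print(label, svc, host, access_allowed(ALLOW, deny, svc, host))
```

Note that the EXCEPT clause in the sample hosts.allow only withholds the allow match; the excluded host is still admitted unless hosts.deny also matches it.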