Access to services started by inetd can be controlled through
the tcpd daemon, which reads its access rules from the files /etc/hosts.allow and /etc/hosts.deny. Access to other services,
such as portmap, can be controlled in the same way if they have been compiled
with the libwrap library.
Format of /etc/hosts.allow and /etc/hosts.deny:
/etc/hosts.allow is checked first by tcpd:
if an entry matches, the host is allowed to access the service.
Otherwise, /etc/hosts.deny is checked: if an entry matches,
access is denied. If none of the entries match, or both
files are empty, access is allowed.
Keywords: ALL (matches all requests), EXCEPT, LOCAL (hosts
matching the local network - no domain), KNOWN (resolvable hosts),
PARANOID (hostname doesn't match IP), UNKNOWN (unresolvable hosts).
sshd: 220.127.116.11 128.6.
in.tftpd: LOCAL, .my.domain
in.rshd: 18.104.22.168 22.214.171.124
ALL: .foobar.edu EXCEPT terminalserver.foobar.edu
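
Because of the check order described above, a client that matches no entry is let in. The following Python sketch is an added example, not part of the original page and not libwrap's code: it models only the ALL, LOCAL, EXCEPT, domain-suffix and address-prefix patterns, and assumes the sample entries above live in /etc/hosts.allow. The client names and addresses passed to decide() are constructed.

```python
# Added example: simplified model of tcpd's decision order, not libwrap itself.
# Omitted: KNOWN/UNKNOWN/PARANOID (need DNS), netmasks, shell-command field.

# The page's sample entries, assumed here to live in /etc/hosts.allow.
HOSTS_ALLOW = """\
sshd: 220.127.116.11 128.6.
in.tftpd: LOCAL, .my.domain
in.rshd: 18.104.22.168 22.214.171.124
ALL: .foobar.edu EXCEPT terminalserver.foobar.edu
"""

def match_one(pat, host, addr):
    """Match a single client pattern against a client hostname and address."""
    if pat == "ALL":
        return True
    if pat == "LOCAL":                 # hostname with no domain part
        return "." not in host
    if pat.startswith("."):            # domain suffix such as .my.domain
        return host.endswith(pat)
    if pat.endswith("."):              # address prefix such as 128.6.
        return addr.startswith(pat)
    return pat in (host, addr)         # exact hostname or address

def match_list(tokens, host, addr):
    """'a b EXCEPT c' matches when a or b matches and c does not."""
    if "EXCEPT" in tokens:
        i = tokens.index("EXCEPT")
        return (match_list(tokens[:i], host, addr)
                and not match_list(tokens[i + 1:], host, addr))
    return any(match_one(p, host, addr) for p in tokens)

def file_matches(text, daemon, host, addr):
    """True if any 'daemons: clients' line covers this daemon and client."""
    for line in text.splitlines():
        if ":" not in line or line.lstrip().startswith("#"):
            continue
        daemons, clients = (f.replace(",", " ").split() for f in line.split(":")[:2])
        if ("ALL" in daemons or daemon in daemons) and match_list(clients, host, addr):
            return True
    return False

def decide(allow, deny, daemon, host, addr):
    """hosts.allow first, then hosts.deny, otherwise access is granted."""
    if file_matches(allow, daemon, host, addr):
        return "allow: matched hosts.allow"
    if file_matches(deny, daemon, host, addr):
        return "deny: matched hosts.deny"
    return "allow: no rule matched"
```

With an empty hosts.deny, decide(HOSTS_ALLOW, "", "in.rshd", "terminalserver.foobar.edu", "192.0.2.30") returns "allow: no rule matched", so the EXCEPT clause alone does not keep that host out; passing "ALL: ALL" as the hosts.deny text turns the same request into a deny.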