TCP Wrappers Release Notes
What’s in This Version
TCP Wrapper Features
Chapter 1 7
— The /etc/hosts.allow file is checked first. If a daemon-client pair
matches an entry in this file, access will be granted.
— The /etc/hosts.deny file is checked. If a daemon-client pair
matches an entry in this file, access will be denied.
— If no daemon-client pair match was found in either of the access
control files, access will be granted.
Here, “daemon” is the name of a network daemon process and
“client” is the name and/or address of a host requesting the service.
Access control can be turned off by not providing an access control
file.
Examples:
1. To grant access to the ftp service to ‘all’, specify the following
in the /etc/hosts.allow file:
ftpd:ALL
2. To deny the host “some.host.name” and all hosts in the domain
“some.domain” access to all the services, specify the following
entry in the /etc/hosts.deny file:
ALL:some.host.name, .some.domain
3. To grant access to all hosts in the domain “xyz.com” except the
host “abc.xyz.com” for the telnet service, specify the following entry
in the /etc/hosts.allow file:
telnetd:.xyz.com EXCEPT abc.xyz.com
NOTE Refer to hosts_access(5) and hosts_options(5) man pages for more
information on the access control language used and the various
options provided by ACLs.
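The lookup order described above, modelled as an added Python example (this is not HP's or tcpd's code). The function names and the sample tables are assumptions built from the three examples; only ALL, exact host names, leading-dot domains and EXCEPT are handled, not addresses or options.

```python
# Added example: simplified model of the hosts.allow / hosts.deny lookup order.
# Handles only the pattern forms used in the examples: ALL, exact host names,
# leading-dot domain suffixes, comma/space-separated lists, and EXCEPT.
import re

def _match_one(pattern, value):
    """Match one token against a daemon name or a client host name."""
    if pattern == "ALL":
        return True
    if pattern.startswith("."):        # ".xyz.com" matches any host in the domain
        return value.lower().endswith(pattern.lower())
    return pattern.lower() == value.lower()

def _match_list(spec, value):
    """Match 'list [EXCEPT list]'; a hit in the EXCEPT part cancels the match."""
    wanted, _, excluded = spec.partition(" EXCEPT ")
    hit = any(_match_one(t, value) for t in re.split(r"[,\s]+", wanted.strip()) if t)
    if hit and excluded:
        hit = not _match_list(excluded, value)
    return hit

def _table_matches(rules, daemon, client):
    """True if any 'daemon_list:client_list' line matches the pair."""
    for line in rules.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        daemons, _, clients = line.partition(":")
        if _match_list(daemons.strip(), daemon) and _match_list(clients.strip(), client):
            return True
    return False

def check_access(hosts_allow, hosts_deny, daemon, client):
    """Return (granted, deciding_step) following the three-step order."""
    if _table_matches(hosts_allow, daemon, client):
        return True, "hosts.allow"     # step 1: first match in allow grants
    if _table_matches(hosts_deny, daemon, client):
        return False, "hosts.deny"     # step 2: match in deny refuses
    return True, "default"             # step 3: no match anywhere grants

# Constructed sample tables built from the three examples on this page.
ALLOW = "ftpd:ALL\ntelnetd:.xyz.com EXCEPT abc.xyz.com\n"
DENY = "ALL:some.host.name, .some.domain\n"

if __name__ == "__main__":
    for d, c in [("ftpd", "some.host.name"), ("telnetd", "abc.xyz.com"),
                 ("telnetd", "pc1.some.domain")]:
        print(d, c, check_access(ALLOW, DENY, d, c))
```

With these tables, abc.xyz.com is still granted telnetd access by the default rule: EXCEPT in /etc/hosts.allow only prevents the match there, so the host must also match an entry in /etc/hosts.deny to be refused.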
• Hostname/Address Spoofing
The wrapper program offers protection against hosts that pretend to
be some other host. If any discrepancy is noticed in the client
address or name, the wrapper program denies access and logs the
information. tcpd also disables the source-routing socket options on
every connection that it deals with. UDP services benefit from this
protection.