User guide

Chapter 2. Securing Your Network
52
Figure 2.4. Access Control to Network Services
This chapter focuses on the role of TCP Wrappers and xinetd in controlling access to network
services and reviews how these tools can be used to enhance both logging and utilization
management. Refer to Section 2.6, “IPTables” for information about using firewalls with iptables.
2.3.1. TCP Wrappers
The TCP Wrappers packages (tcp_wrappers and tcp_wrappers-libs) are installed by default
and provide host-based access control to network services. The most important component within the
package is the /lib/libwrap.a or /lib64/libwrap.a library. In general terms, a TCP-wrapped
service is one that has been compiled against the libwrap.a library.
When a connection attempt is made to a TCP-wrapped service, the service first references the host's
access files (/etc/hosts.allow and /etc/hosts.deny) to determine whether or not the client is
allowed to connect. In most cases, it then uses the syslog daemon (syslogd) to write the name of the
requesting client and the requested service to /var/log/secure or /var/log/messages.
If a client is allowed to connect, TCP Wrappers release control of the connection to the requested
service and take no further part in the communication between the client and the server.
In addition to access control and logging, TCP Wrappers can execute commands to interact with the
client before denying or releasing control of the connection to the requested network service.
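The allow-then-deny evaluation order described above, written out as an added Python example (not libwrap's own code): it evaluates constructed hosts.allow and hosts.deny contents for a daemon/client pair, handling ALL, leading-dot domain suffixes and trailing-dot address prefixes; options after the second colon are ignored, and the hosts and addresses are constructed samples.

```python
from typing import List, Tuple

# Constructed sample files (not taken from any real host).
HOSTS_ALLOW = """
# Allow SSH from the management subnet and from the backup host
sshd : 192.168.1. , backup.example.com
vsftpd : ALL
"""
HOSTS_DENY = """
# Deny everything that hosts.allow did not grant
ALL : ALL
"""

Rule = Tuple[List[str], List[str]]  # (daemon_list, client_list)

def parse_rules(text: str) -> List[Rule]:
    """Parse 'daemon_list : client_list [: ...]' lines; '#' lines skipped."""
    rules: List[Rule] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = [f.strip() for f in line.split(":")]
        if len(fields) < 2:
            continue  # malformed line: ignored, as the man page says libwrap does
        daemons = [d.strip() for d in fields[0].split(",") if d.strip()]
        clients = [c.strip() for c in fields[1].split(",") if c.strip()]
        rules.append((daemons, clients))
    return rules

def client_matches(pattern: str, host: str, addr: str) -> bool:
    if pattern == "ALL":
        return True
    if pattern.startswith("."):      # domain suffix, e.g. .example.com
        return host.endswith(pattern)
    if pattern.endswith("."):        # address prefix, e.g. 192.168.1.
        return addr.startswith(pattern)
    return pattern in (host, addr)   # exact hostname or address

def matches(rules: List[Rule], daemon: str, host: str, addr: str) -> bool:
    return any((daemon in ds or "ALL" in ds)
               and any(client_matches(p, host, addr) for p in cs)
               for ds, cs in rules)

def access_allowed(daemon: str, host: str, addr: str,
                   allow: str = HOSTS_ALLOW, deny: str = HOSTS_DENY) -> bool:
    """hosts.allow is consulted first, then hosts.deny; no match means grant."""
    if matches(parse_rules(allow), daemon, host, addr):
        return True
    if matches(parse_rules(deny), daemon, host, addr):
        return False
    return True
```

Because an empty hosts.deny grants everything that hosts.allow does not mention, the `ALL : ALL` deny rule is what turns the sample into a default-deny policy.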