*BSD News Article 73506



Path: euryale.cc.adfa.oz.au!newshost.anu.edu.au!harbinger.cc.monash.edu.au!munnari.OZ.AU!spool.mu.edu!sgigate.sgi.com!nntp.coast.net!news.kei.com!news.mathworks.com!uunet!in2.uu.net!shemesh.tis.com!dira.rv.tis.com!not-for-mail
From: mark@dira.rv.tis.com (Mark Sienkiewicz)
Newsgroups: comp.unix.bsd.misc
Subject: Re: Tcp Wrappers
Date: 12 Jul 1996 12:23:32 -0400
Organization: Trusted Information Systems
Lines: 25
Message-ID: <4s5u64$m4d@dira.rv.tis.com>
References: <31E63862.36A2@soonet.ca>
Reply-To: mark@tis.com
NNTP-Posting-Host: relay.tis.com

In article <31E63862.36A2@soonet.ca>, Don Joy  <joydon@soonet.ca> wrote:
>I'm using bsd 2.1 and i'm running tcp wrapper to limit who can access
>services, especially telnet.  It works great except if someone telnets
>in using a port parameter such as "telnet host 119".  In this case, the
>access list seems to be bypassed entirely and they are given access
>where they wouldn't normally have been.  Anyone have a workaround for
>this?  Thanks.

The tcp wrappers work by replacing the service listening on a particular
port.  For example, telnet service is on port 23.  You place a tcp
wrapper on port 23, it receives the connection, checks it, and if
it likes it, runs the telnet daemon.

It doesn't get involved at all for other services.

If you want to protect other services, you also have to install a
tcp wrapper for them.  For example, you could refuse mail from
a particular site by installing a tcp wrapper on port 25 and
having it run sendmail (with the appropriate flags to make it
handle an SMTP transaction on its standard input).

I don't know if the NNTP (port 119) server you are using has a
similar feature, but filtering features exist in every NNTP
implementation I've ever seen.  (e.g. you can configure who
can read news from your machine.)
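The point above, that a wrapper only guards the port it is installed on, can be checked mechanically. The script below is an added example, not part of the original post: it assumes the wrappers are deployed the usual way, with inetd running Wietse Venema's tcpd in place of the real daemon, and it reads a constructed inetd.conf (daemon paths are assumed) to list the TCP services inetd still starts directly, which no hosts.allow/hosts.deny rule will ever see.

```shell
#!/bin/sh
# Added example: find inetd.conf services that bypass the tcp wrappers.
# Classic inetd.conf fields:
#   service socktype proto wait/nowait user server-program args...
# A wrapped entry names tcpd as the server program and passes the real
# daemon as its first argument; an unwrapped entry names the daemon itself.

# Constructed sample inetd.conf (paths are assumptions, not a real host).
SAMPLE_INETD_CONF="${TMPDIR:-/tmp}/inetd.conf.sample"
cat > "$SAMPLE_INETD_CONF" <<'EOF'
# constructed sample
telnet  stream  tcp  nowait  root    /usr/libexec/tcpd     telnetd
ftp     stream  tcp  nowait  root    /usr/libexec/tcpd     ftpd -l
smtp    stream  tcp  nowait  root    /usr/sbin/sendmail    sendmail -bs
nntp    stream  tcp  nowait  news    /usr/libexec/nntpd    nntpd
finger  stream  tcp  nowait  nobody  /usr/libexec/fingerd  fingerd
EOF

# Print the name of every TCP service whose server program is not tcpd.
unwrapped_services() {
    awk '
        /^[ \t]*#/ || NF < 6 { next }      # skip comments and blank lines
        $3 != "tcp"          { next }      # tcpd guards TCP listeners only
        $6 !~ /(^|\/)tcpd$/  { print $1 }  # server program field is not tcpd
    ' "$1"
}

# Number of unwrapped TCP services, useful as a one-line audit figure.
unwrapped_count() {
    unwrapped_services "$1" | wc -l | tr -d ' '
}

# With the sample above this reports smtp, nntp and finger: exactly the
# ports on which "telnet host 25" or "telnet host 119" is never checked.
unwrapped_services "$SAMPLE_INETD_CONF"
```

Every service the script prints needs either its own tcpd entry in inetd.conf or the daemon's own access controls, as the reply says for NNTP.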