Fedora TCP Wrappers
Fedora ships with TCP Wrappers and every application that supports TCP Wrappers is shipped with libwrap enabled.
Less thrillingly, the default configuration disables TCP Wrappers. Let's fix that. Edit /etc/hosts.deny to deny access by default:
ALL: ALL
Obviously the local machine should be able to access itself using IPv4 and IPv6, so edit /etc/hosts.allow to read:
ALL: 127.
ALL: [::1]/128
Now for every application that needs access, add a line to /etc/hosts.allow. For example, Fedora runs sshd:
sshd: ALL
As another example, an e-mail server might have:
sendmail: ALL
imapd: ALL
The scanner used on the local NATed network might be:
saned: 192.168.1.0/255.255.255.0
One trick is the xinetd meta-daemon. The name used in hosts.allow is the program basename from the "server =" line, not the name on the "service" line.
For example, a TFTP daemon could have a /etc/xinetd.d/tftp of:
service tftp
{
    socket_type = dgram
    protocol    = udp
    wait        = yes
    user        = root
    server      = /usr/sbin/in.tftpd
    server_args = -U 117 -c -s /tftpboot -vvv
    disable     = no
    per_source  = 11
    cps         = 100 2
    flags       = IPv4
}
That service would have a hosts.allow entry of:
in.tftpd: 192.168.1.0/255.255.255.0
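The xinetd naming rule is easy to get wrong, so it is worth checking mechanically. The following is an added example, not part of the original page: it derives the hosts.allow daemon name from the "server =" line of each enabled service and flags rules that name the service instead. The sample files and function names are constructed for illustration.

```python
import os
import re

# Constructed sample inputs, not taken from a real host.
XINETD_CONF = """
service tftp
{
    server  = /usr/sbin/in.tftpd
}
service telnet
{
    server  = /usr/sbin/in.telnetd
    disable = yes
}
"""
HOSTS_ALLOW = """
ALL: 127.
sshd: ALL
tftp: 192.168.1.0/255.255.255.0
"""

def xinetd_daemon_names(conf):
    """Map each enabled service to the basename of its "server =" path."""
    names = {}
    for svc, body in re.findall(r"^\s*service\s+(\S+)\s*\{(.*?)\}", conf, re.S | re.M):
        attrs = dict(re.findall(r"^\s*(\w+)\s*=\s*(.*?)\s*$", body, re.M))
        if "server" in attrs and attrs.get("disable") != "yes":
            names[svc] = os.path.basename(attrs["server"])
    return names

def hosts_allow_daemons(text):
    """Collect the daemon names left of the first ':' in each rule."""
    rules = (l for l in text.splitlines() if not l.lstrip().startswith("#"))
    return {d for r in rules if ":" in r for d in r.split(":", 1)[0].replace(",", " ").split()}

def audit(conf, allow):
    """Return {service: verdict} for every enabled xinetd service."""
    listed, result = hosts_allow_daemons(allow), {}
    for svc, daemon in xinetd_daemon_names(conf).items():
        if daemon in listed:
            result[svc] = "ok"
        elif svc in listed:
            result[svc] = "rule names the service; use " + daemon
        else:
            result[svc] = "no rule for " + daemon
    return result

if __name__ == "__main__":
    print(audit(XINETD_CONF, HOSTS_ALLOW))
```

With the default-deny hosts.deny shown earlier, a service flagged here is refused for every remote client until a rule names its daemon. Services without a "server =" line are skipped.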