[Eug-lug] Wrapping for Access Control

Jeff_W beaker at freeshell.org
Sat Jan 22 23:30:00 PST 2005


nparker at LLX.COM (Neil Parker) wrote:

> >I don't understand TCP wrappers, but from Bob's comment I'd guess the
> >wrapper is listening to port:70(?)
>
> Actually, TCP wrappers doesn't listen on ANY port.
>
> Understanding TCP wrappers requires understanding how inetd works.
> Inetd reads a configuration file (/etc/inetd.conf) that tells it what
> ports to listen on, and what client programs to invoke when something tries
> to connect to those ports.  Inetd handles all the socket programming itself,
> and when it launches a client program to handle an incoming request, it
> connects the program's standard input and output to the socket.  So all the
> client program has to do is read from its standard input and write to its
> standard output.
>
> TCP wrappers includes a special client program called "tcpd".  The idea is
> that you tell inetd (via /etc/inetd.conf) to launch tcpd instead of the
> real client program.  Tcpd checks the origin of the connection using its
> hosts.allow and hosts.deny files, and if the tests pass, it launches the
> real client program.
>
>
> Programs that don't expect to run under inetd have to do all their socket
> handling all by themselves.  Fixing a standalone program to work under
> inetd generally means ripping out all that socket handling code and
> replacing it with code that just reads from standard input and writes to
> standard output.

Hey Neil - thanks for the concise inetd explanation. I
don't really care about using inetd so much as having the
host access control provided by TCP Wrappers; it just seems
that TCPW is married to inetd (with the exception of sshd
and maybe sendmail).  I think ultimately I'm going to need
to rely on a firewall to get real security, however the
simplicity of TCP Wrappers _is_ very attractive.  I've
installed the tcpserver stuff but it looks pretty cryptic
so far; maybe if I just stare at it long enough ....

-Jeff
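
Added example, not part of the original messages and not tcpd's actual source: a minimal C wrapper showing the pattern described in the quoted explanation, where inetd hands over the connected socket on standard input, the wrapper checks the peer address, and only then launches the real program. The ALLOW list and the function names addr_allowed and peer_allowed are assumptions made for illustration; real tcpd reads hosts.allow and hosts.deny and supports more pattern types than the trailing-dot prefix shown here.

```c
/* Illustration of the tcpd pattern: the socket is already on fd 0/1. */
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Constructed allow list (assumption). As in hosts.allow, an entry ending
 * in '.' matches every address that starts with those fields. */
static const char *ALLOW[] = { "127.0.0.1", "192.168.1.", NULL };

/* 1 if addr matches an entry (trailing '.' = prefix match, else exact). */
int addr_allowed(const char *addr, const char **allow)
{
    for (; *allow; allow++) {
        size_t n = strlen(*allow);
        if (n > 0 && (*allow)[n - 1] == '.') {
            if (strncmp(addr, *allow, n) == 0)
                return 1;
        } else if (strcmp(addr, *allow) == 0) {
            return 1;
        }
    }
    return 0;
}

/* Look up who is on the other end of fd. Anything that is not an IPv4
 * socket, or whose address cannot be read, is denied. */
int peer_allowed(int fd, const char **allow)
{
    struct sockaddr_in sa;
    socklen_t len = sizeof sa;
    char ip[INET_ADDRSTRLEN];
    if (getpeername(fd, (struct sockaddr *)&sa, &len) != 0) return 0;
    if (sa.sin_family != AF_INET) return 0;
    if (inet_ntop(AF_INET, &sa.sin_addr, ip, sizeof ip) == NULL) return 0;
    return addr_allowed(ip, allow);
}

int main(int argc, char **argv)
{
    if (argc < 2) return 2;             /* usage: wrapper /path/to/daemon [args] */
    if (!peer_allowed(STDIN_FILENO, ALLOW))
        return 1;                       /* exiting closes the socket */
    execv(argv[1], argv + 1);           /* daemon inherits the socket on fd 0/1 */
    perror("execv");
    return 127;
}
```

Because the check happens before execv, the wrapped program never sees a connection from a denied address, which is why a daemon that does its own socket handling cannot be protected this way without being changed.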

