Editorial review of TCP Wrapper chapter.
Change application name to singular. Sponsored by: iXsystems
This commit is contained in:
Dru Lavigne
parent
e5c286ee17
commit
07f6c83bcd
Notes:
svn2git
2020-12-08 03:00:23 +00:00
svn path=/head/; revision=44593
1 changed files with 61 additions and 66 deletions
|
|
@ -51,7 +51,7 @@
|
|||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>How to configure <acronym>TCP</acronym> Wrappers for use
|
||||
<para>How to configure <application>TCP Wrapper</application> for use
|
||||
with &man.inetd.8;.</para>
|
||||
</listitem>
|
||||
|
||||
|
|
@ -866,7 +866,7 @@ Enter secret pass phrase: <userinput><secret password></userinput>
|
|||
|
||||
<sect1 xml:id="tcpwrappers">
|
||||
<info>
|
||||
<title>TCP Wrappers</title>
|
||||
<title>TCP Wrapper</title>
|
||||
|
||||
<authorgroup>
|
||||
<author><personname><firstname>Tom</firstname><surname>Rhodes</surname></personname><contrib>Written
|
||||
|
|
@ -874,55 +874,61 @@ Enter secret pass phrase: <userinput><secret password></userinput>
|
|||
</authorgroup>
|
||||
</info>
|
||||
|
||||
<indexterm><primary>TCP Wrappers</primary></indexterm>
|
||||
<indexterm><primary>TCP Wrapper</primary></indexterm>
|
||||
|
||||
<para><acronym>TCP</acronym> Wrappers extends the abilities of
|
||||
<xref linkend="network-inetd"/> to provide support for every
|
||||
server daemon under its control. It can be configured
|
||||
to provide logging support, return messages to connections, and
|
||||
permit a daemon to only accept internal connections. While some
|
||||
of these features can be provided by implementing a firewall,
|
||||
<acronym>TCP</acronym> Wrappers adds an extra layer of
|
||||
protection and goes beyond the amount of control a firewall can
|
||||
provide.</para>
|
||||
<para><application>TCP Wrapper</application> is a host-based
|
||||
access control system which extends the abilities of
|
||||
<xref linkend="network-inetd"/>. It can be configured
|
||||
to provide logging support, return messages, and
|
||||
connection restrictions for the
|
||||
server daemons under the control of
|
||||
<application>inetd</application>. Refer to &man.tcpd.8; for
|
||||
more information about
|
||||
<application>TCP Wrapper</application> and its features.</para>
|
||||
|
||||
<para><acronym>TCP</acronym> Wrappers should not be considered a
|
||||
<para><application>TCP Wrapper</application> should not be considered a
|
||||
replacement for a properly configured firewall.
|
||||
<acronym>TCP</acronym> Wrappers should be used in conjunction
|
||||
with a firewall and other security enhancements.</para>
|
||||
Instead, <application>TCP Wrapper</application> should be used in conjunction
|
||||
with a firewall and other security enhancements in order to
|
||||
provide another layer of protection in the implementation of a
|
||||
security policy.</para>
|
||||
|
||||
<sect2>
|
||||
<title>Initial Configuration</title>
|
||||
|
||||
<para>To enable <acronym>TCP</acronym> Wrappers in &os;, ensure
|
||||
the &man.inetd.8; server is started from
|
||||
<filename>/etc/rc.conf</filename> with
|
||||
<option>-Ww</option>. Then, properly configure
|
||||
<para>To enable <application>TCP Wrapper</application> in &os;,
|
||||
add the following lines to
|
||||
<filename>/etc/rc.conf</filename>:</para>
|
||||
|
||||
<programlisting>inetd_enable="YES"
|
||||
inetd_flags="-Ww"</programlisting>
|
||||
|
||||
<para>Then, properly configure
|
||||
<filename>/etc/hosts.allow</filename>.</para>
|
||||
|
||||
<note>
|
||||
<para>Unlike other implementations of <acronym>TCP</acronym>
|
||||
Wrappers, the use of <filename>hosts.deny</filename> has
|
||||
been deprecated. All configuration options should be placed
|
||||
<para>Unlike other implementations of
|
||||
<application>TCP Wrapper</application>, the use of <filename>hosts.deny</filename> is
|
||||
deprecated in &os;. All configuration options should be placed
|
||||
in <filename>/etc/hosts.allow</filename>.</para>
|
||||
</note>
|
||||
|
||||
<para>In the simplest configuration, daemon connection policies
|
||||
are set to either be permitted or blocked depending on the
|
||||
are set to either permit or block, depending on the
|
||||
options in <filename>/etc/hosts.allow</filename>. The default
|
||||
configuration in &os; is to allow a connection to every daemon
|
||||
started with &man.inetd.8;.</para>
|
||||
configuration in &os; is to allow all connections to the daemons
|
||||
started with <application>inetd</application>.</para>
|
||||
|
||||
<para>Basic configuration usually takes the form of
|
||||
<literal>daemon : address : action</literal>, where
|
||||
<literal>daemon</literal> is the daemon which &man.inetd.8;
|
||||
<literal>daemon</literal> is the daemon which <application>inetd</application>
|
||||
started, <literal>address</literal> is a valid hostname,
|
||||
<acronym>IP</acronym> address, or an IPv6 address enclosed in
|
||||
brackets ([ ]), and <literal>action</literal> is either
|
||||
<literal>allow</literal> or <literal>deny</literal>.
|
||||
<acronym>TCP</acronym> Wrappers uses a first rule match
|
||||
semantic, meaning that the configuration file is scanned in
|
||||
ascending order for a matching rule. When a match is found,
|
||||
<application>TCP Wrapper</application> uses a first rule match
|
||||
semantic, meaning that the configuration file is scanned
|
||||
from the beginning for a matching rule. When a match is found,
|
||||
the rule is applied and the search process stops.</para>
|
||||
|
||||
<para>For example, to allow <acronym>POP</acronym>3 connections
|
||||
|
|
@ -933,8 +939,8 @@ Enter secret pass phrase: <userinput><secret password></userinput>
|
|||
<programlisting># This line is required for POP3 connections:
|
||||
qpopper : ALL : allow</programlisting>
|
||||
|
||||
<para>After adding this line, &man.inetd.8; needs to be
|
||||
restarted:</para>
|
||||
<para>Whenever this file is edited, restart
|
||||
<application>inetd</application>:</para>
|
||||
|
||||
<screen>&prompt.root; <userinput>service inetd restart</userinput></screen>
|
||||
</sect2>
|
||||
|
|
@ -942,7 +948,7 @@ qpopper : ALL : allow</programlisting>
|
|||
<sect2>
|
||||
<title>Advanced Configuration</title>
|
||||
|
||||
<para><acronym>TCP</acronym> Wrappers provides advanced options
|
||||
<para><application>TCP Wrapper</application> provides advanced options
|
||||
to allow more control over the way connections are handled.
|
||||
In some cases, it may be appropriate to return a comment to
|
||||
certain hosts or daemon connections. In other cases, a log
|
||||
|
|
@ -950,15 +956,12 @@ qpopper : ALL : allow</programlisting>
|
|||
administrator. Other situations may require the use of a
|
||||
service for local connections only. This is all possible
|
||||
through the use of configuration options known as
|
||||
<literal>wildcards</literal>, expansion characters and
|
||||
wildcards, expansion characters, and
|
||||
external command execution.</para>
|
||||
|
||||
<sect3>
|
||||
<title>External Commands</title>
|
||||
|
||||
<para>Suppose that a situation occurs where a connection
|
||||
should be denied yet a reason should be sent to the
|
||||
individual who attempted to establish that connection. That
|
||||
host who attempted to establish that connection. That
|
||||
action is possible with <option>twist</option>. When a
|
||||
connection attempt is made, <option>twist</option> executes
|
||||
a shell command or script. An example exists in
|
||||
|
|
@ -970,9 +973,9 @@ ALL : ALL \
|
|||
: twist /bin/echo "You are not welcome to use %d from %h."</programlisting>
|
||||
|
||||
<para>In this example, the message <quote>You are not allowed
|
||||
to use <literal>daemon</literal> from
|
||||
<literal>hostname</literal>.</quote> will be returned for
|
||||
any daemon not previously configured in the access file.
|
||||
to use <replaceable>daemon name</replaceable> from
|
||||
<replaceable>hostname</replaceable>.</quote> will be returned for
|
||||
any daemon not configured in <filename>hosts.allow</filename>.
|
||||
This is useful for sending a reply back to the connection
|
||||
initiator right after the established connection is dropped.
|
||||
Any message returned <emphasis>must</emphasis> be wrapped in
|
||||
|
|
@ -980,8 +983,8 @@ ALL : ALL \
|
|||
|
||||
<warning>
|
||||
<para>It may be possible to launch a denial of service
|
||||
attack on the server if an attacker, or group of
|
||||
attackers, could flood these daemons with connection
|
||||
attack on the server if an attacker
|
||||
floods these daemons with connection
|
||||
requests.</para>
|
||||
</warning>
|
||||
|
||||
|
|
@ -990,9 +993,9 @@ ALL : ALL \
|
|||
implicitly denies the connection and may be used to run
|
||||
external shell commands or scripts. Unlike
|
||||
<option>twist</option>, <option>spawn</option> will not send
|
||||
a reply back to the individual who established the
|
||||
a reply back to the host who established the
|
||||
connection. For example, consider the following
|
||||
configuration line:</para>
|
||||
configuration:</para>
|
||||
|
||||
<programlisting># We do not allow connections from example.com:
|
||||
ALL : .example.com \
|
||||
|
|
@ -1004,46 +1007,38 @@ ALL : .example.com \
|
|||
class="fqdomainname">*.example.com</systemitem> and log
|
||||
the hostname, <acronym>IP</acronym> address, and the daemon
|
||||
to which access was attempted to
|
||||
<filename>/var/log/connections.log</filename>.</para>
|
||||
|
||||
<para>This example uses the substitution characters
|
||||
<filename>/var/log/connections.log</filename>. This example
|
||||
uses the substitution characters
|
||||
<literal>%a</literal> and <literal>%h</literal>. Refer to
|
||||
&man.hosts.access.5; for the complete list.</para>
|
||||
</sect3>
|
||||
|
||||
<sect3>
|
||||
<title>Wildcard Options</title>
|
||||
|
||||
<para>The <literal>ALL</literal> option may be used to match
|
||||
every instance of a daemon, domain, or an
|
||||
<acronym>IP</acronym> address. Another wildcard is
|
||||
<para>To match every instance of a daemon, domain, or
|
||||
<acronym>IP</acronym> address, use <literal>ALL</literal>. Another wildcard is
|
||||
<literal>PARANOID</literal> which may be used to match
|
||||
any host which provides an <acronym>IP</acronym> address
|
||||
that may be forged. For example,
|
||||
<literal>PARANOID</literal> may be used to define an action
|
||||
to be taken whenever a connection is made from an
|
||||
<acronym>IP</acronym> address that differs from its
|
||||
that may be forged because the
|
||||
<acronym>IP</acronym> address differs from its resolved
|
||||
hostname. In this example, all connection requests to
|
||||
&man.sendmail.8; which have an <acronym>IP</acronym> address
|
||||
<application>Sendmail</application> which have an <acronym>IP</acronym> address
|
||||
that varies from its hostname will be denied:</para>
|
||||
|
||||
<programlisting># Block possibly spoofed requests to sendmail:
|
||||
sendmail : PARANOID : deny</programlisting>
|
||||
|
||||
<caution>
|
||||
<para>Using the <literal>PARANOID</literal> wildcard may
|
||||
severely cripple servers if the client or server has a
|
||||
broken <acronym>DNS</acronym> setup. Administrator
|
||||
discretion is advised.</para>
|
||||
<para>Using the <literal>PARANOID</literal> wildcard will
|
||||
result in denied connections if the client or server has a
|
||||
broken <acronym>DNS</acronym> setup.</para>
|
||||
</caution>
|
||||
|
||||
<para>To learn more about wildcards and their associated
|
||||
functionality, refer to &man.hosts.access.5;.</para>
|
||||
|
||||
<para>Before any of the specific configuration lines above
|
||||
will work, the first configuration line should be commented
|
||||
<note>
|
||||
<para>When adding new configuration lines, make sure that any
|
||||
unneeded entries for that daemon are commented
|
||||
out in <filename>hosts.allow</filename>.</para>
|
||||
</sect3>
|
||||
</note>
|
||||
</sect2>
|
||||
</sect1>
|
||||
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue