March 29, 2001, 5:57 PM
TCP wrappers are intended to provide wrapper daemons that can be installed without any changes to existing software. Most TCP/IP applications depend on the client/server model -- i.e., when a client requests a connection, a server process is started on the host. TCP wrappers work by interposing an additional layer, or wrapper, between client and server.
In the basic service, the wrapper simply logs the name of the client host and the requested service, then hands the connection over to the real daemon; it neither exchanges information with the client or the server nor imposes overhead on the actual conversation between the two. Optional features may be enabled, including access control, client-user name lookups, and additional protection against hostname spoofing.
(The current version of the software, 7.6, can be obtained via FTP. See the Resources section below for the URL.)
Compilation
Many Unix flavors are supported by TCP wrappers, so you shouldn't have any trouble building from source. There are, however, a few decisions to make at compile time. Features, for example, can be turned on or off through definitions. Here is a list, with default values shown where appropriate:
STYLE = -DPROCESS_OPTIONS: Enable language extensions. This is disabled by default.
FACILITY = LOG_MAIL: Where do log records go? I prefer to set this to LOG_DAEMON so that everything goes to /var/log/daemon.
SEVERITY = LOG_INFO: Indicates what level to give to the log message. The default, LOG_INFO, is fine.
HOSTS_ACCESS: When compiled with this option, wrapper programs support a simple form of access control. Because this is the raison d'être of the suite, it's defined by default.
PARANOID: When compiled with -DPARANOID, wrappers will always try to look up and double-check the client hostname, and will always refuse service in the case of a discrepancy between hostname and IP address. This is a reasonable policy for most systems. When compiled without -DPARANOID, wrappers still perform the hostname lookup; however, where such lookups give conflicting results for hostname and IP address, hosts are not automatically rejected. Instead they can be matched with the PARANOID wildcard in the access files, where the decision on whether or not to grant access is made.
DOT = -DAPPEND_DOT: This appends a dot to every domain name -- transforming example.com into example.com., for instance. This is done because on many Unix systems the resolver will append substrings of the local domain and try to look up those hostnames before trying to resolve the name it has actually been given. Use of the APPEND_DOT feature stops this waste of time and resources. It is off by default.
AUTH = -DALWAYS_RFC931: This will cause the system to always try to look up the remote username. For this to be of any use, the remote host must run a daemon that supports the finger protocol. Such lookups aren't possible for UDP-based connections.
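To make the PARANOID and APPEND_DOT behaviour concrete, here is a small model of the check, written for this article and not taken from the tcp_wrappers source: the client's address is resolved to a name, that name is resolved back, and a mismatch is either refused outright (compiled with -DPARANOID) or left for the access files to decide. The resolver data and the `access_rule` callable are constructed stand-ins for DNS and for hosts.allow/hosts.deny evaluation.

```python
"""Model of the tcp_wrappers hostname double-check (added example)."""

# Constructed reverse (PTR) and forward (A) data standing in for real DNS.
REVERSE = {
    "192.0.2.10": "good.example.com",
    "192.0.2.20": "spoof.example.com",   # PTR name whose A record disagrees
    "192.0.2.30": None,                  # no PTR record at all
}
FORWARD = {
    "good.example.com.": ["192.0.2.10"],
    "spoof.example.com.": ["198.51.100.7"],
}


def append_dot(name):
    """APPEND_DOT: a trailing dot marks the name as fully qualified, so the
    resolver does not try local-domain suffixes before the name itself."""
    return name if name.endswith(".") else name + "."


def client_name(ip):
    """Return the verified hostname, 'PARANOID' when the forward lookup of the
    PTR name does not contain the client address, or 'UNKNOWN' when the
    address has no PTR record at all (the three outcomes the wrapper sees)."""
    ptr = REVERSE.get(ip)
    if ptr is None:
        return "UNKNOWN"
    addresses = FORWARD.get(append_dot(ptr), [])
    return ptr if ip in addresses else "PARANOID"


def allow_connection(ip, compiled_paranoid, access_rule=None):
    """Decide whether the wrapper hands the connection to the real daemon.

    With -DPARANOID a hostname/address discrepancy is always refused. Without
    it, the host is passed to the access files, modelled by access_rule, a
    constructed callable(name, ip) -> bool that may match 'PARANOID'."""
    name = client_name(ip)
    if name == "PARANOID" and compiled_paranoid:
        return False            # refused before any access rule runs
    if access_rule is None:
        return True             # no access control compiled in
    return access_rule(name, ip)


if __name__ == "__main__":
    for ip in REVERSE:
        print(ip, client_name(ip), allow_connection(ip, True))
```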