tcpwrappers.html

FreeBSD操作系统的详细使用手册

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
    "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta name="generator" content="HTML Tidy, see www.w3.org" />
<title>TCP Wrappers</title>
<meta name="GENERATOR" content="Modular DocBook HTML Stylesheet Version 1.7" />
<link rel="HOME" title="FreeBSD Handbook" href="index.html" />
<link rel="UP" title="Security" href="security.html" />
<link rel="PREVIOUS" title="One-time Passwords" href="one-time-passwords.html" />
<link rel="NEXT" title="KerberosIV" href="kerberosiv.html" />
<link rel="STYLESHEET" type="text/css" href="docbook.css" />
</head>
<body class="SECT1" bgcolor="#FFFFFF" text="#000000" link="#0000FF" vlink="#840084"
alink="#0000FF">
<div class="NAVHEADER">
<table summary="Header navigation table" width="100%" border="0" cellpadding="0"
cellspacing="0">
<tr>
<th colspan="3" align="center">FreeBSD Handbook</th>
</tr>

<tr>
<td width="10%" align="left" valign="bottom"><a href="one-time-passwords.html"
accesskey="P">Prev</a></td>
<td width="80%" align="center" valign="bottom">Chapter 14 Security</td>
<td width="10%" align="right" valign="bottom"><a href="kerberosiv.html"
accesskey="N">Next</a></td>
</tr>
</table>

<hr align="LEFT" width="100%" />
</div>

<div class="SECT1">
<h1 class="SECT1"><a id="TCPWRAPPERS" name="TCPWRAPPERS">14.6 TCP Wrappers</a></h1>

<i class="AUTHORGROUP"><span class="CONTRIB">Written by:</span> Tom Rhodes.</i> 

<p>Anyone familiar with <a
href="http://www.FreeBSD.org/cgi/man.cgi?query=inetd&sektion=8"><span
class="CITEREFENTRY"><span class="REFENTRYTITLE">inetd</span>(8)</span></a> has probably
heard of <acronym class="ACRONYM">TCP</acronym> Wrappers at some point. But few
individuals seem to fully comprehend its usefulness in a network environment. It seems
that everyone wants to install a firewall to handle network connections. While a firewall
has a wide variety of uses, there are some things that a firewall not handle such as
sending text back to the connection originator. The <acronym
class="ACRONYM">TCP</acronym> software does this and much more. In the next few sections
many of the <acronym class="ACRONYM">TCP</acronym> Wrappers features will be discussed,
and, when applicable, example configuration lines will be provided.</p>

<p>The <acronym class="ACRONYM">TCP</acronym> Wrappers software extends the abilities of
<tt class="COMMAND">inetd</tt> to provide support for every server daemon under its
control. Using this method it is possible to provide logging support, return messages to
connections, permit a daemon to only accept internal connections, etc. While some of
these features can be provided by implementing a firewall, this will add not only an
extra layer of protection but go beyond the amount of control a firewall can provide.</p>

<p>The added functionality of <acronym class="ACRONYM">TCP</acronym> Wrappers should not
be considered a replacement for a good firewall; however, but should used in conjunction
with a firewall and other security configurations to add an extra layer of protection for
the system.</p>

<p>Since this is an extension to the configuration of <tt class="COMMAND">inetd</tt>, the
reader is expected have read the <a href="network-inetd.html">inetd configuration</a>
section.</p>

<div class="SECT2">
<h2 class="SECT2"><a id="AEN19395" name="AEN19395">14.6.1 Initial Configuration</a></h2>

<p>The only requirement of using <acronym class="ACRONYM">TCP</acronym> Wrappers in
FreeBSD is to ensure the <tt class="COMMAND">inetd</tt> server is started from <tt
class="FILENAME">rc.conf</tt> with the <var class="OPTION">-Ww</var> option; this is the
default setting. Of course, proper configuration of <tt
class="FILENAME">/etc/hosts.allow</tt> is also expected, but <a
href="http://www.FreeBSD.org/cgi/man.cgi?query=syslogd&sektion=8"><span
class="CITEREFENTRY"><span class="REFENTRYTITLE">syslogd</span>(8)</span></a> will throw
messages in the system logs in these cases.</p>

<div class="NOTE">
<blockquote class="NOTE">
<p><b>Note:</b> Unlike other implementations of <acronym class="ACRONYM">TCP</acronym>
Wrappers, the use of <tt class="FILENAME">hosts.deny</tt> has been deprecated. All
configuration options should be placed in <tt class="FILENAME">/etc/hosts.allow</tt>.</p>
</blockquote>
</div>

<p>In the simplest configuration, daemon connection policies are set to either be
permitted or blocked depending on the options in <tt
class="FILENAME">/etc/hosts.allow</tt>. The default configuration in FreeBSD is to allow
a connection to every daemon started with <tt class="COMMAND">inetd</tt>. Changing this
will be discussed only after the basic configuration is covered.</p>

<p>Basic configuration usually takes the form of <var class="LITERAL">daemon : address :
action</var>. Where <var class="LITERAL">daemon</var> is the daemon name which <tt
class="COMMAND">inetd</tt> started. The <var class="LITERAL">address</var> can be a valid
hostname, an <acronym class="ACRONYM">IP</acronym> address or an IPv6 address enclosed in
brackets ([&nbsp;]). The action field can be either allow or deny to grant or deny access
appropriately. Keep in mind that configuration works off a first rule match semantic,
meaning that the configuration file is scanned in ascending order for a matching rule.
When a match is found the rule is applied and the search process will halt.</p>

<p>Several other options exist but they will be explained in a later section. A simple
configuration line may easily be constructed from that information alone. For example, to
allow <acronym class="ACRONYM">POP</acronym>3 connections via the <a
href="http://www.FreeBSD.org/cgi/url.cgi?ports/mail/qpopper/pkg-descr"><tt
class="FILENAME">mail/qpopper</tt></a> daemon, the following lines should be appended to
<tt class="FILENAME">hosts.allow</tt>:</p>

<pre class="PROGRAMLISTING">
# This line is required for POP3 connections:
qpopper : ALL : allow
</pre>

<p>After adding this line, <tt class="COMMAND">inetd</tt> will need restarted. This can
be accomplished by use of the <a
href="http://www.FreeBSD.org/cgi/man.cgi?query=kill&sektion=1"><span
class="CITEREFENTRY"><span class="REFENTRYTITLE">kill</span>(1)</span></a> command, or
with the <var class="PARAMETER">restart</var> parameter with <tt
class="FILENAME">/etc/rc.d/inetd</tt>.</p>
</div>

<div class="SECT2">
<h2 class="SECT2"><a id="AEN19432" name="AEN19432">14.6.2 Advanced Configuration</a></h2>

<p><acronym class="ACRONYM">TCP</acronym> Wrappers has advanced options too; they will
allow for more control over the way connections are handled. In some cases it may be a
good idea to return a comment to certain hosts or daemon connections. In other cases,
perhaps a log file should be recorded or an email sent to the administrator. Other
situations may require the use of a service for local connections only. This is all
possible through the use of configuration options known as <var
class="LITERAL">wildcards</var>, expansion characters and external command execution. The
next two sections are written to cover these situations.</p>

<div class="SECT3">
<h3 class="SECT3"><a id="AEN19437" name="AEN19437">14.6.2.1 External Commands</a></h3>

<p>Suppose that a situation occurs where a connection should be denied yet a reason
should be sent to the individual who attempted to establish that connection. How could it
be done? That action can be made possible by using the <var class="OPTION">twist</var>
option. When a connection attempt is made, <var class="OPTION">twist</var> will be called
to execute a shell command or script. An example already exists in the <tt
class="FILENAME">hosts.allow</tt> file:</p>

<pre class="PROGRAMLISTING">
# The rest of the daemons are protected.
ALL : ALL \
        : severity auth.info \
        : twist /bin/echo "You are not welcome to use %d from %h."
</pre>

<p>This example shows that the message, ``You are not allowed to use <var
class="LITERAL">daemon</var> from <var class="LITERAL">hostname</var>.'' will be returned
for any daemon not previously configured in the access file. This is extremely useful for
sending a reply back to the connection initiator right after the established connection
is dropped. Note that any message returned <span class="emphasis"><i
class="EMPHASIS">must</i></span> be wrapped in quote <var class="LITERAL">"</var>
characters; there are no exceptions to this rule.</p>

<div class="WARNING">
<blockquote class="WARNING">
<p><b>Warning:</b> It may be possible to launch a denial of service attack on the server
if an attacker, or group of attackers could flood these daemons with connection
requests.</p>
</blockquote>
</div>

<p>Another possibility is to use the <var class="OPTION">spawn</var> option in these
cases. Like <var class="OPTION">twist</var>, the <var class="OPTION">spawn</var>
implicitly denies the connection and may be used to run external shell commands or
scripts. Unlike <var class="OPTION">twist</var>, <var class="OPTION">spawn</var> will not
send a reply back to the individual who established the connection. For an example,
consider the following configuration line:</p>

<pre class="PROGRAMLISTING">
# We do not allow connections from example.com:
ALL : .example.com \
    : spawn (/bin/echo %a from %h attempted to access %d &gt;&gt; \
      /var/log/connections.log) \
    : deny
</pre>

<p>This will deny all connection attempts from the <tt class="HOSTID">*.example.com</tt>
domain; simultaneously logging the hostname, <acronym class="ACRONYM">IP</acronym>
address and the daemon which they attempted to access in the <tt
class="FILENAME">/var/log/connections.log</tt> file.</p>

<p>Aside from the already explained substitution characters above, e.g. %a, a few others
exist. See the <a
href="http://www.FreeBSD.org/cgi/man.cgi?query=hosts_access&sektion=5"><span
class="CITEREFENTRY"><span class="REFENTRYTITLE">hosts_access</span>(5)</span></a> manual
page for the complete list.</p>
</div>

<div class="SECT3">
<h3 class="SECT3"><a id="AEN19467" name="AEN19467">14.6.2.2 Wildcard Options</a></h3>

<p>Thus far the <var class="LITERAL">ALL</var> example has been used continuously
throughout the examples. Other options exist which could extend the functionality a bit
further. For instance, <var class="LITERAL">ALL</var> may be used to match every instance
of either a daemon, domain or an <acronym class="ACRONYM">IP</acronym> address. Another
wildcard available is <var class="LITERAL">PARANOID</var> which may be used to match any
host which provides an <acronym class="ACRONYM">IP</acronym> address that may be forged.
In other words, <var class="LITERAL">paranoid</var> may be used to define an action to be
taken whenever a connection is made from an <acronym class="ACRONYM">IP</acronym> address
that differs from its hostname. The following example may shed some more light on this
discussion:</p>

<pre class="PROGRAMLISTING">
# Block possibly spoofed requests to sendmail:
sendmail : PARANOID : deny
</pre>

<p>In that example all connection requests to <tt class="COMMAND">sendmail</tt> which
have an <acronym class="ACRONYM">IP</acronym> address that varies from its hostname will
be denied.</p>

<div class="CAUTION">
<blockquote class="CAUTION">
<p><b>Caution:</b> Using the <var class="LITERAL">PARANOID</var> may severely cripple
servers if the client or server has a broken <acronym class="ACRONYM">DNS</acronym>
setup. Administrator discretion is advised.</p>
</blockquote>
</div>

<p>To learn more about wildcards and their associated functionality, see the <a
href="http://www.FreeBSD.org/cgi/man.cgi?query=hosts_access&sektion=5"><span
class="CITEREFENTRY"><span class="REFENTRYTITLE">hosts_access</span>(5)</span></a> manual
page.</p>

<p>Before any of the specific configuration lines above will work, the first
configuration line should be commented out in <tt class="FILENAME">hosts.allow</tt>. This
was noted at the beginning of this section.</p>
</div>
</div>
</div>

<div class="NAVFOOTER">
<hr align="LEFT" width="100%" />
<table summary="Footer navigation table" width="100%" border="0" cellpadding="0"
cellspacing="0">
<tr>
<td width="33%" align="left" valign="top"><a href="one-time-passwords.html"
accesskey="P">Prev</a></td>
<td width="34%" align="center" valign="top"><a href="index.html"
accesskey="H">Home</a></td>
<td width="33%" align="right" valign="top"><a href="kerberosiv.html"
accesskey="N">Next</a></td>
</tr>

<tr>
<td width="33%" align="left" valign="top">One-time Passwords</td>
<td width="34%" align="center" valign="top"><a href="security.html"
accesskey="U">Up</a></td>
<td width="33%" align="right" valign="top"><b class="APPLICATION">KerberosIV</b></td>
</tr>
</table>
</div>

<p align="center"><small>This, and other documents, can be downloaded from <a
href="ftp://ftp.FreeBSD.org/pub/FreeBSD/doc/">ftp://ftp.FreeBSD.org/pub/FreeBSD/doc/</a>.</small></p>

<p align="center"><small>For questions about FreeBSD, read the <a
href="http://www.FreeBSD.org/docs.html">documentation</a> before contacting &#60;<a
href="mailto:questions@FreeBSD.org">questions@FreeBSD.org</a>&#62;.<br />
For questions about this documentation, e-mail &#60;<a
href="mailto:doc@FreeBSD.org">doc@FreeBSD.org</a>&#62;.</small></p>
</body>
</html>