Putting It All Together: An Example

The following examples use DNS hostnames for clarity. However, in general, it is more secure to use TCP Wrappers with explicit IP addresses.

Suppose that you want to allow all connections to your computer, except those from the computers in the domain pirate.net, with a simple /etc/hosts.allow file. Specify:

#
# /etc/hosts.allow:
#
# Allow anybody to connect to our machine except people from pirate.net.
#
all : .pirate.net : deny
all : all         : allow

Suppose that you want to modify your rules to allow the use of finger from any of your internal machines, but you want to have external finger requests met with a canned message. You might try this configuration file:

#
# /etc/hosts.allow:
#
# Allow finger from internal machines; give banner to others.
# Otherwise, allow anybody to connect except people from pirate.net.
#
#
in.fingerd : LOCAL : allow
in.fingerd : all : twist /usr/local/bin/external_fingerd_message
all : .pirate.net : deny
all : all : allow

If you don’t want to allow pirate.net hosts to finger at all, reverse the order of the second and third rule so that the rules denying pirate.net hosts would match first.

If you discover repeated break-in attempts through telnet and rlogin from all over the world, but you have a particular user who needs to telnet into your computer from the host sleepy.com, you could accomplish this somewhat more complex security requirement with the following configuration file:

# # /etc/hosts.allow: # # Allow email from ...

Get Practical UNIX and Internet Security, 3rd Edition now with O’Reilly online learning.

O’Reilly members experience live online training, plus books, videos, and digital content from 200+ publishers.