Firewalls: Filtering IP Packets

TCP wrappers can restrict the set of hosts allowed to connect to certain services on a machine, but in many cases it is desirable to exert finer-grained control over the packets that can enter (or leave!) a given system. TCP wrappers also only cover services started through inetd or xinetd (or daemons explicitly built to consult the wrapper library); some services, such as sshd on some systems, run "standalone" and provide their own access control features. Still other services implement no access control at all, so another layer of protection is needed if we wish to control the connections made to them.

Today it is commonplace for Internet users to protect themselves against network-based attacks using a technique called IP filtering. With IP filtering, the kernel inspects each network packet that is transmitted or received and decides whether to let it pass, to throw it away, or to modify it in some way before allowing it through. IP filtering is often called "firewalling," because by carefully filtering the packets entering or leaving a machine you are building a "firewall" between the system and the rest of the Internet. IP filtering won't protect you against viruses, Trojan horses or application defects, since it looks at packet headers rather than at what a service does with the data, but it can protect you against many forms of network-based attack, such as certain types of DoS attacks and IP spoofing (packets that are marked as coming from a system they don't really ...
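The following script is an added example (not code from Running Linux) showing how the accept/drop decisions described above are written as Linux netfilter rules with iptables: a default-deny policy, anti-spoofing rules in both directions, connection-tracking rules for replies, and a rule that restricts sshd to one network, doing for a standalone daemon what TCP wrappers do for an inetd service. The interface name eth0, the host address 203.0.113.10 and the admin network 198.51.100.0/24 are assumed placeholder values (the latter two from the RFC 5737 documentation ranges), not values from the book.

```shell
#!/bin/sh
# Added example: a minimal host firewall expressed as iptables rules.
# EXT_IF, MY_ADDR and ADMIN_NET are assumptions for illustration; override
# them in the environment to match a real host.
EXT_IF="${EXT_IF:-eth0}"                   # interface facing the Internet (assumed)
MY_ADDR="${MY_ADDR:-203.0.113.10}"         # this host's public address (assumed)
ADMIN_NET="${ADMIN_NET:-198.51.100.0/24}"  # network allowed to reach sshd (assumed)

# build_rules prints one iptables command per line instead of executing it,
# so the policy can be reviewed without root and then applied with apply_rules.
build_rules() {
    # Start from a clean slate, then make "drop" the default in every direction:
    # anything not explicitly accepted below never reaches a service.
    echo "iptables -F"
    echo "iptables -P INPUT DROP"
    echo "iptables -P FORWARD DROP"
    echo "iptables -P OUTPUT DROP"

    # Traffic on the loopback interface is local and always allowed.
    echo "iptables -A INPUT -i lo -j ACCEPT"
    echo "iptables -A OUTPUT -o lo -j ACCEPT"

    # Anti-spoofing (ingress): a packet arriving from the Internet must not
    # claim a private (RFC 1918), loopback, or our own source address.
    # Rules are matched first-to-last, so these sit before any ACCEPT rule.
    for net in 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 127.0.0.0/8 "$MY_ADDR"; do
        echo "iptables -A INPUT -i $EXT_IF -s $net -j DROP"
    done
    # Anti-spoofing (egress, RFC 2827): never send a packet whose source
    # address is not ours, so this host cannot be used to spoof others.
    echo "iptables -A OUTPUT -o $EXT_IF ! -s $MY_ADDR -j DROP"

    # Let replies to connections this host initiated back in, and let the
    # host open new connections outward (connection tracking does the bookkeeping).
    echo "iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT"

    # sshd is a standalone daemon, so restrict it here rather than with TCP
    # wrappers: only new connections from the admin network reach port 22.
    echo "iptables -A INPUT -i $EXT_IF -p tcp -s $ADMIN_NET --dport 22 -m state --state NEW -j ACCEPT"

    # Log what remains (rate-limited so a flood cannot fill the logs), then drop it.
    echo "iptables -A INPUT -m limit --limit 5/min -j LOG --log-prefix 'FW DROP: '"
    echo "iptables -A INPUT -j DROP"
}

# apply_rules executes the generated commands; it must be run as root on the
# target host, preferably from the console in case a rule locks you out.
apply_rules() {
    build_rules | sh
}

# count_drops returns the number of explicit DROP rules, a quick sanity check
# that the anti-spoofing and catch-all rules were generated.
count_drops() {
    build_rules | grep -c -- '-j DROP'
}
```

Run `sh firewall.sh` after appending a line calling `build_rules` to review the policy, and call `apply_rules` as root to install it. Because the rules are matched in order, the anti-spoofing DROP rules are emitted before the ESTABLISHED,RELATED ACCEPT rule; reversing them would let a spoofed packet that happens to match an existing connection through.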

Get Running Linux, Fourth Edition now with the O’Reilly learning platform.