Blocking IP Addresses with TCP Wrappers

Packet-filter firewalls can be extremely effective at blocking access based on IP addresses and port numbers, but they aren't the only tools for doing so. TCP Wrappers (covered in this section) and xinetd (covered in the upcoming section, "Enhanced xinetd Access Restrictions") are two other tools that can block access based on IP addresses. In many respects, TCP Wrappers and xinetd are less flexible tools than are packet-filter firewalls. For example, they can't block access to servers that aren't launched from a super server or designed to use them, and they can't intercept traffic targeted at or sent by clients. Nonetheless, TCP Wrappers and xinetd can do a few things that packet-filter firewalls can't do, such as log and restrict based on the remote user's username (if the remote system is running identd or an equivalent server). For these reasons and because system security is best implemented in layers, you may want to use TCP Wrappers or xinetd instead of or in addition to iptables.

TCP Wrappers is most commonly used on systems that run the inetd super server, which is described in Chapter 22. A few stand-alone servers, such as the NFS server, can use it, as well. It's possible to use TCP Wrappers in conjunction with the xinetd super server, but for the most part there's no reason to do so, because xinetd includes functionality similar to that of TCP Wrappers. Distributions that use inetd by default, and for which TCP Wrappers is therefore most important, include Debian, Slackware, and SuSE.
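As an added illustration (not from the original text), the following is what the IP- and identd-based restrictions described above look like in TCP Wrappers' two control files, /etc/hosts.allow and /etc/hosts.deny. The addresses, host names and the "backup" user are constructed for the example; the layout assumes the standard hosts_access(5) format, where hosts.allow is consulted first, a match there grants access, hosts.deny is consulted next, and a connection matching neither file is allowed.

```text
# /etc/hosts.deny -- default-deny backstop; only reached when nothing in hosts.allow matched
ALL : ALL

# /etc/hosts.allow -- checked first; the first matching line wins
# Any wrapped service may be reached from the local LAN (constructed subnet, netmask form)
ALL : 192.168.1.0/255.255.255.0
# sshd is additionally reachable from one administrative host (constructed address)
sshd : 10.0.0.5
# identd-based match: only the user "backup" on backup.example.com may use the FTP server.
# This relies on the client running identd and the result should be treated as advisory,
# since the remote system controls what its identd reports.
in.ftpd : backup@backup.example.com
```

The tcpdmatch utility shipped with TCP Wrappers (for example, `tcpdmatch sshd 10.0.0.5`) reports which rule a given service and client would hit, which is a convenient way to verify the files before relying on them.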
