source: basicnet/netprogs/tcpwrappers.xml@ 0aeb696

<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE sect1 PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
   "http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd" [
  <!ENTITY % general-entities SYSTEM "../../general.ent">
  %general-entities;

    <!-- Inserted as a reminder to do this. The mention of a test suite
         is usually right before the root user installation commands. Please
         delete these 12 (including one blank) lines after you are done.-->

    <!-- Use one of the two mentions below about a test suite,
         delete the line that is not applicable. Of course, if the
         test suite uses syntax other than "make check", revise the
         line to reflect the actual syntax to run the test suite -->

    <!-- <para>This package does not come with a test suite.</para> -->
    <!-- <para>To test the results, issue: <command>make check</command>.</para> -->

  <!ENTITY tcpwrappers-download-http "http://files.ichilton.co.uk/nfs/tcp_wrappers_&tcpwrappers-version;.tar.gz">
  <!ENTITY tcpwrappers-download-ftp  "ftp://ftp.porcupine.org/pub/security/tcp_wrappers_&tcpwrappers-version;.tar.gz">
  <!ENTITY tcpwrappers-md5sum        "e6fa25f71226d090f34de3f6b122fb5a">
  <!ENTITY tcpwrappers-size          "97 KB">
  <!ENTITY tcpwrappers-buildsize     "1.09 MB">
  <!ENTITY tcpwrappers-time          "0.03 SBU">
]>

<sect1 id="tcpwrappers" xreflabel="tcpwrappers-&tcpwrappers-version;">
  <?dbhtml filename="tcpwrappers.html"?>

  <sect1info>
    <othername>$LastChangedBy$</othername>
    <date>$Date$</date>
    <keywordset>
      <keyword role="package">tcp_wrappers_&tcpwrappers-version;.tar</keyword>
      <keyword role="ftpdir">tcp_wrappers</keyword>
    </keywordset>
  </sect1info>

  <title>Tcpwrappers-&tcpwrappers-version;</title>

  <indexterm zone="tcpwrappers">
   <primary sortas="a-Tcpwrappers">Tcpwrappers</primary>
  </indexterm>

  <sect2 role="package">
    <title>Introduction to Tcpwrappers</title>

      <para>The <application>tcpwrappers</application> package provides daemon
      wrapper programs that report the name of the client requesting network
      services and the requested service.</para>

    <bridgehead renderas="sect3">Package Information</bridgehead>
    <itemizedlist spacing="compact">
      <listitem>
        <para>Download (HTTP): <ulink url="&tcpwrappers-download-http;"/></para>
      </listitem>
      <listitem>
        <para>Download (FTP): <ulink url="&tcpwrappers-download-ftp;"/></para>
      </listitem>
      <listitem>
        <para>Download MD5 sum: &tcpwrappers-md5sum;</para>
      </listitem>
      <listitem>
        <para>Download size: &tcpwrappers-size;</para>
      </listitem>
      <listitem>
        <para>Estimated disk space required: &tcpwrappers-buildsize;</para>
      </listitem>
      <listitem>
        <para>Estimated build time: &tcpwrappers-time;</para>
      </listitem>
    </itemizedlist>

    <bridgehead renderas="sect3">Additional Downloads</bridgehead>
    <itemizedlist spacing='compact'>
      <listitem>
        <para>Required Patch (Fixes some build issues and adds building of a
        shared library): <ulink
        url="&patch-root;/tcp_wrappers-&tcpwrappers-version;-shared_lib_plus_plus-1.patch"/></para>
      </listitem>
    </itemizedlist>

    <para condition="html" role="usernotes">User Notes:
    <ulink url="&blfs-wiki;/tcpwrappers"/></para>

  </sect2>

  <sect2 role="installation">
    <title>Installation of Tcpwrappers</title>

    <para>Install <application>tcpwrappers</application> with the following
    commands:</para>

<screen><userinput>patch -Np1 -i ../tcp_wrappers-&tcpwrappers-version;-shared_lib_plus_plus-1.patch &amp;&amp;
sed -i -e "s,^extern char \*malloc();,/* &amp; */," scaffold.c &amp;&amp;
make REAL_DAEMON_DIR=/usr/sbin STYLE=-DPROCESS_OPTIONS linux</userinput></screen>

    <para>Now, as the <systemitem class="username">root</systemitem> user:</para>

<screen role="root"><userinput>make install</userinput></screen>

  </sect2>

  <sect2 role="commands">
    <title>Command Explanations</title>

    <para><command>sed -i -e ... scaffold.c</command>: This command removes an
    obsolete C declaration which causes the build to fail if using
    <application>GCC-3.4.x</application>.</para>

  </sect2>

  <sect2 role="configuration">
    <title>Configuring Tcpwrappers</title>

    <sect3 id="tcpwrappers-config">
      <title>Config Files</title>

      <para><filename>/etc/hosts.allow</filename> and
      <filename>/etc/hosts.deny</filename></para>

      <indexterm zone="tcpwrappers tcpwrappers-config">
        <primary sortas="e-etc-hosts.allow">/etc/hosts.allow</primary>
      </indexterm>

      <indexterm zone="tcpwrappers tcpwrappers-config">
        <primary sortas="e-etc-hosts.deny">/etc/hosts.deny</primary>
      </indexterm>

      <para>File protections: the wrapper, all files used by the wrapper,
      and all directories in the path leading to those files, should be
      accessible but not writable for unprivileged users (mode 755 or mode
      555). Do not install the wrapper set-uid.</para>

      <para>As the <systemitem class="username">root</systemitem> user,
      perform the following edits on the
      <filename>/etc/inetd.conf</filename> configuration file:</para>

      <indexterm zone="tcpwrappers tcpwrappers-config">
        <primary sortas="e-etc-inetd.conf">/etc/inetd.conf</primary>
      </indexterm>

<screen><literal>finger stream tcp nowait nobody /usr/sbin/in.fingerd in.fingerd</literal></screen>

      <para>becomes:</para>

<screen><literal>finger stream tcp nowait nobody /usr/sbin/tcpd in.fingerd</literal></screen>

      <note>
        <para>The <command>finger</command> server is used as an example here.</para>
      </note>

      <para>Similar changes must be made if <application>xinetd</application> is
      used, with the emphasis being on calling <command>/usr/sbin/tcpd</command>
      instead of calling the service daemon directly, and passing the name of the
      service daemon to <command>tcpd</command>.</para>

      <indexterm zone="tcpwrappers tcpwrappers-config">
        <primary sortas="e-etc-xinetd.conf">/etc/xinetd.conf</primary>
      </indexterm>

    </sect3>

  </sect2>

  <sect2 role="content">
    <title>Contents</title>

    <segmentedlist>
      <segtitle>Installed Programs</segtitle>
      <segtitle>Installed Library</segtitle>
      <segtitle>Installed Directories</segtitle>

      <seglistitem>
        <seg>tcpd, tcpdchk, tcpdmatch, try-from, and safe_finger</seg>
        <seg>libwrap.{so,a}</seg>
        <seg>None</seg>
      </seglistitem>
    </segmentedlist>

    <variablelist>
      <bridgehead renderas="sect3">Short Descriptions</bridgehead>
      <?dbfo list-presentation="list"?>
      <?dbhtml list-presentation="table"?>

      <varlistentry id="tcpd">
        <term><command>tcpd</command></term>
        <listitem>
          <para>is the main access control daemon for all Internet services,
          which <command>inetd</command> or <command>xinetd</command>
          will run instead of running the requested service daemon.</para>
          <indexterm zone="tcpwrappers tcpd">
            <primary sortas="b-tcpd">tcpd</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="tcpdchk">
        <term><command>tcpdchk</command></term>
        <listitem>
          <para>is a tool to examine a <command>tcpd</command> wrapper
          configuration and report problems with it.</para>
          <indexterm zone="tcpwrappers tcpdchk">
            <primary sortas="b-tcpdchk">tcpdchk</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="tcpdmatch">
        <term><command>tcpdmatch</command></term>
        <listitem>
          <para>is used to predict how the TCP wrapper
          would handle a specific request for a service.</para>
          <indexterm zone="tcpwrappers tcpdmatch">
            <primary sortas="b-tcpdmatch">tcpdmatch</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="try-from">
        <term><command>try-from</command></term>
        <listitem>
          <para>can be called via a remote shell command to find out if the
          host name and address are properly recognized.</para>
          <indexterm zone="tcpwrappers try-from">
            <primary sortas="b-try-from">try-from</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="safe_finger">
        <term><command>safe_finger</command></term>
        <listitem>
          <para>is a wrapper for the <command>finger</command> utility, to
          provide automatic reverse name lookups.</para>
          <indexterm zone="tcpwrappers safe_finger">
            <primary sortas="b-safe_finger">safe_finger</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="libwrap">
        <term><filename class='libraryfile'>libwrap.{so,a}</filename></term>
        <listitem>
          <para>contains the API functions required by
          the <application>tcpwrappers</application> programs as well as other programs
          to become <quote><application>tcpwrappers</application>-aware</quote>.</para>
          <indexterm zone="tcpwrappers libwrap">
            <primary sortas="c-libwrap">libwrap.{so,a}</primary>
          </indexterm>
        </listitem>
      </varlistentry>

    </variablelist>

  </sect2>

</sect1>