HP-UX Internet Services Administrator's Guide (May 2010)

Access Control
TCP wrappers uses the files /etc/hosts.allow and /etc/hosts.deny as Access
Control Lists (ACLs). These access control files match the client and server
entries against the service request. They are based on pattern matching and can be
extended with optional extensions, such as spawning a shell command when a rule matches.
Each access control file consists of a set of access control rules for the different services
that use tcpd.
An access control rule is of the following form:
daemon_list:client_list:option:option:...
daemon_list
Specifies the list of daemons.
client_list
Specifies the list of clients for which the access control rule is
applicable. Each list is a set of items separated by a space. A client
in the client_list specifies the name or address of a host
requesting a service.
option
Specifies a list of options. Options are separated by a colon.
The access control files are /etc/hosts.allow and /etc/hosts.deny. If you do
not create these files and specify the daemon-client pairs that grant or deny access,
access control is disabled. The access control module reads these files in the following
order before granting or denying access to any service:
1. The /etc/hosts.allow file – If a daemon-client pair matches an entry in this
file, access is granted.
2. The /etc/hosts.deny file – If a daemon-client pair matches an entry in this file,
access is denied.
3. If a daemon-client pair match is not found in either of the access control files, access
is granted.
Following are examples of different entries in the files /etc/hosts.allow and
/etc/hosts.deny:
1. To grant access to the ftp service to all the users, specify the following entry in
the /etc/hosts.allow file:
ftpd:ALL
2. To deny access to the host blue.rainbow.com and all hosts in the domain
rainbow.com to all the services, specify the following entry in the
/etc/hosts.deny file:
ALL:blue.rainbow.com, .rainbow.com
3. To grant the telnet service to all the hosts in the domain xyz.com except the
host abc.xyz.com, specify the following entry in the /etc/hosts.allow file:
telnetd:.xyz.com EXCEPT abc.xyz.com
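The following is an added example, not code from the HP-UX guide: a small Python evaluator that applies the three-step decision order above to the three sample entries. It handles only the pattern forms the text shows (ALL, exact host names, leading-dot domain suffixes, and EXCEPT) and ignores the option fields; the file contents are constructed for the example.

```python
# Constructed sample files mirroring the guide's three example entries.
HOSTS_ALLOW = """\
ftpd:ALL
telnetd:.xyz.com EXCEPT abc.xyz.com
"""
HOSTS_DENY = """\
ALL:blue.rainbow.com, .rainbow.com
"""

def _split_list(text):
    """Split a daemon or client list on blanks and commas."""
    return text.replace(",", " ").split()

def _item_matches(pattern, name):
    if pattern == "ALL":
        return True
    if pattern.startswith("."):          # domain suffix, e.g. .xyz.com
        return name.endswith(pattern)
    return pattern == name               # exact daemon or host name

def _list_matches(list_text, name):
    """Evaluate 'items EXCEPT items': first list minus the second list."""
    parts = list_text.split(" EXCEPT ", 1)
    included = any(_item_matches(p, name) for p in _split_list(parts[0]))
    excluded = len(parts) > 1 and any(
        _item_matches(p, name) for p in _split_list(parts[1]))
    return included and not excluded

def _file_matches(content, daemon, client):
    """True if any rule in the file matches the daemon-client pair."""
    for line in content.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")          # daemon_list:client_list:option...
        if len(fields) < 2:
            continue
        if _list_matches(fields[0], daemon) and _list_matches(fields[1], client):
            return True
    return False

def access_granted(daemon, client, allow=HOSTS_ALLOW, deny=HOSTS_DENY):
    """Steps 1-3 from the guide: allow file, then deny file, then default grant."""
    if _file_matches(allow, daemon, client):
        return True
    if _file_matches(deny, daemon, client):
        return False
    return True
```

Note that `access_granted("telnetd", "abc.xyz.com")` returns True: EXCEPT in /etc/hosts.allow only withholds the grant, and because no /etc/hosts.deny entry covers abc.xyz.com, step 3 grants access anyway. To actually block hosts that are not explicitly allowed, add a catch-all entry such as `ALL:ALL` to /etc/hosts.deny.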
38 TCP Wrappers