Friday, February 19, 2010

tcp_wrappers hostfile_match

TCP Wrapper, written by Wietse Venema known for his work Postfix, is used by many service daemons on Unix to allow or deny access based on the host that initiates the connection to the service. You specify the client origin to be matched by inverse domain name lookup, by its IP address, or by its netgroup membership. It is present on many unices, such as Linux, BSD, as well as Mac OS X. Furthermore, on some unices such as FreeBSD, NetBSD, and Red Hat Linux, tcp wrapper supports specifying a file in place of the client match pattern list. This allows you to put a list of client matches in a separate file, avoiding clutter in the host access control list.

Here is a little known secret. The official tcp_wrappers_7.6.tar.gz---the latest, which had not been updated since 1997---did not support this feature. The feature apparently first appeared in FreeBSD. However, most prominently, neither Mac OS X nor OpenBSD support it. Most distributions have their own patch set to add modern features to tcp wrapper, such as IPv6 support and various bug fixes, but these patch sets never made it to upstream. IPv6 support was introduced in a fork created by Casper Dik, endorsed by Wietse but packaged separately. This fork does not have the file match feature.

To tell if your system supports the file match feature, find the tcp wrapper source file for your distribution, and look for the function hostfile_match in hosts_access.c. You might find it easier to check your man 5 hosts_access and see if it mentions "a string that begins with a '/' character is treated as a file name."

Update (9/26/2012): according to opensource.apple.com, tcp_wrappers is present up to Mac OS X 10.7.4 but appears to be missing from 10.8. Also, the proper syntax for IPv6 address/netmask is [fe80::/10], not [fe80::]/10.

No comments: