Daniel wrote:
> Also any daemon application which cares to make library calls to the
> wrapper library. I build sendmail with wrapper support. This permits me
> another method for blocking spammers, especially if what I'm trying to
> block is a large subnet from a spamhaus, or some such.
Peter wrote:
> >Of course this has the same effect as a decent firewall but provides an
> >additional depth to your security.

Daniel wrote:
> I use routers for first line, ipchains for second line, and tcp wrappers
> for third line. The advantage of wrappers is the ability to deny based on
> DNS naming, including anything within a domain. Changing ACLs in the router
> is the least-preferred method since it is the most annoying to change and
> have take effect, but it does cover all systems. Changes in ipchains are
> next easier, but only IP address based (the way our setups work, at least).
> So wrappers provides a useful level too.

I think I understand. IP_chains can be considered as a first-line filter and tcp_wrappers a second? I'm guessing that incoming traffic is first processed by IP_chains and then is passed on to ports where tcp_wrappers can pick it up if you are using it. Is that right?

So I guess, since you say, Daniel, that you build sendmail with wrapper support, you must not be running sendmail with inetd *and* you don't have to explicitly invoke tcp_wrappers through a command line or something. If I am correct with these assumptions I can see how you can use an IP_chains/tcp_wrappers combination to allow access for specific IP addresses to some services on your network but not with others. That's interesting. Thanks.

Also, "tcpd". Does the 'd' mean daemon? I guess that means you can constantly run tcp_wrappers? If so then why would you have to build the support into a particular service if it can always be running anyway? Maybe I'm a little confused about that.
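To make concrete what Daniel means by denying "based on DNS naming, including anything within a domain" versus ipchains' address-only matching, here is an added example that models the hosts.allow/hosts.deny matching rules from hosts_access(5). It is not libwrap or tcpd and is not code from anyone in this thread; the real library also performs the reverse/forward DNS lookups itself, whereas this model is handed an already-resolved (hostname, address) pair and ignores the LOCAL and PARANOID wildcards and the optional shell_command field. The daemon names, domains and addresses in the sample files are constructed for illustration.

```python
"""Model of tcp_wrappers access-control matching (constructed example, not libwrap).

Covers the client patterns relevant to the thread: a domain suffix
(".spamhaus.example"), an address prefix ("192.168.1."), net/mask
("203.0.113.0/255.255.255.0"), the ALL/KNOWN/UNKNOWN wildcards and EXCEPT.
Search order follows hosts_access(5): hosts.allow first (a match grants),
then hosts.deny (a match refuses), otherwise access is granted.
"""
import ipaddress

# Constructed sample file contents; every name and address below is made up.
HOSTS_ALLOW = """
# daemon_list : client_list
# Note: EXCEPT applies to everything after it on the line, so the address
# prefix is listed before it to keep it in the "allowed" part.
sendmail : 192.168.1., .trusted.example EXCEPT bad.trusted.example
sshd     : 10.0.0.0/255.255.255.0
"""

HOSTS_DENY = """
# Refuse a whole domain by name (something an IP-only filter cannot express)
# and a /24 by net/mask, then default-deny everything that reaches this file.
sendmail : .spamhaus.example, 203.0.113.0/255.255.255.0
ALL : ALL
"""


def parse_rules(text):
    """Return [(daemon_tokens, client_tokens)] from hosts.allow/hosts.deny text."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split(":")  # a third field (shell_command) would be ignored here
        daemons = fields[0].replace(",", " ").split()
        clients = fields[1].replace(",", " ").split()
        rules.append((daemons, clients))
    return rules


def client_token_match(token, host, addr):
    """Match one client pattern against a resolved (hostname, address) pair."""
    if token == "ALL":
        return True
    if token == "KNOWN":
        return host != "unknown"
    if token == "UNKNOWN":
        return host == "unknown"
    if token.startswith("."):            # domain suffix, e.g. ".spamhaus.example"
        return host.lower().endswith(token.lower())
    if token.endswith("."):              # address prefix, e.g. "192.168.1."
        return addr.startswith(token)
    if "/" in token:                     # net/mask, e.g. "203.0.113.0/255.255.255.0"
        try:
            return ipaddress.ip_address(addr) in ipaddress.ip_network(token, strict=False)
        except ValueError:
            return False
    return token.lower() == host.lower() or token == addr


def list_match(tokens, match_one):
    """'a b EXCEPT c d' matches when (a or b) matches and (c or d) does not."""
    if "EXCEPT" in tokens:
        i = tokens.index("EXCEPT")
        return list_match(tokens[:i], match_one) and not list_match(tokens[i + 1:], match_one)
    return any(match_one(t) for t in tokens)


def rule_match(rule, daemon, host, addr):
    daemons, clients = rule
    return (list_match(daemons, lambda t: t == "ALL" or t == daemon)
            and list_match(clients, lambda t: client_token_match(t, host, addr)))


def hosts_access(daemon, host, addr, allow_text=HOSTS_ALLOW, deny_text=HOSTS_DENY):
    """True if the connection is granted, following the hosts_access(5) search order."""
    for rule in parse_rules(allow_text):
        if rule_match(rule, daemon, host, addr):
            return True
    for rule in parse_rules(deny_text):
        if rule_match(rule, daemon, host, addr):
            return False
    return True


if __name__ == "__main__":
    # Constructed connection attempts: (daemon, reverse-DNS name, client address).
    attempts = [
        ("sendmail", "mx1.trusted.example", "198.51.100.7"),
        ("sendmail", "bad.trusted.example", "198.51.100.8"),
        ("sendmail", "unknown", "192.168.1.20"),
        ("sendmail", "relay.spamhaus.example", "198.51.100.9"),
        ("sendmail", "mail.elsewhere.example", "203.0.113.77"),
        ("sshd", "unknown", "10.0.0.5"),
        ("sshd", "unknown", "10.0.1.5"),
    ]
    for daemon, host, addr in attempts:
        verdict = "grant" if hosts_access(daemon, host, addr) else "refuse"
        print(f"{daemon:9} {host:26} {addr:16} -> {verdict}")
```

The domain-suffix rule is the part ipchains cannot do: `.spamhaus.example` refuses every host whose reverse-DNS name ends in that domain regardless of address, while the net/mask rule is the address-only kind of match a packet filter could also express. Because the decision depends on the name the client's address resolves to, the real tcp_wrappers cross-checks the reverse lookup against a forward lookup and treats a mismatch as `unknown`, which is why the `UNKNOWN` wildcard exists.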
