At 01:23 PM 11/21/01, Rick Hoffman wrote:
>Daniel wrote:
> > Also any daemon application which cares to make library calls to the
> > wrapper library. I build sendmail with wrapper support. This permits me
> > another method for blocking spammers, especially if what I'm trying to
> > block is a large subnet from a spamhaus, or some such.
>
>Peter wrote:
> > >Of course this has the same effect as a decent firewall but provides an
> > >additional depth to your security.
>
>Daniel wrote:
> > I use routers for first line, ipchains for second line, and tcp wrappers
> > for third line. The advantage of wrappers is the ability to deny based on
> > DNS naming, including anything within a domain. Changing ACLs in the router
> > is the least-preferred method since it is the most annoying to change and
> > have take effect, but it does cover all systems. Changes in ipchains are
> > next easier, but only IP address based (the way our setups work, at least).
> > So wrappers provides a useful level too.
>
>I think I understand. IP_chains can be considered as like a first-line
>filter and tcp_wrappers a second? I'm guessing that incoming traffic first
>is processed by IP_chains and then is passed on to ports where tcp_wrappers
>can pick it up if you are using it. Is that right?
That's how I use it and view it. IP chains works at the packet level as packets arrive from interfaces or are delivered to interfaces. TCP Wrappers gets involved when connections are established, but is not involved on a packet-by-packet basis.

>So I guess since you say Daniel, that you build sendmail with wrapper
>support you must not be running sendmail with inetd *and* you don't have to
>explicitly invoke tcp_wrappers through a command line or something.

Any application which uses the Wrappers library can get the benefits of wrappers without having to invoke via inetd or equivalent. In the case of sendmail, running from inetd isn't really practical (it's not impossible, but really not generally done or recommended). By building with wrappers, I can explicitly allow or block whatever I wish. If I don't want to receive mail from a particular host, I can put that into /etc/hosts.allow. In reality, I could also add IP chains filters in many cases as well. In the sendmail case, I can also use the access.db within sendmail for much of this. There are many ways to approach this issue.

>If I am correct with these assumptions I can see how you can use an
>IP_chains/tcp_wrappers combination to allow access for specific IP_addresses
>to some services on your network but not with others.

Yep.

>That's interesting. Thanks.
>
>Also, "tcpd". Does the 'd' mean dameon? I guess that means you can
>constantly run tcp_wrappers? If so then why would you have to build the support into
>a particular service if it can always be running anyway? Maybe I'm a little
>confused about that.

Daemon (correcting your spelling). Yes that's what the 'd' is for. Running constantly? No. The tcpd gets launched by inetd or xinetd.

-----------------------------------------------------------------
Daniel Senie [EMAIL PROTECTED]
Amaranth Networks Inc. http://www.amaranth.com
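The two stages Daniel describes, an address-only packet filter followed by a wrappers check that can also deny by DNS name, as an added example that is not part of the thread and is not tcp_wrappers' own code. It evaluates constructed /etc/hosts.allow and /etc/hosts.deny contents with the hosts_access(5) rules (allow file first, then deny file, otherwise allow; patterns ALL, KNOWN, UNKNOWN, a leading dot for a domain suffix, a trailing dot for an address prefix, net/mask, and the EXCEPT operator). The packet rules, the addresses (documentation ranges), the domain names and the reverse-DNS table are all made up for the example; the table stands in for the PTR lookup the real library performs.

```python
"""Two-stage connection check: an ipchains-like address filter, then a
tcp_wrappers-style hosts.allow/hosts.deny decision.  Added example with
constructed rules, addresses, names and a hand-built reverse-DNS table."""
import ipaddress

# Constructed stand-ins for /etc/hosts.allow and /etc/hosts.deny.
# Format: daemon_list : client_list (the optional third field is ignored here).
HOSTS_ALLOW = """
ALL      : 192.168.1.0/255.255.255.0
ALL      : .corp.example EXCEPT guest.corp.example
sendmail : .trusted-partner.example
"""
HOSTS_DENY = """
sendmail : .spamhaus-example.net, 10.
ALL      : ALL
"""

# Constructed packet-level rules (stand-in for ipchains): addresses only,
# first match wins, default accept.
PACKET_RULES = [("DENY", ipaddress.ip_network("203.0.113.0/24"))]

# Constructed reverse-DNS table.  Real tcp_wrappers does a PTR lookup and
# can cross-check the forward lookup (PARANOID); that is not modelled.
REVERSE_DNS = {
    "192.168.1.25": "ws25.corp.example",
    "192.168.5.9": "guest.corp.example",
    "192.168.5.10": "dev.corp.example",
    "198.51.100.7": "mx.trusted-partner.example",
    "10.1.2.3": "relay1.spamhaus-example.net",
    "192.0.2.40": "host40.spamhaus-example.net",
}


def parse_rules(text):
    """Parse 'daemon_list : client_list [: ...]' lines into token lists."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split(":")
        if len(fields) < 2:
            raise ValueError("bad rule: %r" % raw)
        daemons = fields[0].replace(",", " ").split()
        clients = fields[1].replace(",", " ").split()
        rules.append((daemons, clients))
    return rules


def client_token_matches(tok, addr, host):
    """One client pattern, following the hosts_access(5) pattern rules."""
    up = tok.upper()
    if up == "ALL":
        return True
    if up == "KNOWN":
        return host is not None
    if up == "UNKNOWN":
        return host is None
    if "/" in tok:                       # net/mask: (addr & mask) == net
        net, mask = tok.split("/", 1)
        a = int(ipaddress.IPv4Address(addr))
        return a & int(ipaddress.IPv4Address(mask)) == int(ipaddress.IPv4Address(net))
    if tok.startswith("."):              # domain suffix, e.g. .spamhaus-example.net
        return host is not None and host.lower().endswith(tok.lower())
    if tok.endswith("."):                # address prefix, e.g. 10.
        return addr.startswith(tok)
    return tok == addr or (host is not None and host.lower() == tok.lower())


def list_matches(tokens, matcher):
    """Apply a token list with the EXCEPT operator: list_1 EXCEPT list_2."""
    uppers = [t.upper() for t in tokens]
    if "EXCEPT" in uppers:
        i = uppers.index("EXCEPT")
        return list_matches(tokens[:i], matcher) and not list_matches(tokens[i + 1:], matcher)
    return any(matcher(t) for t in tokens)


def hosts_access(daemon, addr, host, allow=HOSTS_ALLOW, deny=HOSTS_DENY):
    """tcp_wrappers decision: hosts.allow first, then hosts.deny, else allow."""
    def rule_hits(rules):
        return any(list_matches(d, lambda t: t.upper() == "ALL" or t == daemon)
                   and list_matches(c, lambda t: client_token_matches(t, addr, host))
                   for d, c in rules)
    if rule_hits(parse_rules(allow)):
        return True
    if rule_hits(parse_rules(deny)):
        return False
    return True


def packet_filter_accepts(addr):
    """Address-only filter, the part ipchains plays in the thread."""
    ip = ipaddress.ip_address(addr)
    for verdict, net in PACKET_RULES:
        if ip in net:
            return verdict == "ACCEPT"
    return True


def check_connection(daemon, addr):
    """Where a connection is decided: packet filter, wrappers, or accepted."""
    if not packet_filter_accepts(addr):
        return "denied:packet-filter"
    host = REVERSE_DNS.get(addr)          # None plays the role of UNKNOWN
    return "accepted" if hosts_access(daemon, addr, host) else "denied:wrappers"


if __name__ == "__main__":
    for daemon, addr in [("sendmail", "203.0.113.9"), ("sendmail", "192.0.2.40"),
                         ("sendmail", "198.51.100.7"), ("in.telnetd", "192.168.5.9")]:
        print(daemon, addr, "->", check_connection(daemon, addr))
```

The point the thread makes shows up in the spamhaus-example.net entries: its two hosts sit in unrelated netblocks (10.1.2.3 and 192.0.2.40), so an address-only filter would need a rule per block, while the one `.spamhaus-example.net` suffix in hosts.deny catches both, and only for sendmail. Netgroups, the daemon@host form, CIDR prefix lengths, the options extension and the PARANOID check are left out of this simplified matcher.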
