TCP Wrappers

TCP Wrappers

Post by Sanjay Adhikar » Sat, 15 Apr 2000 04:00:00



Is tcp wrapper software the same as ipchains? Could someone explain the
functionality of tcp wrapper, in case it is different from ipchains?

Sanjay

 
 
 

TCP Wrappers

Post by PC.. » Sat, 15 Apr 2000 04:00:00



> Is tcp wrapper software the same as ipchains? Could someone explain the
> functionality of tcp wrapper, in case it is different from ipchains?

tcp wrappers is a program that checks who the remote host is, and decides
whether or not to allow it to connect to the daemon it's protecting. This
is different from ipchains in that you can allow or deny access on a
per-daemon basis. ipchains will deny all packets to or from a host if you set
it up that way, whereas tcp wrappers only concerns incoming connections.

-- PC^God --

 
 
 

TCP Wrappers

Post by Amit Muth » Sun, 16 Apr 2000 04:00:00



> tcp wrappers is a program that checks who the remote host is, and decides
> whether or not to allow it to connect to the daemon it's protecting. This
> is different from ipchains in that you can allow or deny access on a
> per-daemon basis. ipchains will deny all packets to or from a host if you set
> it up that way, whereas tcp wrappers only concerns incoming connections.

Of course you can configure ipchains to deny or reject connections from
certain hosts and/or networks to certain ports (or, more usually, from all
except certain networks and/or certain hosts to certain ports). It is
inherently more secure than tcp wrappers alone, because not all daemons
are compiled to use tcp wrappers, whereas ipchains, operating at the
kernel level, is not bothered about what the daemon thinks...
 
 
 

TCP Wrappers

Post by Tim Hayn » Sun, 16 Apr 2000 04:00:00




> > tcp wrappers is a program that checks who the remote host is, and
> > decides whether or not to allow it to connect to the daemon it's
> > protecting. This is different from ipchains in that you can allow or
> > deny access on a per-daemon basis. ipchains will deny all packets to or
> > from a host if you set it up that way, whereas tcp wrappers only
> > concerns incoming connections.

> Of course you can configure ipchains to deny or reject connections from
> certain hosts and/or networks to certain ports, (or more usually from all
> except certain networks and/or certain hosts to certain ports). It is
> inherently more secure than tcp wrappers alone, because not all daemons
> are compiled to use tcp wrappers, whereas ipchains, operating at the
> kernel level, is not bothered on what the daemon thinks...

I was going to say, 'tcp wrappers' is not just a program, it's a library...

As well as all the above, tcp wrappers allow you to do per-user checking
with identd (eurgh - especially as identd normally runs under tcpd too!!)
and execute commands when tripped, neither of which ipchains does.

Stupid question: is there any kind of application firewall for linux other
than tcpd as above, e.g. something that can grok http and telnet and X to
non-standard ports?

~Tim
--
| Geek Code: GCS dpu s-:+ a-- C++++ UBLUAVHSC++++ P+++ L++ E--- W+++(--) N++
| w--- O- M-- V-- PS PGP++ t--- X+(-) b D+ G e++(*) h++(*) r--- y-          
| The sun is melting over the hills,         | http://piglet.is.dreaming.org/

 
 
 

TCP Wrappers

Post by fuzz » Mon, 17 Apr 2000 04:00:00


> Stupid question: is there any kind of application firewall for linux other
> than tcpd as above, e.g. something that can grok http and telnet and X to
> non-standard ports?

> ~Tim
> --

ipmasqadm....
 
 
 

TCP Wrappers

Post by Mike Tatro » Mon, 17 Apr 2000 04:00:00


fuzzy spewed forth:

>> Stupid question: is there any kind of application firewall for linux other
>> than tcpd as above, e.g. something that can grok http and telnet and X to
>> non-standard ports?

>> ~Tim
>> --

f>ipmasqadm....

IIRC, tcp wrappers can be used on any daemon that's started by inetd.  Which
generally *isn't* httpd or X.  But I think it's irrelevant what port the
daemon is listening on.  Or am I misreading the question and you *aren't*
asking about telnetd listening on something other than 23?

--
"Human beings, who are almost unique in having the ability to learn from
the experience of others, are also remarkable for their apparent
disinclination to do so."
                  -Douglas Adams
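To make Amit's point about the two layers concrete, and Mike's point about what tcpd actually gets to see, here is an added Python model. It is not code from ipchains, inetd or tcp_wrappers, and the inetd.conf lines, the ipchains rules, the port table and the packets are all constructed sample data. The rules use ipchains' own form, where a port follows the address it qualifies (-s addr/mask [port], -d addr/mask [port]) and -y matches only TCP SYN packets; --dport is iptables syntax and does not exist in ipchains. The model shows that a host blocked in the input chain never reaches any daemon, while a hosts.deny entry is never even consulted for httpd or for an inetd service whose server field is not tcpd.

```python
"""Toy model of the two layers the thread compares: the kernel packet filter
sees every packet and decides by address and port; tcpd only sees the
services that inetd starts through it.  Added example, all data constructed."""
import ipaddress

# Constructed /etc/inetd.conf.  A service is wrapped only when its server
# field is tcpd; tcpd's first argument is the real daemon it will exec.
INETD_CONF = """
telnet  stream  tcp  nowait  root    /usr/sbin/tcpd        in.telnetd
ftp     stream  tcp  nowait  root    /usr/sbin/tcpd        in.ftpd
finger  stream  tcp  nowait  nobody  /usr/sbin/in.fingerd  in.fingerd
"""
SERVICES = {"telnet": 23, "ftp": 21, "finger": 79}    # subset of /etc/services
STANDALONE = {80: "httpd", 5432: "postmaster"}        # not started by inetd at all

# Constructed input chain in ipchains syntax.  First matching rule wins; the
# chain policy applies when nothing matches.
IPCHAINS_INPUT = [
    "-A input -p tcp -y -s 10.0.0.0/24 -d 0.0.0.0/0 23 -j ACCEPT",
    "-A input -p tcp -y -d 0.0.0.0/0 23 -j DENY",
    "-A input -p tcp -y -s 172.16.0.0/12 -j DENY",
]
INPUT_POLICY = "ACCEPT"


def parse_ipchains(cmd):
    """Parse the subset of ipchains options used above into a rule dict."""
    rule = {"chain": None, "proto": None, "src": None, "sport": None,
            "dst": None, "dport": None, "syn": False, "target": None}
    t = cmd.split()
    i = 0
    while i < len(t):
        tok = t[i]
        if tok in ("-A", "-p", "-j"):
            rule[{"-A": "chain", "-p": "proto", "-j": "target"}[tok]] = t[i + 1]
            i += 2
        elif tok in ("-s", "-d"):
            side = "src" if tok == "-s" else "dst"
            rule[side] = ipaddress.ip_network(t[i + 1], strict=False)
            i += 2
            if i < len(t) and not t[i].startswith("-"):      # optional port or lo:hi
                lo, _, hi = t[i].partition(":")
                rule["sport" if side == "src" else "dport"] = (int(lo), int(hi or lo))
                i += 1
        elif tok == "-y":                                     # SYN-only match
            rule["syn"] = True
            i += 1
        else:
            raise ValueError(f"unsupported ipchains option {tok}")
    return rule


def rule_matches(rule, pkt):
    if rule["proto"] and rule["proto"] != pkt["proto"]:
        return False
    for side in ("src", "dst"):
        if rule[side] is not None and ipaddress.ip_address(pkt[side]) not in rule[side]:
            return False
    for key in ("sport", "dport"):
        if rule[key] is not None and not rule[key][0] <= pkt[key] <= rule[key][1]:
            return False
    return pkt["syn"] or not rule["syn"]


def input_chain(pkt, rules=IPCHAINS_INPUT, policy=INPUT_POLICY):
    """Kernel-level verdict: ACCEPT, DENY or REJECT, before any daemon runs."""
    for rule in map(parse_ipchains, rules):
        if rule_matches(rule, pkt):
            return rule["target"]
    return policy


def parse_inetd(text):
    """port -> (daemon, wrapped) for the tcp services inetd listens on."""
    listeners = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        service, _sock, proto, _wait, _user, server, *args = line.split()
        if proto != "tcp":
            continue
        wrapped = server.rsplit("/", 1)[-1] == "tcpd"
        daemon = args[0] if wrapped else server.rsplit("/", 1)[-1]
        listeners[SERVICES[service]] = (daemon, wrapped)
    return listeners


def make_pkt(src, dport, syn=True, dst="10.0.0.1", sport=40000):
    return {"proto": "tcp", "src": src, "dst": dst, "sport": sport, "dport": dport, "syn": syn}


def deliver(pkt, rules=IPCHAINS_INPUT, inetd_text=INETD_CONF):
    """Where a packet ends up: dropped in the kernel, refused for lack of a
    listener, checked by tcpd, or handed straight to an unwrapped daemon."""
    verdict = input_chain(pkt, rules)
    if verdict != "ACCEPT":
        return f"{verdict} by ipchains"
    listeners = {p: (d, False) for p, d in STANDALONE.items()}
    listeners.update(parse_inetd(inetd_text))
    if pkt["dport"] not in listeners:
        return "no listener"
    daemon, wrapped = listeners[pkt["dport"]]
    if wrapped:
        return f"{daemon} via tcpd: hosts.allow/hosts.deny consulted"
    return f"{daemon} directly: hosts.deny never consulted"
```

Calling deliver(make_pkt("192.0.2.7", 80)) lands on httpd with no tcpd in the path, while deliver(make_pkt("192.0.2.7", 23)) is denied in the kernel before in.telnetd or tcpd is ever started. Note also that a non-SYN packet to port 23 passes the -y rules; that is by design, since -y is meant to stop connection setup only.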

 
 
 

TCP Wrappers

Post by David Malo » Mon, 17 Apr 2000 04:00:00



>Of course you can configure ipchains to deny or reject connections from
>certain hosts and/or networks to certain ports, (or more usually from all
>except certain networks and/or certain hosts to certain ports). It is
>inherently more secure than tcp wrappers alone, because not all daemons
>are compiled to use tcp wrappers, whereas ipchains, operating at the
>kernel level, is not bothered on what the daemon thinks...

tcpwrappers can do things which (AFAIK) ipchains can't do.  First it
can base actions on the results of DNS lookups if you so desire -
so you can reject connections from people who don't have reverse
DNS entries. Second, it can do ident lookups and log the result of
the lookup for you. It can also set environment variables or run
other programs in response to matched connections. Finally, it can
do uniform logging of all connections to daemons run from inetd.

Packet filtering and tcp wrappers do similar jobs at different
levels and are more of a complement to one another than alternatives.

        David.
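The per-daemon decision PC describes, together with the reverse-DNS, ident and run-a-program features David lists, modelled in Python as an added example; this is not tcp_wrappers' own code. The DNS table, both rule files and the client addresses are constructed sample data. The third field of each rule follows the hosts_options(5) "spawn" form (the plain tcpd build treats that field as a shell command with no keyword), and the PARANOID check is written as a hosts.deny rule so the decision is visible, whereas a default tcpd build refuses such clients before it reads either file.

```python
"""Model of the decision tcpd makes from /etc/hosts.allow and /etc/hosts.deny
(hosts_access(5) with the hosts_options(5) 'spawn' extension).  Added example,
not tcp_wrappers code; DNS table, rule files and clients are constructed."""
import ipaddress

# Constructed stand-in for the resolver: PTR (addr -> name) and A (name -> addr).
# 10.0.0.77 has a PTR whose name resolves elsewhere, the spoofing case tcpd calls
# PARANOID.  10.0.0.200 has no PTR at all: UNKNOWN.
PTR = {"10.0.0.5": "trusted.example.net", "10.0.0.9": "banned.example.net",
       "10.0.0.77": "liar.example.net", "127.0.0.1": "localhost"}
A = {"trusted.example.net": "10.0.0.5", "banned.example.net": "10.0.0.9",
     "liar.example.net": "10.0.0.99", "localhost": "127.0.0.1"}

# Constructed rule files.  Format: daemon_list : client_list [: spawn command]
HOSTS_ALLOW = """
ALL        : LOCAL
in.telnetd : 10.0.0. EXCEPT 10.0.0.9 : spawn /usr/bin/logger -t tcpd %d accepted %c
in.fingerd : 192.168.0.0/255.255.0.0 .example.net
"""
HOSTS_DENY = """
ALL : PARANOID UNKNOWN : spawn /usr/bin/logger -t tcpd %d refused untrusted %a
ALL : ALL              : spawn /usr/bin/logger -t tcpd %d refused %c
"""


def resolve(addr):
    """Return (hostname, paranoid).  tcpd does the PTR lookup, then checks that
    the name's forward lookup maps back to the address; a mismatch is PARANOID."""
    name = PTR.get(addr)
    if name is None:
        return None, False                  # UNKNOWN host
    return name, A.get(name) != addr


def client_matches(pat, addr, name, paranoid):
    """One client_list pattern against one client, following hosts_access(5)."""
    if pat == "ALL":
        return True
    if pat == "LOCAL":                      # host name without a dot
        return name is not None and "." not in name
    if pat == "KNOWN":
        return name is not None and not paranoid
    if pat == "UNKNOWN":
        return name is None
    if pat == "PARANOID":
        return paranoid
    if pat.startswith("."):                 # domain suffix, e.g. .example.net
        return name is not None and name.endswith(pat)
    if pat.endswith("."):                   # address prefix, e.g. 10.0.0.
        return addr.startswith(pat)
    if "/" in pat:                          # net/mask, e.g. 192.168.0.0/255.255.0.0
        return ipaddress.ip_address(addr) in ipaddress.ip_network(pat, strict=False)
    return pat in (addr, name)              # literal host name or address


def list_matches(tokens, match_one):
    """'a b EXCEPT c' matches when the left side does and the right side does
    not; EXCEPT nests to the right: a EXCEPT b EXCEPT c == a EXCEPT (b EXCEPT c)."""
    if "EXCEPT" in tokens:
        i = tokens.index("EXCEPT")
        return list_matches(tokens[:i], match_one) and not list_matches(tokens[i + 1:], match_one)
    return any(match_one(t) for t in tokens)


def parse_rules(text):
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        fields = [f.strip() for f in line.split(":", 2)]
        if len(fields) < 2:
            continue                        # tcpd logs a syntax error and skips
        options = fields[2] if len(fields) == 3 else ""
        rules.append((fields[0].split(), fields[1].split(), options))
    return rules


def hosts_access(daemon, addr, user=None, allow_text=HOSTS_ALLOW, deny_text=HOSTS_DENY):
    """Return (allowed, spawn_command).  Order is tcpd's: first match in
    hosts.allow grants, else first match in hosts.deny refuses, else allow.
    'user' stands in for an ident (RFC 1413) reply; None means no ident."""
    name, paranoid = resolve(addr)
    host = name or addr
    expansions = {"%a": addr, "%h": host, "%d": daemon,
                  "%u": user or "unknown", "%c": f"{user}@{host}" if user else host}

    def expand(cmd):
        for key, value in expansions.items():
            cmd = cmd.replace(key, value)
        return cmd

    for verdict, rules in ((True, parse_rules(allow_text)), (False, parse_rules(deny_text))):
        for daemons, clients, options in rules:
            if list_matches(daemons, lambda d: d in ("ALL", daemon)) and \
               list_matches(clients, lambda c: client_matches(c, addr, name, paranoid)):
                spawn = expand(options[len("spawn"):].strip()) if options.startswith("spawn") else None
                return verdict, spawn
    return True, None                       # no rule matched: tcpd allows


if __name__ == "__main__":
    for args in (("in.telnetd", "10.0.0.5", "alice"), ("in.telnetd", "10.0.0.9"),
                 ("in.fingerd", "10.0.0.9"), ("in.ftpd", "10.0.0.77"), ("in.ftpd", "10.0.0.200")):
        print(args, "->", hosts_access(*args))
```

The same client 10.0.0.9 is refused by in.telnetd (the EXCEPT) but accepted by in.fingerd (its domain suffix), which is the per-daemon control ipchains cannot express; the host with mismatched forward and reverse DNS and the host with no PTR are both caught by the first hosts.deny line, and the spawned logger line carries the ident user when one was supplied.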

 
 
 

TCP Wrappers

Post by Tim Hayn » Mon, 17 Apr 2000 04:00:00



> fuzzy spewed forth:
> >> Stupid question: is there any kind of application firewall for linux
> >> other than tcpd as above, e.g. something that can grok http and telnet
> >> and X to non-standard ports?

> f>ipmasqadm....

> IIRC, tcp wrappers can be used on any daemon that's started by inetd.
> Which generally *isn't* httpd or X.  But I think it's irrelevant what
> port the daemon is listening on.  Or am I misreading the question and you
> *aren't* asking about telnetd listening on something other than 23?

I was thinking of something where I can have rules like,

        if it's an outgoing HTTP request for a .ram file, kill it stone dead

        if it's X between 192.168.99.2 and the outside world, block it

        if it's 'tunnelv's[1] protocol between any outside world and my
        ppp0's IP#, allow it

        if it's postgresql's comms layer only allow it to 5432

and so on. The point being, all the above have easily-variable ports with
only typical defaults in /etc/services, particularly the latter two.

[1] www.worldvision.ca, or is it worldvisions? One of those things. Quite
a useful NAT toy.

~Tim
--
| Geek Code: GCS dpu s-:+ a-- C++++ UBLUAVHSC++++ P+++ L++ E--- W+++(--) N++
| w--- O- M-- V-- PS PGP++ t--- X+(-) b D+ G e++(*) h++(*) r--- y-          
| The sun is melting over the hills,         | http://piglet.is.dreaming.org/

 
 
 

TCP Wrappers

Post by Mike Tatro » Tue, 18 Apr 2000 04:00:00


Apologies to the folks that are familiar with all this.  Hopefully it'll
be useful to the newer people.

Here's the short desc of tcp_wrappers from ftp.porcupine.org

          Wietse Venema's network logger, also known as TCPD or LOG_TCP.
          These programs log the client host name of incoming telnet,
          ftp, rsh, rlogin, finger etc. requests. Security options are:
          access control per host, domain and/or service; detection of
          host name spoofing or host address spoofing; booby traps to
          implement an early-warning system. The current version supports
          the System V.4 TLI network programming interface (Solaris,
          DG/UX) in addition to the traditional BSD sockets.

Also, from the tcp_wrappers README

        The tcpd program can be used to monitor the telnet, finger, ftp,
        exec, rsh, rlogin, tftp, talk, comsat and other tcp or udp services
        that have a one-to-one mapping onto executable files.

        The tcpd program can also be used for services that are marked as
        rpc/udp in the inetd configuration file, but not for rpc/tcp services
        such as rexd.  You probably do not want to run rexd anyway. On most
        systems it is even less secure than a wildcard in /etc/hosts.equiv.

--
"Human beings, who are almost unique in having the ability to learn from
the experience of others, are also remarkable for their apparent
disinclination to do so."
                  -Douglas Adams

 
 
 

TCP Wrappers

Post by James J. Lippa » Wed, 19 Apr 2000 04:00:00


Another program similar to tcpwrappers is tcpserver, which is part
of Dan Bernstein's daemontools package.  http://www.veryComputer.com/


>Apologies to the folks that are familiar with all this.  Hopefully it'll
>be useful to the newer people.

>Here's the short desc of tcp_wrappers from ftp.porcupine.org

>          Wietse Venema's network logger, also known as TCPD or LOG_TCP.
>          These programs log the client host name of incoming telnet,
>          ftp, rsh, rlogin, finger etc. requests. Security options are:
>          access control per host, domain and/or service; detection of
>          host name spoofing or host address spoofing; booby traps to
>          implement an early-warning system. The current version supports
>          the System V.4 TLI network programming interface (Solaris,
>          DG/UX) in addition to the traditional BSD sockets.

>Also, from the tcp_wrappers README

>        The tcpd program can be used to monitor the telnet, finger, ftp,
>        exec, rsh, rlogin, tftp, talk, comsat and other tcp or udp services
>        that have a one-to-one mapping onto executable files.

>        The tcpd program can also be used for services that are marked as
>        rpc/udp in the inetd configuration file, but not for rpc/tcp services
>        such as rexd.  You probably do not want to run rexd anyway. On most
>        systems it is even less secure than a wildcard in /etc/hosts.equiv.

>--
>"Human beings, who are almost unique in having the ability to learn from
>the experience of others, are also remarkable for their apparent
>disinclination to do so."
>                  -Douglas Adams

--

Unsolicited bulk email charge:   $500/message.   Don't send me any.
PGP Fingerprint: 0C1F FE18 D311 1792 5EA8  43C8 7AD2 B485 DE75 841C