svn commit: r44593 - head/en_US.ISO8859-1/books/handbook/security
Dru Lavigne
dru at FreeBSD.org
Thu Apr 17 17:05:54 UTC 2014
Author: dru
Date: Thu Apr 17 17:05:53 2014
New Revision: 44593
URL: http://svnweb.freebsd.org/changeset/doc/44593
Log:
Editorial review of TCP Wrapper chapter.
Change application name to singular.
Sponsored by: iXsystems
Modified:
head/en_US.ISO8859-1/books/handbook/security/chapter.xml
Modified: head/en_US.ISO8859-1/books/handbook/security/chapter.xml
==============================================================================
--- head/en_US.ISO8859-1/books/handbook/security/chapter.xml Wed Apr 16 21:07:48 2014 (r44592)
+++ head/en_US.ISO8859-1/books/handbook/security/chapter.xml Thu Apr 17 17:05:53 2014 (r44593)
@@ -51,7 +51,7 @@
</listitem>
<listitem>
- <para>How to configure <acronym>TCP</acronym> Wrappers for use
+ <para>How to configure <application>TCP Wrapper</application> for use
with &man.inetd.8;.</para>
</listitem>
@@ -866,7 +866,7 @@ Enter secret pass phrase: <userinput><
<sect1 xml:id="tcpwrappers">
<info>
- <title>TCP Wrappers</title>
+ <title>TCP Wrapper</title>
<authorgroup>
<author><personname><firstname>Tom</firstname><surname>Rhodes</surname></personname><contrib>Written
@@ -874,55 +874,61 @@ Enter secret pass phrase: <userinput><
</authorgroup>
</info>
- <indexterm><primary>TCP Wrappers</primary></indexterm>
+ <indexterm><primary>TCP Wrapper</primary></indexterm>
- <para><acronym>TCP</acronym> Wrappers extends the abilities of
- <xref linkend="network-inetd"/> to provide support for every
- server daemon under its control. It can be configured
- to provide logging support, return messages to connections, and
- permit a daemon to only accept internal connections. While some
- of these features can be provided by implementing a firewall,
- <acronym>TCP</acronym> Wrappers adds an extra layer of
- protection and goes beyond the amount of control a firewall can
- provide.</para>
+ <para><application>TCP Wrapper</application> is a host-based
+ access control system which extends the abilities of
+ <xref linkend="network-inetd"/>. It can be configured
+ to provide logging support, return messages, and
+ connection restrictions for the
+ server daemons under the control of
+ <application>inetd</application>. Refer to &man.tcpd.8; for
+ more information about
+ <application>TCP Wrapper</application> and its features.</para>
- <para><acronym>TCP</acronym> Wrappers should not be considered a
+ <para><application>TCP Wrapper</application> should not be considered a
replacement for a properly configured firewall.
- <acronym>TCP</acronym> Wrappers should be used in conjunction
- with a firewall and other security enhancements.</para>
+ Instead, <application>TCP Wrapper</application> should be used in conjunction
+ with a firewall and other security enhancements in order to
+ provide another layer of protection in the implementation of a
+ security policy.</para>
<sect2>
<title>Initial Configuration</title>
- <para>To enable <acronym>TCP</acronym> Wrappers in &os;, ensure
- the &man.inetd.8; server is started from
- <filename>/etc/rc.conf</filename> with
- <option>-Ww</option>. Then, properly configure
+ <para>To enable <application>TCP Wrapper</application> in &os;,
+ add the following lines to
+ <filename>/etc/rc.conf</filename>:</para>
+
+ <programlisting>inetd_enable="YES"
+inetd_flags="-Ww"</programlisting>
+
+ <para>Then, properly configure
<filename>/etc/hosts.allow</filename>.</para>
<note>
- <para>Unlike other implementations of <acronym>TCP</acronym>
- Wrappers, the use of <filename>hosts.deny</filename> has
- been deprecated. All configuration options should be placed
+ <para>Unlike other implementations of
+ <application>TCP Wrapper</application>, the use of <filename>hosts.deny</filename> is
+ deprecated in &os;. All configuration options should be placed
in <filename>/etc/hosts.allow</filename>.</para>
</note>
<para>In the simplest configuration, daemon connection policies
- are set to either be permitted or blocked depending on the
+ are set to either permit or block, depending on the
options in <filename>/etc/hosts.allow</filename>. The default
- configuration in &os; is to allow a connection to every daemon
- started with &man.inetd.8;.</para>
+ configuration in &os; is to allow all connections to the daemons
+ started with <application>inetd</application>.</para>
<para>Basic configuration usually takes the form of
<literal>daemon : address : action</literal>, where
- <literal>daemon</literal> is the daemon which &man.inetd.8;
+ <literal>daemon</literal> is the daemon which <application>inetd</application>
started, <literal>address</literal> is a valid hostname,
<acronym>IP</acronym> address, or an IPv6 address enclosed in
brackets ([ ]), and <literal>action</literal> is either
<literal>allow</literal> or <literal>deny</literal>.
- <acronym>TCP</acronym> Wrappers uses a first rule match
- semantic, meaning that the configuration file is scanned in
- ascending order for a matching rule. When a match is found,
+ <application>TCP Wrapper</application> uses a first rule match
+ semantic, meaning that the configuration file is scanned
+ from the beginning for a matching rule. When a match is found,
the rule is applied and the search process stops.</para>
<para>For example, to allow <acronym>POP</acronym>3 connections
@@ -933,8 +939,8 @@ Enter secret pass phrase: <userinput><
<programlisting># This line is required for POP3 connections:
qpopper : ALL : allow</programlisting>
- <para>After adding this line, &man.inetd.8; needs to be
- restarted:</para>
+ <para>Whenever this file is edited, restart
+ <application>inetd</application>:</para>
<screen>&prompt.root; <userinput>service inetd restart</userinput></screen>
</sect2>
@@ -942,7 +948,7 @@ qpopper : ALL : allow</programlisting>
<sect2>
<title>Advanced Configuration</title>
- <para><acronym>TCP</acronym> Wrappers provides advanced options
+ <para><application>TCP Wrapper</application> provides advanced options
to allow more control over the way connections are handled.
In some cases, it may be appropriate to return a comment to
certain hosts or daemon connections. In other cases, a log
@@ -950,15 +956,12 @@ qpopper : ALL : allow</programlisting>
administrator. Other situations may require the use of a
service for local connections only. This is all possible
through the use of configuration options known as
- <literal>wildcards</literal>, expansion characters and
+ wildcards, expansion characters, and
external command execution.</para>
- <sect3>
- <title>External Commands</title>
-
<para>Suppose that a situation occurs where a connection
should be denied yet a reason should be sent to the
- individual who attempted to establish that connection. That
+ host who attempted to establish that connection. That
action is possible with <option>twist</option>. When a
connection attempt is made, <option>twist</option> executes
a shell command or script. An example exists in
@@ -970,9 +973,9 @@ ALL : ALL \
: twist /bin/echo "You are not welcome to use %d from %h."</programlisting>
<para>In this example, the message <quote>You are not allowed
- to use <literal>daemon</literal> from
- <literal>hostname</literal>.</quote> will be returned for
- any daemon not previously configured in the access file.
+ to use <replaceable>daemon name</replaceable> from
+ <replaceable>hostname</replaceable>.</quote> will be returned for
+ any daemon not configured in <filename>hosts.allow</filename>.
This is useful for sending a reply back to the connection
initiator right after the established connection is dropped.
Any message returned <emphasis>must</emphasis> be wrapped in
@@ -980,8 +983,8 @@ ALL : ALL \
<warning>
<para>It may be possible to launch a denial of service
- attack on the server if an attacker, or group of
- attackers, could flood these daemons with connection
+ attack on the server if an attacker
+ floods these daemons with connection
requests.</para>
</warning>
@@ -990,9 +993,9 @@ ALL : ALL \
implicitly denies the connection and may be used to run
external shell commands or scripts. Unlike
<option>twist</option>, <option>spawn</option> will not send
- a reply back to the individual who established the
+ a reply back to the host who established the
connection. For example, consider the following
- configuration line:</para>
+ configuration:</para>
<programlisting># We do not allow connections from example.com:
ALL : .example.com \
@@ -1004,46 +1007,38 @@ ALL : .example.com \
class="fqdomainname">*.example.com</systemitem> and log
the hostname, <acronym>IP</acronym> address, and the daemon
to which access was attempted to
- <filename>/var/log/connections.log</filename>.</para>
-
- <para>This example uses the substitution characters
+ <filename>/var/log/connections.log</filename>. This example
+ uses the substitution characters
<literal>%a</literal> and <literal>%h</literal>. Refer to
&man.hosts.access.5; for the complete list.</para>
- </sect3>
- <sect3>
- <title>Wildcard Options</title>
-
- <para>The <literal>ALL</literal> option may be used to match
- every instance of a daemon, domain, or an
- <acronym>IP</acronym> address. Another wildcard is
+ <para>To match every instance of a daemon, domain, or
+ <acronym>IP</acronym> address, use <literal>ALL</literal>. Another wildcard is
<literal>PARANOID</literal> which may be used to match
any host which provides an <acronym>IP</acronym> address
- that may be forged. For example,
- <literal>PARANOID</literal> may be used to define an action
- to be taken whenever a connection is made from an
- <acronym>IP</acronym> address that differs from its
+ that may be forged because the
+ <acronym>IP</acronym> address differs from its resolved
hostname. In this example, all connection requests to
- &man.sendmail.8; which have an <acronym>IP</acronym> address
+ <application>Sendmail</application> which have an <acronym>IP</acronym> address
that varies from its hostname will be denied:</para>
<programlisting># Block possibly spoofed requests to sendmail:
sendmail : PARANOID : deny</programlisting>
<caution>
- <para>Using the <literal>PARANOID</literal> wildcard may
- severely cripple servers if the client or server has a
- broken <acronym>DNS</acronym> setup. Administrator
- discretion is advised.</para>
+ <para>Using the <literal>PARANOID</literal> wildcard will
+ result in denied connections if the client or server has a
+ broken <acronym>DNS</acronym> setup.</para>
</caution>
<para>To learn more about wildcards and their associated
functionality, refer to &man.hosts.access.5;.</para>
- <para>Before any of the specific configuration lines above
- will work, the first configuration line should be commented
+ <note>
+ <para>When adding new configuration lines, make sure that any
+ unneeded entries for that daemon are commented
out in <filename>hosts.allow</filename>.</para>
- </sect3>
+ </note>
</sect2>
</sect1>
More information about the svn-doc-head
mailing list