svn commit: r44593 - head/en_US.ISO8859-1/books/handbook/security

Dru Lavigne dru at FreeBSD.org
Thu Apr 17 17:05:54 UTC 2014 

Author: dru
Date: Thu Apr 17 17:05:53 2014
New Revision: 44593
URL: http://svnweb.freebsd.org/changeset/doc/44593

Log:
  Editorial review of TCP Wrapper chapter.
  Change application name to singular.
  
  Sponsored by:	iXsystems

Modified:
  head/en_US.ISO8859-1/books/handbook/security/chapter.xml

Modified: head/en_US.ISO8859-1/books/handbook/security/chapter.xml
==============================================================================
--- head/en_US.ISO8859-1/books/handbook/security/chapter.xml	Wed Apr 16 21:07:48 2014	(r44592)
+++ head/en_US.ISO8859-1/books/handbook/security/chapter.xml	Thu Apr 17 17:05:53 2014	(r44593)
@@ -51,7 +51,7 @@
       </listitem>
 
       <listitem>
-	<para>How to configure <acronym>TCP</acronym> Wrappers for use
+	<para>How to configure <application>TCP Wrapper</application> for use
 	  with &man.inetd.8;.</para>
       </listitem>
 
@@ -866,7 +866,7 @@ Enter secret pass phrase: <userinput>&lt
 
   <sect1 xml:id="tcpwrappers">
     <info>
-      <title>TCP Wrappers</title>
+      <title>TCP Wrapper</title>
 
       <authorgroup>
 	<author><personname><firstname>Tom</firstname><surname>Rhodes</surname></personname><contrib>Written
@@ -874,55 +874,61 @@ Enter secret pass phrase: <userinput>&lt
       </authorgroup>
     </info>
 
-    <indexterm><primary>TCP Wrappers</primary></indexterm>
+    <indexterm><primary>TCP Wrapper</primary></indexterm>
 
-    <para><acronym>TCP</acronym> Wrappers extends the abilities of
-      <xref linkend="network-inetd"/> to provide support for every
-      server daemon under its control.  It can be configured
-      to provide logging support, return messages to connections, and
-      permit a daemon to only accept internal connections.  While some
-      of these features can be provided by implementing a firewall,
-      <acronym>TCP</acronym> Wrappers adds an extra layer of
-      protection and goes beyond the amount of control a firewall can
-      provide.</para>
+    <para><application>TCP Wrapper</application> is a host-based
+      access control system which extends the abilities of
+      <xref linkend="network-inetd"/>.  It can be configured
+      to provide logging support, return messages, and
+      connection restrictions for the
+      server daemons under the control of
+      <application>inetd</application>.  Refer to &man.tcpd.8; for
+      more information about
+      <application>TCP Wrapper</application> and its features.</para>
 
-    <para><acronym>TCP</acronym> Wrappers should not be considered a
+    <para><application>TCP Wrapper</application> should not be considered a
       replacement for a properly configured firewall.
-      <acronym>TCP</acronym> Wrappers should be used in conjunction
-      with a firewall and other security enhancements.</para>
+      Instead, <application>TCP Wrapper</application> should be used in conjunction
+      with a firewall and other security enhancements in order to
+      provide another layer of protection in the implementation of a
+      security policy.</para>
 
     <sect2>
       <title>Initial Configuration</title>
 
-      <para>To enable <acronym>TCP</acronym> Wrappers in &os;, ensure
-	the &man.inetd.8; server is started from
-	<filename>/etc/rc.conf</filename> with
-	<option>-Ww</option>.  Then, properly configure
+      <para>To enable <application>TCP Wrapper</application> in &os;,
+	add the following lines to
+	<filename>/etc/rc.conf</filename>:</para>
+
+      <programlisting>inetd_enable="YES"
+inetd_flags="-Ww"</programlisting>
+
+	<para>Then, properly configure
 	<filename>/etc/hosts.allow</filename>.</para>
 
       <note>
-	<para>Unlike other implementations of <acronym>TCP</acronym>
-	  Wrappers, the use of <filename>hosts.deny</filename> has
-	  been deprecated.  All configuration options should be placed
+	<para>Unlike other implementations of
+	  <application>TCP Wrapper</application>, the use of <filename>hosts.deny</filename> is
+	  deprecated in &os;.  All configuration options should be placed
 	  in <filename>/etc/hosts.allow</filename>.</para>
       </note>
 
       <para>In the simplest configuration, daemon connection policies
-	are set to either be permitted or blocked depending on the
+	are set to either permit or block, depending on the
 	options in <filename>/etc/hosts.allow</filename>.  The default
-	configuration in &os; is to allow a connection to every daemon
-	started with &man.inetd.8;.</para>
+	configuration in &os; is to allow all connections to the daemons
+	started with <application>inetd</application>.</para>
 
       <para>Basic configuration usually takes the form of
 	<literal>daemon : address : action</literal>, where
-	<literal>daemon</literal> is the daemon which &man.inetd.8;
+	<literal>daemon</literal> is the daemon which <application>inetd</application>
 	started, <literal>address</literal> is a valid hostname,
 	<acronym>IP</acronym> address, or an IPv6 address enclosed in
 	brackets ([ ]), and <literal>action</literal> is either
 	<literal>allow</literal> or <literal>deny</literal>.
-	<acronym>TCP</acronym> Wrappers uses a first rule match
-	semantic, meaning that the configuration file is scanned in
-	ascending order for a matching rule.  When a match is found,
+	<application>TCP Wrapper</application> uses a first rule match
+	semantic, meaning that the configuration file is scanned
+	from the beginning for a matching rule.  When a match is found,
 	the rule is applied and the search process stops.</para>
 
       <para>For example, to allow <acronym>POP</acronym>3 connections
@@ -933,8 +939,8 @@ Enter secret pass phrase: <userinput>&lt
       <programlisting># This line is required for POP3 connections:
 qpopper : ALL : allow</programlisting>
 
-      <para>After adding this line, &man.inetd.8; needs to be
-	restarted:</para>
+      <para>Whenever this file is edited, restart
+	<application>inetd</application>:</para>
 
 	<screen>&prompt.root; <userinput>service inetd restart</userinput></screen>
     </sect2>
@@ -942,7 +948,7 @@ qpopper : ALL : allow</programlisting>
     <sect2>
       <title>Advanced Configuration</title>
 
-      <para><acronym>TCP</acronym> Wrappers provides advanced options
+      <para><application>TCP Wrapper</application> provides advanced options
 	to allow more control over the way connections are handled.
 	In some cases, it may be appropriate to return a comment to
 	certain hosts or daemon connections.  In other cases, a log
@@ -950,15 +956,12 @@ qpopper : ALL : allow</programlisting>
 	administrator.  Other situations may require the use of a
 	service for local connections only.  This is all possible
 	through the use of configuration options known as
-	<literal>wildcards</literal>, expansion characters and
+	wildcards, expansion characters, and
 	external command execution.</para>
 
-      <sect3>
-	<title>External Commands</title>
-
 	<para>Suppose that a situation occurs where a connection
 	  should be denied yet a reason should be sent to the
-	  individual who attempted to establish that connection.  That
+	  host who attempted to establish that connection.  That
 	  action is possible with <option>twist</option>.  When a
 	  connection attempt is made, <option>twist</option> executes
 	  a shell command or script.  An example exists in
@@ -970,9 +973,9 @@ ALL : ALL \
 	: twist /bin/echo "You are not welcome to use %d from %h."</programlisting>
 
 	<para>In this example, the message <quote>You are not allowed
-	    to use <literal>daemon</literal> from
-	    <literal>hostname</literal>.</quote> will be returned for
-	  any daemon not previously configured in the access file.
+	    to use <replaceable>daemon name</replaceable> from
+	    <replaceable>hostname</replaceable>.</quote> will be returned for
+	  any daemon not configured in <filename>hosts.allow</filename>.
 	  This is useful for sending a reply back to the connection
 	  initiator right after the established connection is dropped.
 	  Any message returned <emphasis>must</emphasis> be wrapped in
@@ -980,8 +983,8 @@ ALL : ALL \
 
 	<warning>
 	  <para>It may be possible to launch a denial of service
-	    attack on the server if an attacker, or group of
-	    attackers, could flood these daemons with connection
+	    attack on the server if an attacker
+	    floods these daemons with connection
 	    requests.</para>
 	</warning>
 
@@ -990,9 +993,9 @@ ALL : ALL \
 	  implicitly denies the connection and may be used to run
 	  external shell commands or scripts.  Unlike
 	  <option>twist</option>, <option>spawn</option> will not send
-	  a reply back to the individual who established the
+	  a reply back to the host who established the
 	  connection.  For example, consider the following
-	  configuration line:</para>
+	  configuration:</para>
 
 	<programlisting># We do not allow connections from example.com:
 ALL : .example.com \
@@ -1004,46 +1007,38 @@ ALL : .example.com \
 	    class="fqdomainname">*.example.com</systemitem> and log
 	  the hostname, <acronym>IP</acronym> address, and the daemon
 	  to which access was attempted to
-	  <filename>/var/log/connections.log</filename>.</para>
-
-	<para>This example uses the substitution characters
+	  <filename>/var/log/connections.log</filename>.  This example
+	  uses the substitution characters
 	  <literal>%a</literal> and <literal>%h</literal>.  Refer to
 	  &man.hosts.access.5; for the complete list.</para>
-      </sect3>
 
-      <sect3>
-	<title>Wildcard Options</title>
-
-	<para>The <literal>ALL</literal> option may be used to match
-	  every instance of a daemon, domain, or an
-	  <acronym>IP</acronym> address.  Another wildcard is
+	<para>To match every instance of a daemon, domain, or
+	  <acronym>IP</acronym> address, use <literal>ALL</literal>.  Another wildcard is
 	  <literal>PARANOID</literal> which may be used to match
 	  any host which provides an <acronym>IP</acronym> address
-	  that may be forged.  For example,
-	  <literal>PARANOID</literal> may be used to define an action
-	  to be taken whenever a connection is made from an
-	  <acronym>IP</acronym> address that differs from its
+	  that may be forged because the
+	  <acronym>IP</acronym> address differs from its resolved
 	  hostname.  In this example, all connection requests to
-	  &man.sendmail.8; which have an <acronym>IP</acronym> address
+	  <application>Sendmail</application> which have an <acronym>IP</acronym> address
 	  that varies from its hostname will be denied:</para>
 
 	<programlisting># Block possibly spoofed requests to sendmail:
 sendmail : PARANOID : deny</programlisting>
 
 	<caution>
-	  <para>Using the <literal>PARANOID</literal> wildcard may
-	    severely cripple servers if the client or server has a
-	    broken <acronym>DNS</acronym> setup.  Administrator
-	    discretion is advised.</para>
+	  <para>Using the <literal>PARANOID</literal> wildcard will
+	    result in denied connections if the client or server has a
+	    broken <acronym>DNS</acronym> setup.</para>
 	</caution>
 
 	<para>To learn more about wildcards and their associated
 	  functionality, refer to &man.hosts.access.5;.</para>
 
-	<para>Before any of the specific configuration lines above
-	  will work, the first configuration line should be commented
+      <note>
+	<para>When adding new configuration lines, make sure that any
+	  unneeded entries for that daemon are commented
 	  out in <filename>hosts.allow</filename>.</para>
-      </sect3>
+      </note>
     </sect2>
   </sect1>

More information about the svn-doc-head mailing list