Re: TCP Wrappers on Linux (RedHat 6.2)

[Peter W <peterw@usa.net>]

On Wed, Aug 08, 2001 at 04:19:37PM -0400, Doyon, Jean-Francois wrote:

> I compiled with --enable-wrappers, and the configure did find tcpd.h OK ....
>
> But nothing seems to work right, no matter what I put in hosts.allow all
> connections are accepted!

> I switched the debugging to max (-1) and looked through the logs, but 
> didn't see anything indicating whether it tried to call libwrap.a or 
> anything like that. Everything seems to get accepted.

If you run with the -d command line option (where debugging output goes to 
your terminal) you would have seen a message about the denial (if it were 
denied, that is).

> I switched the debugging to max (-1) and looked through the logs, but didn't
> see anything indicating whether it tried to call libwrap.a or anything like
> that. Everything seems to get accepted.
> 
> libwrap.a is in /usr/lib, so I don't think it's a problem of not finding it!

since libwrap.a is a .a archive, and not a .so shared object, it should be 
compiled into the openldap code, and locating it is not a problem.

$ strings slapd | grep hosts.allow
/etc/hosts.allow

slapd looks for service name 'slapd'. You might want to use the 'tcpdchk' 
binary to verify that hosts.allow and hosts.deny are well-formed.

Another option might be using OS packet filter tools (Linux 
iptables/ipchains, Unix ipfilter, etc.) instead of compiling against 
libtcpd.a. I expect that using OS/kernel packet filtering might be more 
efficient than libwrap, especially if you already have packet filtering code 
loaded into your kernel.

-Peter