14.6 TCP Wrappers

Written by: Tom Rhodes.

每個熟 inetd(8) 的人幾乎都會聽過 TCP Wrappers 這個東西,但很少人能完全瞭解它在網路環境上的好用在哪。 大多數的人都會裝防火牆來保護網路,雖然,防火牆用途非常廣泛,但並非萬能。 例如:若打算回傳一段文字給連線來源者等之類的。而 TCP 軟體卻可以做到這點,還有其他更多事情。在以下段落內,我們將繼續介紹 TCP Wrappers 提供的功能,以及一些實際運用的例子。

TCP Wrappers 可以讓 inetd 所管理的每個 server daemon ,都會在 TCP Wrappers 的掌握之下。透過 TCP Wrappers 這種方式可以支援連線紀錄(logging) 、回傳一段文字給連線來源者、可以讓 daemon 只接受內部連線等等。 雖然其中部份功能用防火牆也可以做到,但 TCP Wrappers 不只是增加了一層保護,還提供了防火牆所辦不到的事情。

然而, 由 TCP Wrappers 所提供的這些額外安全功能, 不應該視為優秀防火牆的替代方案。應該結合 TCP Wrappers 及防火牆、其他加強安全措施來一併運用才對,這樣才可以為系統提供多層安全防護。

由於這些設定是主要針對 inetd 所提供的,所以我們建議您先參閱 inetd 設定 一節。

Note: 雖然 inetd(8) 所啟動的程式並非全部都是真正的 『daemons』,但一般來講,我們都還是會稱呼為『daemons』, 下面我們仍將使用這字眼來表達。

14.6.1 Initial Configuration

若要在 FreeBSD 中使用 TCP Wrappers 的話,只要確定 inetd 在啟動時,有在 /etc/rc.conf 加上 -Ww 的參數即可,這個設定在系統預設就有了。 當然還需要適當修改 /etc/hosts.allow 設定檔,但 syslogd(8) 仍會在系統 log 檔內,紀錄相關資料下來。

Note: FreeBSD 的 TCP Wrappers 實作方式與其他作業系統上的 TCP Wrappers 不太一樣,目前 FreeBSD 已經廢棄不用 /etc/hosts.deny ,而一律改用 /etc/hosts.allow

最簡單的設定方式是,每個對 daemon 的連線都由 /etc/hosts.allow 來決定是否允許或拒絕。 The default configuration in FreeBSD is to allow a connection to every daemon started with inetd. Changing this will be discussed only after the basic configuration is covered.

Basic configuration usually takes the form of daemon : address : action. Where daemon is the daemon name which inetd started. The address can be a valid hostname, an IP address or an IPv6 address enclosed in brackets ([ ]). The action field can be either allow or deny to grant or deny access appropriately. Keep in mind that configuration works off a first rule match semantic, meaning that the configuration file is scanned in ascending order for a matching rule. When a match is found the rule is applied and the search process will halt.

Several other options exist but they will be explained in a later section. A simple configuration line may easily be constructed from that information alone. For example, to allow POP3 connections via the mail/qpopper daemon, the following lines should be appended to hosts.allow:

# This line is required for POP3 connections:
qpopper : ALL : allow

加上上面這行之後,必須重新啟動 inetd。重新啟動的方式可以用 kill(1) 指令,或打『 /etc/rc.d/inetd restart 』 來完成。

14.6.2 Advanced Configuration

TCP Wrappers has advanced options too; they will allow for more control over the way connections are handled. In some cases it may be a good idea to return a comment to certain hosts or daemon connections. In other cases, perhaps a log file should be recorded or an email sent to the administrator. Other situations may require the use of a service for local connections only. This is all possible through the use of configuration options known as wildcards, expansion characters and external command execution. The next two sections are written to cover these situations. External Commands

Suppose that a situation occurs where a connection should be denied yet a reason should be sent to the individual who attempted to establish that connection. How could it be done? That action can be made possible by using the twist option. When a connection attempt is made, twist will be called to execute a shell command or script. An example already exists in the hosts.allow file:

# The rest of the daemons are protected.
        : severity auth.info \
        : twist /bin/echo "You are not welcome to use %d from %h."

This example shows that the message, “You are not allowed to use daemon from hostname.” will be returned for any daemon not previously configured in the access file. This is extremely useful for sending a reply back to the connection initiator right after the established connection is dropped. Note that any message returned must be wrapped in quote " characters; there are no exceptions to this rule.

Warning: It may be possible to launch a denial of service attack on the server if an attacker, or group of attackers could flood these daemons with connection requests.

Another possibility is to use the spawn option in these cases. Like twist, the spawn implicitly denies the connection and may be used to run external shell commands or scripts. Unlike twist, spawn will not send a reply back to the individual who established the connection. For an example, consider the following configuration line:

# We do not allow connections from example.com:
ALL : .example.com \
    : spawn (/bin/echo %a from %h attempted to access %d >> \
      /var/log/connections.log) \
    : deny

This will deny all connection attempts from the *.example.com domain; simultaneously logging the hostname, IP address and the daemon which they attempted to access in the /var/log/connections.log file.

Aside from the already explained substitution characters above, e.g. %a, a few others exist. See the hosts_access(5) manual page for the complete list. Wildcard Options

Thus far the ALL example has been used continuously throughout the examples. Other options exist which could extend the functionality a bit further. For instance, ALL may be used to match every instance of either a daemon, domain or an IP address. Another wildcard available is PARANOID which may be used to match any host which provides an IP address that may be forged. In other words, paranoid may be used to define an action to be taken whenever a connection is made from an IP address that differs from its hostname. The following example may shed some more light on this discussion:

# Block possibly spoofed requests to sendmail:
sendmail : PARANOID : deny

In that example all connection requests to sendmail which have an IP address that varies from its hostname will be denied.

Caution: Using the PARANOID may severely cripple servers if the client or server has a broken DNS setup. Administrator discretion is advised.

To learn more about wildcards and their associated functionality, see the hosts_access(5) manual page.

Before any of the specific configuration lines above will work, the first configuration line should be commented out in hosts.allow. This was noted at the beginning of this section.


若有 FreeBSD 方面疑問,請先閱讀 FreeBSD 相關文件,如不能解決的話,再洽詢 <questions@FreeBSD.org>。
關於本文件的問題,請洽詢 <doc@FreeBSD.org>。