• <client list> — A comma-separated list of hostnames, host IP addresses, special patterns (refer to Section 2.1.2, “Patterns”), or special wildcards (refer to Section 2.1.1, “Wildcards”) which identify the hosts affected by the rule. The client list also accepts operators listed in Section 2.1.4, “Operators” to allow greater flexibility.
• <option> — An optional action or colon-separated list of actions performed when the rule is triggered. Option fields support expansions (refer to Section 2.2.4, “Expansions”), launch shell commands, allow or deny access, and alter logging behavior (refer to Section 2.2, “Option Fields”).

The following is a basic sample hosts access rule:

    vsftpd : .example.com

This rule instructs TCP wrappers to watch for connections to the FTP daemon (vsftpd) from any host in the example.com domain. If this rule appears in hosts.allow, the connection is accepted. If this rule appears in hosts.deny, the connection is rejected.

The next sample hosts access rule is more complex and uses two option fields:

    sshd : .example.com \
      : spawn /bin/echo `/bin/date` access denied>>/var/log/sshd.log \
      : deny

Note that each option field is preceded by the backslash (\). Use of the backslash prevents failure of the rule due to length.

This sample rule states that if a connection to the SSH daemon (sshd) is attempted from a host in the example.com domain, execute the echo command (which logs the attempt to a special file), and deny the connection. Because the optional deny directive is used, this line denies access even if it appears in the hosts.allow file. For a more detailed look at available options, refer to Section 2.2, “Option Fields”.

2.1.1. Wildcards

Wildcards allow TCP wrappers to more easily match groups of daemons or hosts. They are used most frequently in the client list field of access rules.

The following wildcards may be used:

• ALL — Matches everything. It can be used for both the daemon list and the client list.
• LOCAL — Matches any host that does not contain a period (.), such as localhost.
• KNOWN — Matches any host where the hostname and host address are known or where the user is known.

Chapter 17. TCP Wrappers and ...312
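To audit which rule decides a given connection, the following added example (not part of the original guide) models the two sample rules and the wildcards above in Python. The function names parse_rules, client_matches and decide are hypothetical, the "sshd : LOCAL" and "ALL : ALL" rules are constructed, and the evaluation order used (hosts.allow first, then hosts.deny, first match wins, access granted if nothing matches) is the standard TCP wrappers behavior rather than something stated in this section.

```python
# Added example: simplified model of hosts.allow / hosts.deny evaluation.
# Assumptions: ':' never appears inside an option, and KNOWN is modelled for
# hosts only (no user lookup). Shell commands are recorded, never executed.

def parse_rules(text):
    """Join backslash-continued lines, then split 'daemons : clients [: option ...]'."""
    rules = []
    for line in text.replace("\\\n", " ").splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = [f.strip() for f in line.split(":")]
        if len(fields) < 2:
            continue  # malformed rule, skipped in this model
        rules.append((fields[0].replace(",", " ").split(),
                      fields[1].replace(",", " ").split(), fields[2:]))
    return rules

def client_matches(pattern, hostname, address):
    host = hostname.lower() if hostname else None
    if pattern == "ALL":
        return True
    if pattern == "LOCAL":          # hostname without a period
        return host is not None and "." not in host
    if pattern == "KNOWN":          # both name and address resolved
        return host is not None and address is not None
    if pattern.startswith("."):     # any host in that domain
        return host is not None and host.endswith(pattern.lower())
    return pattern.lower() == host or pattern == address

def decide(daemon, hostname, address, allow_text, deny_text):
    """Return (verdict, file, options) for the first matching rule."""
    for fname, text, default in (("hosts.allow", allow_text, "allow"),
                                 ("hosts.deny", deny_text, "deny")):
        for daemons, clients, options in parse_rules(text):
            if not any(d in ("ALL", daemon) for d in daemons):
                continue
            if any(client_matches(c, hostname, address) for c in clients):
                explicit = [o for o in options if o in ("allow", "deny")]
                return (explicit[-1] if explicit else default), fname, options
    return "allow", None, []        # no rule matched in either file

# Constructed sample files, built from the two rules shown above.
HOSTS_ALLOW = """\
vsftpd : .example.com
sshd : .example.com \\
  : spawn /bin/echo `/bin/date` access denied>>/var/log/sshd.log \\
  : deny
sshd : LOCAL
"""
HOSTS_DENY = "ALL : ALL\n"
```

Calling decide("sshd", "dev.example.com", "192.0.2.11", HOSTS_ALLOW, HOSTS_DENY) reports a deny that originates in hosts.allow, which is the case the text warns about when the deny option is used.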