Section: File Formats (5)
The extensible language uses the following format:
daemon_list : client_list : option : option ...
The first two fields are described in the hosts_access(5) manual page. The remainder of the rules is a list of zero or more options. Any ":" characters within options should be protected with a backslash.
An option is of the form "keyword" or "keyword value". Options are processed in the specified order. Some options are subjected to %<letter> substitutions. For the sake of backwards compatibility with earlier versions, an "=" is permitted between keyword and value.
The allow and deny keywords make it possible to keep all access control rules within a single file, for example in the hosts.allow file.
To permit access from specific hosts only:
ALL: .friendly.domain: ALLOW
ALL: ALL: DENY
To permit access from all hosts except a few trouble makers:
ALL: .bad.domain: DENY
ALL: ALL: ALLOW
smtp : ALL : aclexec checkdnsbl %a
executes, in a background child process, the shell command "checkdnsbl %a" after replacing %a by the address of the remote host.
The connection will be allowed or refused depending on whether the command returns a true or false exit status.
spawn (/usr/sbin/safe_finger -l @%h | /usr/bin/mail root) &
executes, in a background child process, the shell command "safe_finger -l @%h | mail root" after replacing %h by the name or address of the remote host.
The example uses the "safe_finger" command instead of the regular "finger" command, to limit possible damage from data sent by the finger server. The "safe_finger" command is part of the daemon wrapper package; it is a wrapper around the regular finger command that filters the data sent by the remote host.
To send a customized bounce message to the client instead of running the real ftp daemon:
in.ftpd : ... : twist /bin/echo 421 Some bounce message
For an alternative way to talk to client processes, see the banners option below.
To run /some/other/in.telnetd without polluting its command-line array or its process environment:
in.telnetd : ... : twist PATH=/some/other; exec in.telnetd
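The rule format and the aclexec, spawn and twist rules above, as an added example (not part of the original manual page or of the tcp wrappers distribution): a small Python parser that splits a rule on unprotected colons, reads each option in order, and reports the explicit allow/deny keyword plus any shell command and the %<letter> substitutions it contains. The function names and sample rules are constructed for illustration; treating keywords as case-insensitive is an assumption based on the page writing both allow and ALLOW.

```python
import re

# Options shown on this page whose value is handed to the shell.
SHELL_OPTIONS = {"aclexec", "spawn", "twist"}

def split_fields(rule):
    """Split a rule on ':' unless the colon is protected with a backslash."""
    fields = re.split(r"(?<!\\):", rule)
    return [f.replace("\\:", ":").strip() for f in fields]

def parse_option(text):
    """Accept 'keyword', 'keyword value' and the older 'keyword=value' form."""
    keyword, value = re.match(r"([^\s=]+)\s*=?\s*(.*)$", text, re.S).groups()
    # Assumption: keywords are case-insensitive (the page writes both allow and ALLOW).
    return keyword.lower(), value.strip()

def audit(rule):
    """Return the rule's fields, explicit verdict, and any shell commands it runs."""
    daemons, clients, *raw_options = split_fields(rule)
    options = [parse_option(o) for o in raw_options if o]
    verdict, shell = None, []
    for keyword, value in options:  # options are processed in the order given
        if keyword in ("allow", "deny"):
            verdict = keyword
        elif keyword in SHELL_OPTIONS:
            # Record which %<letter> substitutions end up in the command line.
            shell.append((keyword, value, re.findall(r"%[A-Za-z]", value)))
    return {"daemons": daemons, "clients": clients, "options": options,
            "verdict": verdict, "shell": shell}

# Constructed sample rules, modelled on the ones on this page.
SAMPLE_RULES = [
    "ALL: .friendly.domain: ALLOW",
    "smtp : ALL : aclexec checkdnsbl %a",
    "in.fingerd : ALL : spawn = (/usr/sbin/safe_finger -l @%h | /usr/bin/mail root) & : DENY",
    r"in.ftpd : ALL : twist /bin/echo 421 Closed\: maintenance",
]

if __name__ == "__main__":
    for rule in SAMPLE_RULES:
        result = audit(rule)
        print(f"{result['daemons']} <- {result['clients']}: verdict={result['verdict']}")
        for keyword, command, expansions in result["shell"]:
            print(f"  {keyword} runs {command!r}; substitutions: {expansions or 'none'}")
```

A verdict of None means the rule carries no explicit allow or deny keyword; the parser does not model what the wrapper does in that case.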
The tcp wrappers source code distribution provides a sample makefile (Banners.Makefile) for convenient banner maintenance.
Warning: banners are supported for connection-oriented (TCP) network services only.
Warning: many network daemons reset their environment before spawning a login or shell process.
Wietse Venema ([email protected]) Department of Mathematics and Computing Science Eindhoven University of Technology Den Dolech 2, P.O. Box 513, 5600 MB Eindhoven, The Netherlands