This is an old revision of this page, as edited by Davidhorman (talk | contribs) at 09:51, 14 September 2006. The present address (URL) is a permanent link to this revision, which may differ significantly from the current revision.
Revision as of 09:51, 14 September 2006 by Davidhorman (talk | contribs)(diff) ← Previous revision | Latest revision (diff) | Newer revision → (diff)Developer(s) | Wietse Venema |
---|---|
Stable release | v0.7.6 |
Operating system | Unix-like |
Type | Security |
License | BSD |
Website |
TCP Wrapper is a host-based network ACL system, used to filter network access to Internet protocol services run on (Unix-like) operating systems such as Linux or BSD. It allows host or subnetwork IP adresses, names and/or ident query replies, to be used as tokens on which to filter for access control purposes. The name Wrapper is a reference to the wrapper design pattern (of the 'tcpd' program included).
The original code was written by Wietse Venema at the Eindhoven University of Technology, The Netherlands, between 1990 and 1995. As of June 1, 2001 the program is released under its own BSD-style license.
The tarball includes a library named libwrap that implements the actual functionality. Initially only services that start from a super-server (such as inetd) got wrapped, utilizing the 'tcpd' program. However most common network service daemons today can be linked against libwrap directly, and thus honor TCP Wrapper ACLs even when in stand-alone operating mode.
Over host access control directives often found in daemons' configuration files, TCP Wrappers have the benefit of runtime ACL reconfiguration (i.e. services don't have to be reloaded or restarted) and a generic approach to network administration.
While originally written to protect TCP and UDP accepting services, examples of usage to filter on certain ICMP packets (such as 'pingd' – the userspace ping request responder) exist too.
Services that grab the socket after being started by a super-server (for performance reasons on consecutive connects – usually multithreaded applications such as: Peter Anvin's tftpd and Peter Eriksson's identd), have to be linked against libwrap rather than wrapped (by tcpd, xinetd, or similar) as otherwise only the first connection attempt gets checked against its ACLs.
The project is usually referred to as TCP Wrappers and is named tcp-wrappers in the Gentoo Linux portage package repository. In Gentoo Linux TCP Wrappers is enabled with the 'tcpd' use-flag.
See also
References
- Wietse Venema: TCP WRAPPER Network monitoring, access control, and booby traps. July 15 1992
- Lee Brotzman: Wrap a Security Blanket Around Your Computer Linuxjournal article 1997-08-01