2.12 Configure TCP Wrappers - hosts.allow


NOTE: Update the value of HOSTS_ALLOW_NETWORK with the appropriate value for the local environment.


To enable TCP Wrappers, run the following commands:
1. Create and customize your policy in /etc/hosts.allow:
# echo "ALL: <net>/<mask>, <net>/<mask>" > /etc/hosts.allow
where each <net>/<mask> combination (for example, the Class C address block "") can represent one network block in use by your organization that requires access to this system.
2. Create a default deny policy in /etc/hosts.deny:
# echo "ALL: ALL" >/etc/hosts.deny
3. Enable TCP Wrappers for all services started by inetd:
# inetadm -M tcp_wrappers=TRUE To protect only specific inetd services, use the command:
# inetadm -m [FMRI] tcp_wrappers=TRUE To enable TCP Wrappers for the RPC port mapping service, use the commands:
# svccfg -s rpc/bind setprop config/enable_tcpwrappers=true
# svcadm refresh rpc/bind

The versions of SSH and sendmail that ship with Solaris 11 will automatically use TCP Wrappers to filter access if a hosts.allow or hosts.deny file exists. To protect UDP and RPC-based services that are spawned from inetd, consider implementing a host-based firewall such as Solaris IP Filter. See ipfilter(5) for more information.

See Also


Item Details


References: 800-53|SC-7(5)

Plugin: Unix

Control ID: aa509fbf71d915d32f239fff2059d8c099a68262391c7d0cae82415813717091