Socket Wrappers Address Notation

Socket_wrappers should be pretty easy to set up. Just do a
and then a
Alternately, you could do
and then install the rpm.

Socket_wrappers uses the same configuration files as tcp_wrappers, /etc/hosts.allow and /etc/hosts.deny. The basic configuration is either the server's executable name or the service name followed by a colon, then a list of addresses or networks separated by spaces. (You can make very fancy tcp_wrappers configurations, but I don't want to cover that topic here.)

To show the variety of ways that addresses may be expressed, we will go over some examples using the chargen service. If you are using xinetd, you may have problems testing internal services unless you are running 2.3.10 or the latest out of xinetd CVS.

You may use address names -
Fully Qualified Domain Names -
Partial Domains will match all subdomains
IPv4 Addresses -
IPv6 Addresses:
IPv4 networks -
IPv4 Subnets:
IPv6 Subnets:
And of course with socket_wrapper 7.6e or later, you can combine them on one line -
Special Note: IPv6 is designed to be backwards compatible with IPv4. If you have a machine configured only for IPv6, IPv4 connections are still allowed. The kernel will map the addresses into the IPv6 address space by adding ::ffff: in front of the IPv4 part. So 192.168.1.2 would be [::ffff:192.168.1.2] in IPv6 notation. The current implementation of socket wrappers does not mix IPv6 and IPv4. If you want an IPv4 address allowed or denied on a pure IPv6 machine, you have to specify its IPv6 mapped address. For example, on a pure IPv6 machine wanting to allow the 192.168.1 network, you would use the following notation:
It's not clear that mixing IPv4 and IPv6 automatically is a Good Thing. Until a consensus has been developed, I'm not going to mix them. Please give the IPv6 and IPv4 protocol independent versions a whirl and please let me know of any problems.

This page was last updated: 10 March, 2003
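The mapping described in the special note can be checked mechanically. The following Python sketch is an added example, not socket_wrappers code and not hosts.allow syntax: it models a matcher that never compares across address families and lists IPv4 rules that would be silently skipped for mapped peers. The function names and the sample rule list are assumptions made for illustration.

```python
import ipaddress

# ::ffff:0:0/96 is the IPv4-mapped block the special note describes.
MAPPED_BASE = int(ipaddress.IPv6Address("::ffff:0:0"))

def to_mapped_network(v4_net):
    """IPv4-mapped IPv6 network covering the same hosts as v4_net."""
    net = ipaddress.IPv4Network(v4_net)
    return ipaddress.IPv6Network(
        (MAPPED_BASE | int(net.network_address), 96 + net.prefixlen))

def matches_without_mixing(peer, rule_net):
    """Model of a matcher that never compares across address families."""
    addr = ipaddress.ip_address(peer)
    net = ipaddress.ip_network(rule_net)
    return addr.version == net.version and addr in net

def unmapped_ipv4_rules(rule_nets):
    """IPv4 networks in rule_nets that lack a mapped IPv6 counterpart."""
    nets = [ipaddress.ip_network(n) for n in rule_nets]
    v6 = {n for n in nets if n.version == 6}
    return [str(n) for n in nets
            if n.version == 4 and to_mapped_network(str(n)) not in v6]

if __name__ == "__main__":
    # Constructed sample: peer address as seen on an IPv6-only listener.
    peer = "::ffff:192.168.1.2"
    rules = ["192.168.1.0/24", "10.0.0.0/8", "::ffff:192.168.1.0/120"]
    for rule in rules:
        print(f"{peer} vs {rule}: {matches_without_mixing(peer, rule)}")
    print("IPv4 rules with no mapped form:", unmapped_ipv4_rules(rules))
```

An IPv4 /24 becomes a /120 once mapped, because the 96-bit ::ffff: prefix is added to the prefix length.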