TCP Wrappers

TCP Wrappers is a freely available IP packet filtering facility written by Wieste Venema. It provides for greater and more specific control over local network services and which hosts are allowed to access them. It also makes use of the standard syslog facility to track local network use. Although it was written many years ago and has not changed much over time, TCP Wrappers remains useful because it can be configured quickly and easily, and it adds an additional layer of protection even when used in conjunction with more robust packet filters (like iptables).

How Services Use TCP Wrappers

There are two main ways TCP Wrappers can be used by a service, depending on how that service is started. Some services are controlled by the inetd program, which starts a service when a connection comes in and stops it when that connection is terminated. TCP Wrappers comes with a program called tcpd that can be inserted into the inetd configuration (in a file called /etc/inetd.conf), allowing any inetd service to be wrapped. Some versions of inetd, including xinetd and the inetds that come with newer versions of Solaris and the BSDs, have built-in support for TCP Wrappers and do not need tcpd.

One example of an inetd service is telnetd. It is started by inetd, and its startup parameters can be configured in /etc/inetd.conf.

Other services are started when the system boots and continue running indefinitely, handling their own connections. These services do not use inetd and are often called stand-alone services. They can only be wrapped if they have support for TCP Wrappers built in and are linked against the libwrap library.

The sshd service is an example of a stand-alone service. Most brands of sshd have built-in TCP Wrappers support.

Where to Get TCP Wrappers

Note: Solaris 9 and beyond, most Linux and BSD distributions, and Mac OS X have TCP Wrappers configured to run out-of-the-box, so this section can be skipped on those platforms.

The Unix Systems Support Group provides source packages for TCP Wrappers. This local distribution site is especially useful when using a private IP address on a university campus. You can also get TCP Wrappers from Wietse's FTP site. Follow the instructions in the source package to build and install TCP Wrappers.

Once installed, TCP Wrappers will do all its logging via syslog according to your /etc/syslog.conf file. The following table lists the standard locations where messages from TCP Wrappers will appear:

Operating System Path
AIX /var/adm/messages
*BSD /var/log/messages
HP/UX /usr/spool/mqueue/syslog
Irix /var/adm/SYSLOG
Linux /var/log/messages
Mac OS X /var/log/system.log
Solaris /var/log/syslog

Wrapping Stand-alone Services

Stand-alone services with TCP Wrappers support don't need to be started any differently; they're always wrapped. Simply follow the instructions under Installing the Access Control Files to control access to these services.

A stand-alone service that does not support TCP Wrappers cannot be wrapped at all. See the documentation for the service to find out if TCP Wrappers support can be enabled at compile time.

Wrapping inetd Services

How inetd services are wrapped varies greatly depending on the version of inetd. We cover several below.

Traditional inetd

If your system does not have TCP Wrappers built in or if you are using standard inetd on most Linux distributions, your configuration will have to use the tcpd program that is part of TCP Wrappers to wrap inetd services.

In order to wrap an inetd service, you simply change its entry in /etc/inetd.conf so that tcpd is executed. For example, to wrap telnetd, change

telnet  stream  tcp  nowait  root  /usr/sbin/in.telnetd  in.telnetd


telnet  stream  tcp  nowait  root  /usr/sbin/tcpd in.telnetd