What are TCP Wrappers

TCP wrappers provide a means to control which IP addresses are allowed or not allowed to connect to services that you have enabled on your host such as Remote Login (ssh), Apple Remote Desktop (vnc), and Personal Web Sharing (www).

As with other Operating Systsems, MAC OS X uses the tcp daemon (tcpd) to implement this functionality¬† (see “man tcpd”).

How to Configure TCP Wrappers

In order to make use of tcp wrappers, you need to create two files in /etc called hosts.deny and hosts.allow (see samples below). Both files must be present in order for this to work. If you do not create these files, the entire Internet has access to the services you have enabled greatly lowering the security of your host.

In Terminal, after you become super user (likely by sudo -s), you may use your favorite text editor such as pico or vi to create the two files.

Sample /etc/hosts.deny

# hosts.deny This file describes the names of the hosts which are
# denied the use of local INET services, as decided
# by the ‘/usr/sbin/tcpd’ server.
ALL: ALL:deny

Sample /etc/hosts.allow

# hosts.allow This file describes the names of the hosts which are
# allowed to use the local INET services, as decided
# by the ‘/usr/sbin/tcpd’ server.

Explanation of Sample Files

The “ALL: ALL:deny” statement in the /etc/hosts.deny files prevents all external hosts from accessing the host you created the files on.

Then we allow only those hosts we trust or need, to accomplish the task at hand. In the example above, only hosts on the 128.197.79 subnet are allowed to access the host. NOTE: There is a . after the 79; you need that in order for this to work. You can allow connections from all of the Boston University subnets by removing the entire .79 line and adding the following:

ALL: 128.197.
ALL: 168.122.
ALL: 155.144.

Keep in mind that this is a very broad range covering most of the Boston University campuses.  To refine this further, see our documentation on the Campus IP Address Space.

You can also limit access to only a few other hosts by adding an entry for only those IPs in the /etc/hosts.allow file as seen in the example below.


For more information, please consult www.hmug.org/UnixHowTos/index.php?tcpwrappers