SUMMARY: block one IP with tcp wrappers

From: Christopher Barnard <>
Date: Tue Sep 14 2010 - 22:08:56 EDT
I asked

> I use the "mostly closed" philosophy of tcp wrappers on my Sun Solaris
> servers.  My etc/hosts.deny file is ALL:ALL and then I allow specific IP
> ranges and specific protocols with my /etc/hosts.allow file.  I have an
> interesting conundrum.  I  want to block one specific IP from connecting
> ssh, in this case), but I still want to allow the rest of the subnet.  I do
> not have access to the problem child in question, so I can only make
> on the destination host.
> Right now in my /etc/hosts.allow file is the rule
> sshd: 144.74.: severity
> I want to prohibit from connecting, but still allow the rest
> 144.74 to connect.  Can anyone think of a way to do this short of adding an
> "allow" entry for every IP in the hosts.allow file except for that one?

The answer:

EXCEPT is your friend.

In my /etc/hosts.allow I changed the rule to
sshd: 144.74. EXCEPT severity
and it works like a charm.

Several people have misconceptions about the tcpd access files. For every
connection, the hosts.allow file is processed first and hosts.deny second.  As
soon as a match is made, it is followed and no more parsing of the files is
done.  So having sshd: 144.74. in the hosts.allow means that anything meeting
that definition would be allowed, regardless of the hosts.deny file contents.
The "EXCEPT" does exactly what it sounds like -- it ignores the rule to see if
there are subsequent matches... like the deny ALL:ALL in the hosts.deny file.

Several people also mentioned using ipfilter / iptables instead, since that is
installed with Solaris 10.  It is, and I use it (on my linux boxes too).  But
this particular problem was Solaris 9 and Solaris 8 where tcp wrappers had
already been built and deployed.  Since most of these servers are EOL, I
figured it is not worthwhile to port iptables to a server that will go away in
six months or so ...

Thanks to
	Andrew Brennan <>
	Ric Anderson <ric@Opus1.COM>
	Stier, Matthew <>
	Francisco Puente <>
	Chris Hoogendyk <>
	Juraj Lutter <>
	Emmanuel Mejias <>
	Belford, Joseph A II CTR USAF ACC 82 CSS/SCOG
	Chris C <>
	Hackett, Peter <>
	Batey, Everett II NAVSEA <>
	D. Ratliff <>
	Karl Vogel <>

Christopher L. Barnard
comment your code as if the maintainer is a homicidal maniac who knows where
you live.
sunmanagers mailing list
Received on Tue Sep 14 22:10:09 2010

This archive was generated by hypermail 2.1.8 : Thu Mar 03 2016 - 06:44:17 EST
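The allow-then-deny, first-match-wins evaluation and the EXCEPT operator described in the post, as an added example written for this page (it is not tcp wrappers' own code): a small Python model of the hosts_access(5) decision. The two access files are constructed inline and modelled on the rules quoted above; the excepted address 144.74.10.20 and the option "severity auth.info" are placeholders, since the real address was stripped from the archive. Only the pattern subset the post uses (ALL, an exact address, a trailing-dot network prefix, EXCEPT) is implemented; real tcpd also matches hostnames, netmasks and IPv6.

```python
# Added example: a model of tcp wrappers' hosts_access(5) decision logic.
# Not tcpd's own code. Shows why "sshd: 144.74." in hosts.allow short-circuits
# the ALL: ALL in hosts.deny, and how EXCEPT lets one address fall through.

# Constructed access files, modelled on the rules in the post. The excepted
# address 144.74.10.20 and the option "severity auth.info" are placeholders.
HOSTS_ALLOW_BEFORE = "sshd: 144.74. : severity auth.info\n"
HOSTS_ALLOW_AFTER = "sshd: 144.74. EXCEPT 144.74.10.20 : severity auth.info\n"
HOSTS_DENY = "ALL: ALL\n"


def parse_access_file(text):
    """Return a list of (daemon_list, client_list) per rule; comments, blank
    lines and trailing option fields (severity, spawn, ...) are ignored.
    IPv4 only: an IPv6 address would be split on its colons."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = [f.strip() for f in line.split(":")]
        if len(fields) < 2:
            raise ValueError("malformed access rule: %r" % raw)
        rules.append((fields[0], fields[1]))
    return rules


def _match_list(pattern, value, match_token):
    """Evaluate a hosts_access list. EXCEPT has the lowest precedence and
    nests to the right: 'a EXCEPT b EXCEPT c' is 'a EXCEPT (b EXCEPT c)'."""
    if " EXCEPT " in pattern:
        left, right = pattern.split(" EXCEPT ", 1)
        return _match_list(left, value, match_token) and not _match_list(right, value, match_token)
    tokens = pattern.replace(",", " ").split()
    return any(match_token(tok, value) for tok in tokens)


def match_client(pattern, addr):
    def token(tok, a):
        if tok == "ALL":
            return True
        if tok.endswith("."):          # "144.74." is a textual prefix match on the address
            return a.startswith(tok)
        return tok == a                # exact address
    return _match_list(pattern, addr, token)


def match_daemon(pattern, daemon):
    return _match_list(pattern, daemon, lambda tok, d: tok == "ALL" or tok == d)


def hosts_access(daemon, addr, allow_text, deny_text=HOSTS_DENY):
    """Return (decision, where) for a connection to `daemon` from `addr`.
    hosts.allow is consulted first, then hosts.deny; the first matching rule
    decides and nothing after it is read. No match at all means access is
    granted, which is why a 'mostly closed' setup needs ALL: ALL in hosts.deny."""
    for where, text in (("hosts.allow", allow_text), ("hosts.deny", deny_text)):
        for daemons, clients in parse_access_file(text):
            if match_daemon(daemons, daemon) and match_client(clients, addr):
                return ("granted" if where == "hosts.allow" else "denied", where)
    return ("granted", "no match")


if __name__ == "__main__":
    for allow in (HOSTS_ALLOW_BEFORE, HOSTS_ALLOW_AFTER):
        print("hosts.allow:", allow.strip())
        for addr in ("144.74.10.20", "144.74.3.4", "10.1.2.3"):
            print("  sshd from %-13s -> %s (%s)" % ((addr,) + hosts_access("sshd", addr, allow)))
```

With the "before" rule the excepted address is granted by hosts.allow and hosts.deny is never read; with the "after" rule it matches nothing in hosts.allow and falls through to ALL: ALL. On a real host the same check is `tcpdmatch sshd 144.74.10.20`, which prints the file and rule that decided. One caveat the model makes visible: the match is textual, so the EXCEPT entry has to be written in the form tcpd will compare against (an address pattern against the client address, a hostname against the reverse-resolved name); an excepted hostname does nothing if reverse DNS for the client fails.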