
tcp wrapper vs xinetd

 
 
tibo
      02-09-2004, 09:30 AM
Hello all.

I've got the feeling that people prefer to use tcpwrappers instead of xinetd
for controlling the access to the services. But I think xinetd is better for
that for many reasons.

I was wondering if the reasons for people to prefer tcpwrapper was because
they are used to it since the previous versions of Linux with
inetd/tcpwrapper ?

Can you explain why it could be better to use tcpwrappers ?

Thanks for your answers.


 
Michael Heiming
      02-09-2004, 01:51 PM

tibo <(E-Mail Removed)> wrote:
> Hello all.


> I've got the feeling that people prefer to use tcpwrappers instead of xinetd
> for controlling the access to the services. But I think xinetd is better for
> that for many reasons.


> I was wondering if the reasons for people to prefer tcpwrapper was because
> they are used to it since the previous versions of Linux with
> inetd/tcpwrapper ?


> Can you explain why it could be better to use tcpwrappers ?


Mh, you might like to read up a little bit more about
xinetd/tcp_wrapper, since every service running from xinetd (if
this is compiled with tcpwrapper) will use tcp_wrapper.

--
Michael Heiming (GPG-Key ID: 0xEDD27B94)

Remove +SIGNS and www. if you expect an answer, sorry for
inconvenience, but I get tons of spam.
 
 
tibo
      02-10-2004, 08:28 AM

"Michael Heiming" <michael+(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> Mh, you might like to read up a little bit more about
> xinetd/tcp_wrapper, since every service running from xinetd (if
> this is compiled with tcpwrapper) will use tcp_wrapper.
>
> --
> Michael Heiming (GPG-Key ID: 0xEDD27B94)
>


Hello again ! :-)

Do you mean that tcpwrappers and xinetd are complementary ?

Strange for me cause I've seen that xinetd does the same as tcpwrapper,
control on the source address.

Another thing, tcpwrapper is not implemented with xinetd on my version of
linux (mdk 9.2), when I try to put a line in hosts.allow or hosts.deny,
nothing happens...


 
 
Michael Heiming
      02-10-2004, 02:16 PM

tibo <(E-Mail Removed)> wrote:

> "Michael Heiming" <michael+(E-Mail Removed)> wrote in message
> news:(E-Mail Removed)...
> >
> > Mh, you might like to read up a little bit more about
> > xinetd/tcp_wrapper, since every service running from xinetd (if
> > this is compiled with tcpwrapper) will use tcp_wrapper.


[..]

> Strange for me cause I've seen that xinetd does the same as tcpwrapper,
> control on the source address.


> Another thing, tcpwrapper is not implemented with xinetd on my version of
> linux (mdk 9.2), when I try to put a line in hosts.allow or hosts.deny,
> nothing happens...


Yep, as written xinetd needs to be compiled with libwrap support
to get this working, run 'strings' on the binary and see what
info you get.

From "./configure --help" (xinetd sources).

--with-libwrap=PATH Compile in libwrap (tcp_wrappers) support.

Good luck

--
Michael Heiming (GPG-Key ID: 0xEDD27B94)

Remove +SIGNS and www. if you expect an answer, sorry for
inconvenience, but I get tons of spam.
 
 
P Gentry
      02-10-2004, 05:47 PM
"tibo" <(E-Mail Removed)> wrote in message news:<(E-Mail Removed) ws.com>...
> "Michael Heiming" <michael+(E-Mail Removed)> wrote in message
> news:(E-Mail Removed)...
> >
> > Mh, you might like to read up a little bit more about
> > xinetd/tcp_wrapper, since every service running from xinetd (if
> > this is compiled with tcpwrapper) will use tcp_wrapper.


Actually, the only thing they both use normally is the libwrap
library. Not aware of a xinetd which is _not_ linked to use libwrap
-- guess it's possible, though what's the point?

> > --
> > Michael Heiming (GPG-Key ID: 0xEDD27B94)
> >

>
> Hello again ! :-)
>
> Do you mean that tcpwrappers and xinetd are complementary ?


Xinetd is meant to replace/combine the functionality of inetd and
tcpd. Look at the man for both xinetd and tcpd.

> Strange for me cause I've seen that xinetd does the same as tcpwrapper,
> control on the source address.


It's designed to use an ACL syntax similar to tcpwrapper. Uses
"stanzas" rather than record entry format however.

> Another thing, tcpwrapper is not implemented with xinetd on my version of
> linux (mdk 9.2), when I try to put a line in hosts.allow or hosts.deny,
> nothing happens...


Xinetd does not use hosts.allow or hosts.deny. They are separate
programs -- no need to try and run both (most of the time). Tcpd is
usually meant to be used with inetd, not xinetd. Xinetd uses its own
config file (/etc/xinetd.conf). Man xinetd and xinetd.conf for
details. Look at your copy of xinetd.conf (I assume Mandrake provides
a copy) to see the format. Some folks find it a bit opaque. Try "man
5 hosts_access" for tcpd for comparison.

hth,
prg
email above disabled
 
 
Cameron Kerr
      02-11-2004, 04:00 AM
tibo <(E-Mail Removed)> wrote:
> Hello all.
>
> I've got the feeling that people prefer to use tcpwrappers instead of xinetd
> for controlling the access to the services. But I think xinetd is better for
> that for many reasons.
>
> I was wondering if the reasons for people to prefer tcpwrapper was because
> they are used to it since the previous versions of Linux with
> inetd/tcpwrapper ?


IMHO, using tcpwrappers is a better solution than xinetd's ACL control,
mainly because files in the /etc/xinetd.d/ directory may be overwritten
by package management, while /etc/hosts.{allow,deny} would never be
tampered with in this way. It's not a large reason though.

Also, other programs use tcpwrappers for access control, such as samba.
Let's take that example a step further. smbd can run from (x)inetd or
standalone, so using tcpwrappers is better from a consistency point of
view.

--
Cameron Kerr
(E-Mail Removed) : http://nzgeeks.org/cameron/
Empowered by Perl!
 
 
blinky
      02-11-2004, 10:25 AM
tibo wrote:
> "Michael Heiming" <michael+(E-Mail Removed)> wrote in message
> news:(E-Mail Removed)...
>
>>Mh, you might like to read up a little bit more about
>>xinetd/tcp_wrapper, since every service running from xinetd (if
>>this is compiled with tcpwrapper) will use tcp_wrapper.
>>
>>--
>>Michael Heiming (GPG-Key ID: 0xEDD27B94)
>
> Hello again ! :-)
>
> Do you mean that tcpwrappers and xinetd are complementary ?
>
> Strange for me cause I've seen that xinetd does the same as tcpwrapper,
> control on the source address.
>
> Another thing, tcpwrapper is not implemented with xinetd on my version of
> linux (mdk 9.2), when I try to put a line in hosts.allow or hosts.deny,
> nothing happens...


In Redhat 9.0 putting "ALL: ALL" in hosts.deny stops me remotely logging in, and that's using xinetd.

bal.
 
 
Bit Twister
      02-11-2004, 05:13 PM
On Tue, 10 Feb 2004 09:28:23 GMT, tibo wrote:
>
> Do you mean that tcpwrappers and xinetd are complementary ?
>
> Strange for me cause I've seen that xinetd does the same as tcpwrapper,
> control on the source address.
>
> Another thing, tcpwrapper is not implemented with xinetd on my version of
> linux (mdk 9.2), when I try to put a line in hosts.allow or hosts.deny,
> nothing happens...


Strange for me cause my md9.2 would not let sshd-xinetd run until I
added an entry into /etc/hosts.allow.
Could be because I have ALL: ALL in /etc/hosts.deny.

 
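Added example (not written by any poster in this thread): a simplified Python model of the hosts_access(5) decision order that libwrap applies, which is why "ALL: ALL" in hosts.deny blocks a wrapped service until hosts.allow has a matching entry. The file contents, the daemon name sshd and the addresses are constructed; only ALL, exact IPv4 addresses, trailing-dot prefixes and net/mask patterns are modelled (no hostnames, EXCEPT or options).

```python
import ipaddress

def parse_rules(text):
    """Parse 'daemon_list : client_list [: option]' lines (hosts_access(5))."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = [f.strip() for f in line.split(":")]
        if len(fields) >= 2:
            # Lists may be separated by blanks and/or commas.
            rules.append((fields[0].replace(",", " ").split(),
                          fields[1].replace(",", " ").split()))
    return rules

def client_matches(pattern, ip):
    if pattern == "ALL":
        return True
    if pattern.endswith("."):      # address prefix such as "192.168.1."
        return ip.startswith(pattern)
    if "/" in pattern:             # net/mask such as 10.0.0.0/255.255.255.0
        return ipaddress.ip_address(ip) in ipaddress.ip_network(pattern, strict=False)
    return pattern == ip           # exact address

def matches(rules, daemon, ip):
    return any(("ALL" in daemons or daemon in daemons)
               and any(client_matches(p, ip) for p in clients)
               for daemons, clients in rules)

def decide(allow_text, deny_text, daemon, ip):
    """First match wins: hosts.allow, then hosts.deny, else access is granted."""
    if matches(parse_rules(allow_text), daemon, ip):
        return "allow (hosts.allow)"
    if matches(parse_rules(deny_text), daemon, ip):
        return "deny (hosts.deny)"
    return "allow (no rule matched)"

# Constructed sample files: default-deny plus one allow entry for sshd.
HOSTS_DENY = "ALL: ALL\n"
HOSTS_ALLOW = "# constructed example\nsshd: 192.168.1. 10.0.0.0/255.255.255.0\n"

if __name__ == "__main__":
    for daemon, ip in [("sshd", "192.168.1.20"), ("sshd", "192.168.10.20"),
                       ("in.telnetd", "192.168.1.20")]:
        print(daemon, ip, decide(HOSTS_ALLOW, HOSTS_DENY, daemon, ip))
    print("empty files:", decide("", "", "sshd", "203.0.113.9"))
```

With both files empty the model grants access, so an empty or unmatched hosts.deny changes nothing for a service even when libwrap support is compiled in.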
 
Rex Dieter
      02-11-2004, 06:32 PM
Bit Twister wrote:

> Strange for me cause my md9.2 would not let sshd-xinetd run until I
> added an entry into /etc/hosts.allow.
> Could be because I have ALL: ALL in /etc/hosts.deny.


Well, yeah. What else could "deny ALL: ALL" mean? (-:

-- Rex
 
 
Bit Twister
      02-11-2004, 07:35 PM
On Wed, 11 Feb 2004 13:32:48 -0600, Rex Dieter wrote:

> Well, yeah. What else could "deny ALL: ALL" mean? (-:


Keep up with the thread. tibo seemed to indicate that md 9.2
hosts.(allow/deny) had no effect and I wanted to indicate it does. 8-)
 
 
 
 