Chapter 16. TCP Wrappers and xinetd
16.2.1.4. Operators
At present, access control rules accept one operator, EXCEPT. It can be used in both the daemon list and the client list of a rule.
The EXCEPT operator allows specific exceptions to broader matches within the same rule.
In the following example from a hosts.allow file, all example.com hosts are allowed to connect to all services except cracker.example.com:
ALL: .example.com EXCEPT cracker.example.com
In another example from a hosts.allow file, clients from the 192.168.0.x network can use all services except for FTP:
ALL EXCEPT vsftpd: 192.168.0.
Note
Organizationally, it is often easier to avoid using EXCEPT operators. This allows other administrators to quickly scan the appropriate files to see what hosts are allowed or denied access to services, without having to sort through EXCEPT operators.
16.2.2. Option Fields
In addition to basic rules allowing and denying access, the Red Hat Enterprise Linux implementation of TCP wrappers supports extensions to the access control language through option fields. By using option fields within hosts access rules, administrators can accomplish a variety of tasks such as altering log behavior, consolidating access control, and launching shell commands.
16.2.2.1. Logging
Option fields let administrators easily change the log facility and priority level for a rule by using the severity directive.
In the following example, connections to the SSH daemon from any host in the example.com domain are logged to the default authpriv syslog facility (because no facility value is specified) with a priority of emerg:
sshd : .example.com : severity emerg
It is also possible to specify a facility using the severity option. The following example logs any SSH connection attempts by hosts from the example.com domain to the local0 facility with a priority of alert:
sshd : .example.com : severity local0.alert
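
The two EXCEPT rules and the two severity rules above, run through a small evaluator. This is an added example, not code from the Red Hat manual or from TCP wrappers itself; the function names and the sample client hosts and addresses are constructed. It handles only the pattern forms shown on this page (ALL, a leading-dot domain, a trailing-dot network prefix, an exact name) and assumes rules contain no IPv6 literals or escaped colons.

```python
import re

def split_list(text):
    # Daemon and client lists are separated by whitespace and/or commas.
    return [t for t in re.split(r"[\s,]+", text.strip()) if t]

def match_one(pattern, names):
    p = pattern.lower()
    if p == "all":
        return True
    if p.startswith("."):   # domain suffix, e.g. .example.com
        return any(n.endswith(p) for n in names)
    if p.endswith("."):     # address prefix, e.g. 192.168.0.
        return any(n.startswith(p) for n in names)
    return p in names       # exact host name or address

def list_match(tokens, names):
    # "A EXCEPT B" matches what A matches unless B matches; nests to the right.
    for i, tok in enumerate(tokens):
        if tok.upper() == "EXCEPT":
            head_ok = any(match_one(t, names) for t in tokens[:i])
            return head_ok and not list_match(tokens[i + 1:], names)
    return any(match_one(t, names) for t in tokens)

def parse_rule(line):
    # Assumption: no IPv6 literals or escaped colons, so ":" only separates fields.
    fields = [f.strip() for f in line.split(":")]
    rule = {"daemons": split_list(fields[0]), "clients": split_list(fields[1]),
            "severity": None}
    for opt in fields[2:]:
        words = opt.split()
        if len(words) == 2 and words[0] == "severity":
            facility, _, level = words[1].rpartition(".")
            # No facility given means the default authpriv facility.
            rule["severity"] = (facility or "authpriv", level)
    rule["uses_except"] = any(t.upper() == "EXCEPT"
                              for t in rule["daemons"] + rule["clients"])
    return rule

def rule_matches(line, daemon, host, addr):
    # False only means this rule does not apply; later rules may still match.
    rule = parse_rule(line)
    return (list_match(rule["daemons"], [daemon.lower()])
            and list_match(rule["clients"], [host.lower(), addr]))

if __name__ == "__main__":
    # Rule text is from the page; client names and addresses are constructed.
    r = "ALL: .example.com EXCEPT cracker.example.com"
    for host in ("www.example.com", "cracker.example.com"):
        print(host, rule_matches(r, "sshd", host, "192.0.2.10"))
```

The uses_except flag gives a quick way to list the rules that the Note above suggests are harder for other administrators to review.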