Red Hat ENTERPRISE LINUX 5 - DEPLOYMENT Deployment Manual page 683

ALL : *.example.com
• The slash (/) — If a client list begins with a slash, it is treated as a file name. This is useful if rules
specifying large numbers of hosts are necessary. The following example refers TCP Wrappers to
the /etc/telnet.hosts file for all Telnet connections:
in.telnetd : /etc/telnet.hosts
Other, less commonly used patterns are also accepted by TCP Wrappers. Refer to the hosts_access(5) man
page for more information.
Warning
Be very careful when using hostnames and domain names. Attackers can use a variety
of tricks to circumvent accurate name resolution. In addition, disruption to DNS service
prevents even authorized users from using network services. It is, therefore, best to use IP
addresses whenever possible.
43.5.2.1.3. Portmap and TCP Wrappers
Portmap's implementation of TCP Wrappers does not support host look-ups, which means
portmap cannot use hostnames to identify hosts. Consequently, access control rules for portmap in
hosts.allow or hosts.deny must use IP addresses, or the keyword ALL, for specifying hosts.
Changes to portmap access control rules may not take effect immediately. You may need to restart
the portmap service.
Widely used services, such as NIS and NFS, depend on portmap to operate, so be aware of these
limitations.
43.5.2.1.4. Operators
At present, access control rules accept one operator, EXCEPT. It can be used in both the daemon list
and the client list of a rule.
The EXCEPT operator allows specific exceptions to broader matches within the same rule.
In the following example from a hosts.allow file, all example.com hosts except
cracker.example.com are allowed to connect to all services:
ALL: .example.com EXCEPT cracker.example.com
In another example from a hosts.allow file, clients from the 192.168.0.x network can use all
services except for FTP:
ALL EXCEPT vsftpd: 192.168.0.
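
The portmap restriction and the EXCEPT operator interact: a rule whose daemon list is ALL, or ALL EXCEPT some other service, also applies to portmap. The following Python linter is an added example, not part of the Red Hat manual; it flags name-based client patterns in any rule that covers portmap. The function names, the IPv4-only address check and the sample rules (including gateway.example.com) are assumptions made for illustration.

```python
import re

# IPv4 forms TCP Wrappers can match without a name lookup: full address,
# trailing-dot prefix ("192.168.0."), or a network/netmask pair.
IP_FORM = re.compile(r"^\d{1,3}(\.\d{1,3}){0,3}\.?(/\d{1,3}(\.\d{1,3}){3})?$")

def tokens(field):
    """Split a daemon or client list on blanks and commas."""
    return [t for t in re.split(r"[\s,]+", field.strip()) if t]

def daemon_matches(daemon_list, daemon):
    """Evaluate a daemon list, including EXCEPT, for one daemon name.
    'a EXCEPT b EXCEPT c' groups as 'a EXCEPT (b EXCEPT c)'."""
    toks = tokens(daemon_list)
    if "EXCEPT" in toks:
        i = toks.index("EXCEPT")
        left, right = " ".join(toks[:i]), " ".join(toks[i + 1:])
        return daemon_matches(left, daemon) and not daemon_matches(right, daemon)
    return any(t in ("ALL", daemon) for t in toks)

def lint_portmap(rules_text):
    """Return (line_no, token) for every name-based client pattern in a
    rule that applies to portmap."""
    findings = []
    for no, line in enumerate(rules_text.splitlines(), 1):
        line = line.split("#", 1)[0].strip()
        if ":" not in line:
            continue
        daemons, clients = line.split(":", 2)[:2]
        if not daemon_matches(daemons, "portmap"):
            continue
        for tok in tokens(clients):
            if tok in ("ALL", "EXCEPT") or tok.startswith("/") or IP_FORM.match(tok):
                continue  # ALL, IP form, or a /file reference (not inspected)
            findings.append((no, tok))
    return findings

SAMPLE = """\
# constructed sample, built from the rule forms shown above
ALL: .example.com EXCEPT cracker.example.com
ALL EXCEPT vsftpd: 192.168.0.
in.telnetd : /etc/telnet.hosts
portmap: 192.168.0.0/255.255.255.0, gateway.example.com
ALL EXCEPT portmap: .example.com
"""

if __name__ == "__main__":
    for no, tok in lint_portmap(SAMPLE):
        print(f"line {no}: portmap cannot resolve '{tok}'; use an IP address or ALL")
```

On the sample, both patterns in the `ALL: .example.com EXCEPT cracker.example.com` rule are reported, because a daemon list of ALL covers portmap as well.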