Huntsville Macintosh Users Group
Configuring TCP Wrappers Configuring TCP Wrappers
BSD | Darwin | How Tos | Linux | man Pages | Site Index
by Marius Schamschula

Since Mac OS X is derived from BSD Unix, a lot of care has been taken to make OS X a secure platform. To that end Apple has disabled most network services in the default installation. However, the moment you enable services such as FTP, or Telnet (not recommended, use Secure Shell instead), you open your computer to the outside world.

Access Control

Mac OS X uses the tcp daemon (tcpd), a.k.a. tcp wrappers developed by Wietse Venema, to control what ports and what services are available to outside users. What Apple has left out are the configuration files for tcpd. The man page for the configuration files is hosts_access. There are two files: /etc/hosts.deny, and /etc/hosts.allow.

hosts.deny

When running a internet server, paranoia can be a good thing. The best approach is to deny every incomming connection, and then to permit certain services and hosts. Here is an example of a default /etc/hosts.deny file:

#
# hosts.deny    This file describes the names of the hosts which are
#               denied the use of local INET services, as decided
#               by the '/usr/sbin/tcpd' server.
#
ALL: ALL:deny

You probably want to leave this one untouched.

hosts.allow

Now that we have denied everyone access, we have a secure, but worthless, server. We have to let the good guys in.

#
# hosts.allow   This file describes the names of the hosts which are
#               allowed to use the local INET services, as decided
#               by the '/usr/sbin/tcpd' server.
#
ALL:10.0.0.20
ALL except shell:192.168.1.
ALL except shell:foo.hmug.org
ipop3d:mac.com

Here we have four examples:

  1. Unrestricted, by IP address. The host 10.0.0.20, a presumably trusted host
  2. Restricted, by range of IP addresses. The subnet 192.168.1. can do everything but open a shell connection.
  3. Restricted, by domain. The domain hmug.org. can do everything but open a shell connection.
  4. By specific protocol. The domain mac.com can retrieve e-mail.

For more information fire up the Terminal and bring up man tcpd and man hosts_access.

Installation

You need superuser access to your Mac OS X machine. Mac OS X by default does not provide superuser, or root, access. You can do this in two ways:

  1. sudo shell, where shell is tcsh, bash, etc.
  2. Set root password. See Setting Root Password

Option 1 is safer.

Customize

You need to tailor these two files to your needs. The example file is harmless, since the hosts either are on test networks (10.x.x.x, and 192.168.1.x), don't reverse name lookup (foo.hmug.org), are not going to retrieve e-mail (mac.com) from your host. However, please edit, or comment out, these are example entries anyway.

Comments

In most cases Unix style configuration files use the # mark to denote a comment. Anything to the right of the # mark is ignored.

Version 2.2.0 - 20070309
User Group Logo