1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
|
.TH HOSTS_ACCESS 5
.SH NAME
hosts_access \- ۥȥȥեν
.SH DESCRIPTION
Υޥ˥奢ڡϡ饤 (ۥȥ͡/ɥ쥹桼
̾) С (ץ̾ۥȥ͡/ɥ쥹) ֤ñ
εˡ⤹ΤǤ롣Ū
ΤǡƤäȤФ䤤˾ऻäɼԤϡ""
ؤȿʤߤ
.PP
ȥˡγĥ줿ʬ˴ؤƤϡ
\fIhosts_options\fR(5) ʸDz⤹롣γĥϡץ
-DPROCESS_OPTIONS ꤷƺ줿ɤ˺롣
.PP
ʲʸϤǤϡ\fIdaemon\fR ȤϥͥåȥǡΥץ
̣̾\fIclient\fR Ȥϡӥ᤹ۥȤ̾
⤷ϥۥȤΥɥ쥹̣Ƥ롣ͥåȥǡΥ
̾ϡinetd եƤ롣
.SH ACCESS CONTROL FILES
ȥΥեȥϡĤΥեȤ롣
ǽ˰פǸϽλ롣
.IP \(bu
(daemon,client) ȹ礻 \fI/etc/hosts.allow\fR ե
ȥȰפ硢Ͼ롣
.IP \(bu
⤷ϡ(daemon,client) ȹ礻 \fI/etc/hosts.deny\fR ե
ΥȥȰפ硢ϵݤ롣
.IP \(bu
ʳξ硢Ͼ롣
.PP
ȥΥե뤬¸ߤʤϡΥե
뤬ǤäȤߤʤ롣äơȥϡ
ȥեʤˤäߤ
롣
.SH ACCESS CONTROL RULES
ɤΥȥե⡢0 ʾΥƥȤǹ
Ƥ롣ιԤϽи˽롣ϥޥåԤ
줿ǽλȤʤ롣
.IP \(bu
ʸϡХåå夬֤줿̵뤵롣
ˤäơڤԽ뤿ĹԤʬ䤹뤳ȤƤ롣
.IP \(bu
ԡޤ `#\' ǻϤޤԤ̵뤵롣äơȤ
ꡢۥ磻ȥڡɤߤ䤹
롣
.IP \(bu
ʳιԤϡ˼եޥåȤ˽ʤФʤʤ
[] ǰϤޤʬǤդǤ:
.sp
.ti +3
daemon_list : client_list [ : shell_command ]
.PP
\fIdaemon_list\fR ϡҤȤİʾΥǡץ̾ (argv[0] )
ޤϡ磻ɥ () ȤäꥹȤǤ롣
.PP
\fIclient_list\fR ϡҤȤİʾΡۥ̾ۥȥɥ쥹
ϡ磻ɥ () Ȥä饤ȤΥۥ̾
ɥ쥹˥ޥåѥΥꥹȤǤ롣
.PP
ʣ粽줿 \fIdaemon@host\fR \fIuser@host\fR Ȥϡ
줾 SERVER ENDPOINT PATTERNS CLIENT USERNAME LOOKUP
ΥDz⤹롣
.PP
ꥹȤγǤ϶ޤϥޤʬʤФʤ
.PP
NIS (ĤƤ YP) netgroup 䤤碌Ȥ㳰Ƥϡ
ƤΥȥΥåʸʸƱ뤷ƹ
ʤ롣
.ne 4
.SH PATTERNS
ȥνϰʲΤ褦ʥѥΤǤ
롣
.IP \(bu
`\.' ǻϤޤ졣⤷ۥ̾θʬνǻꤵ
ѥȰפȡϥޥåȤʤ롣㤨С`.tue.nl\'
Ȥѥϡ`wzv.win.tue.nl\'. Ȥۥ̾ȥޥå
롣
.IP \(bu
`\.' ǽ졣⤷ۥȥɥ쥹οͥեɤ
θȰפʤ顢ϥޥåƤ롣㤨С`131.155.\'
ȤѥϡEind\%hoven University network (131.155.x.x)
° (ۤ)ƤΥۥȤΥɥ쥹˥ޥåƤ롣
.IP \(bu
`@\' ǻϤޤϡNIS (ĤƤ YP) Υͥåȥ롼̾Ȥư
롣⤷ۥȤ줿ͥåȥ롼̾ΥС
ǤϰפΤȤʤ롣Υͥåȥ롼פΥޥåϡǡ
ץ̾䥯饤ȥ桼̾ΤˤϥݡȤƤ
ʤ
.IP \(bu
`n.n.n.n/m.m.m.m\' Ȥ`net/mask\' ΰФȤƲᤵ
롣ۥȥɥ쥹ϡ`net\' 鸫ӥåˤꡢ
`mask\' ǥޥ줿ϰˤ˰פ롣ȤС
net/mask `131.155.72.0/255.255.254.0\'Ȥʤѥϡ
`131.155.72.0\' `131.155.73.255\'ޤǤϰϤˤƤΥ
쥹˥ޥå롣
.SH WILDCARDS
ȥνϡʿפʥɥɷݡȤ
Ƥ:
.IP ALL
٤Ƥ˹פǽʥ磻ɥɡ
.IP LOCAL
ɥåʸʤƤΥۥȤ˥ޥå
.IP UNKNOWN
̾餫Ǥʤ桼˥ޥå̾ \fIޤ\fR
쥹ƤΥۥȤ˥ޥå
ηդäƻѤ٤Ǥ:ۥ̾ϡŪʥ͡
ॵСˤꡢȤʤ礬ꤦ롣ޤͥåȥ
ɥ쥹ϡեȥ鸫ơɤʥפΥͥåȥ
äƤΤǤʤѤǤʤʤ롣
.IP KNOWN
̾餫ʥ桼˥ޥå롣ˡ̾ \fI\fR ɥ
餫ʥۥȤ˥ޥå롣
ηդäƻѤ٤Ǥ:ۥ̾ϡŪʥ͡
ॵСˤꡢȤʤ礬ꤦ롣ޤͥåȥ
ɥ쥹ϡեȥ鸫ơɤʥפΥͥåȥ
äƤΤǤʤѤǤʤʤ롣
.IP PARANOID
̾ȥɥ쥹ΰפʤƤΥۥȤ˥ޥå롣⤷ tcpd
-DPARANOID (ϥǥեȤǤ) ǺƤʤ顢
ȥơ֥뤬ȤˡΤ褦ʥ饤
ȤȤƤޤΤ褦˥ȥ
뤷 -DPARANOID tcpd ۤ
.ne 6
.SH OPERATORS
.IP EXCEPT
Ūˤϡ˼褦ʷǻѤ: `list_1 EXCEPT
list_2\'; \fIlist_2\fR ˥ޥåΤ
\fIlist_1\fR ˥ޥåơ˹פ롣 EXCEPT 黻
Ҥϡdaemon_lists client_lists ǤѤǤ롣EXCEPT
Ҥϡͥ(Ҥ)ƻȤǤ: ⤷ȥ
ݳ̤ȤĤƤʤ顢`a EXCEPT b EXCEPT c\'ϡ
`(a EXCEPT (b EXCEPT c))\' ȲᤵǤ
.br
.ne 6
.SH SHELL COMMANDS
⤷ǽ˥ޥåȥΥ롼뤬륳ޥ
ɤޤǤʤ顢Υޥɤϡ%<letter> ֤(Υ
) Ȳꤵ롣η̡\fI/bin/sh\fR λ
ץɸϤȼäƼ¹Ԥ졢Ϥȥ顼
\fI/dev/null\fR 롣⤷ΥץλޤԤ
ʤˤϡޥɤ `&\' 뤳ȡ
.PP
륳ޥɤϡinetd PATH ȴϢƤϤʤ
ХѥѤ뤫ƬŪ PATH=whatever
٤Ǥ롣
.PP
\fIhosts_options\fR(5) ʸǤϡߴΤʤۤʤˡǥ
륳ޥɤΥեɤȤΡ⤦ҤȤĤν⤷Ƥ
롣
.SH % EXPANSIONS
륳ޥɤǤϲγĥɽѤǤ:
.IP "%a (%A)"
饤 (С) ۥȤΥɥ쥹
.IP %c
饤Ȥξ: user@host, user@address. ۥ̾ñ˥
쥹ϡѤǤ˰¸롣
.IP %d
ǡץ̾ (argv[0] )
.IP "%h (%H)"
饤 (С) ۥȤ̾⤷ۥ̾ѤǤʤ
ˤϡΥɥ쥹
.IP "%n (%N)"
饤 (С) ۥȤ̾ (⤷ϡ"unknown" 뤤
"paranoid")
.IP %p
ǡץ id
.IP %s
Сξ: daemon@host, daemon@address, 뤤ñ˥ǡ
̾ѤǤ˰¸롣
.IP %u
饤ȤΥ桼̾ (⤷ϡ"unknown")
.IP %%
ʸ `%\' Ÿ롣
.PP
% ŸԤʤ뤳Ȥˤäơ𤵤ǽΤ
ʸϡؤ֤롣
.SH SERVER ENDPOINT PATTERNS
³Ƥͥåȥɥ쥹ˤäơ饤Ȥ̩
̤뤿ˤϡʲηǥѥҤ:
.sp
.ti +3
process_name@host_pattern : client_list ...
.sp
Τ褦ʥѥϡޥʣΰۤʤ륤ͥåȤΥۥ
̾ȥͥåȤΥɥ쥹äƤ˻Ѥ롣ӥ
ץХϡۤʤȿ°褦ʥͥåȾ̾
FTP, GOPHER 뤤 WWW 뤿ˡεǽѤǤ
롣hosts_options(5) ʸ `twist' Υץ⻲Ȥ
륷ƥ (Solaris, FreeBSD) ǤϡҤȤĤʪŪʥե
ʣΥͥåȥɥ쥹ĻǤ(ʳΥ
ƥǤϡѤΥͥåȥɥ쥹֤ˤSLIP PPP ʤ
εեνڤʤФʤʤ )
.sp
host_pattern ϡclient_lists βʸˤäۥ̾ȥɥ
Τ褦ʡĤʸˡ˽Ȥˤʤ롣Ūˤϡserver
endpoint information (С¦üǤξ)ϡ
connection-oriented serveices (ͥظι⤤ӥ)
ΤѤǤ롣
.SH CLIENT USERNAME LOOKUP
饤ȥۥȤ RFC 931 ץȥ(TAP,
IDENT, RFC 1413) Τɤ줫ݡȤƤ硢åѡץ
³λ˴ؤ롢ɲäξФǽǤ롣
饤ȥ桼̾ξѲǽǤʤ顢ϥ饤
ȤΥۥ̾ȤȤ˵Ͽ졢Τ褦ʥѥ˥ޥå
˻ȤǤ:
.PP
.ti +3
daemon_list : ... user_pattern@host_pattern ...
.PP
ǡåѡϡ롼˽ǥ桼̾õ褦˿
(ǥե)뤤Ͼ˥饤ȥۥȤ䤤碌
ΤѥǽȤʤäƤ롣롼˽ǥ桼
̾õԤʤˤϡεҥ롼 \fIdaemon_list\fR
\fIhost_pattern\fR ξޥåˤΤߡ桼̾
õԤʤǤ
.PP
user_pattern ϡǡץΥѥƱʸˡǤꡢ
ʤƱ磻ɥɷŬѤ(ͥåȥ롼פΥ
СåפϥݡȤʤ)ʤ顢ϥ桼̾
õꤵ٤ǤϤʤ
.IP \(bu
饤ȤΥ桼̾˴ؤϡ㤨Х饤ȥ
बѤʤΤȤʤäƤˤϡꤹϤǤ
ŪˤϡALL (UN)KNOWN ϰ̣Τ桼̾Υѥ
Τˤ롣
.IP \(bu
桼̾õ TCP ١Υӥǡơ饤
ۥȤŬڤʥǡưƤˤΤ߲ǽǤ롣ơ
ʳΥ "unknown" η̤ˤʤ롣
.IP \(bu
桼̾õե䡼ˤäˤޤ줿硢ͭ̾
UNIX ͥΥХӥ»⤿餹⤷ʤ
wrapper README ʸˤϡʤΥͥˡΥХ¸ߤ
뤫ɤĴ٤礬Ҳ𤵤Ƥ롣
.IP \(bu
桼̾õϡnon-UNIX 桼ФƹԤʤ줿硢
٤ʤ뤫Τʤ桼̾õॢȤǽλ
ޤǤδͤ10 äȤʤäƤ: ٤ͥåȥˤȤ
Ƥû뤬PC 桼餹ˤϽʬ롣
.PP
桼̾õǽȤ뤳ȤˤꡢǸڸ
ȤǤ롣ȤСʥ롼:
.PP
.ti +3
daemon_list : @pcnetgroup ALL@ALL
.PP
ϥ桼̾õԤʤʤ PC ͥåȥ롼פΥС
ޥåʳΥƥФƤϥ桼̾õ
Ԥʤ
.SH DETECTING ADDRESS SPOOFING ATTACKS
¿ TCP/IP μ˸ sequence number generator η
٤ϡԤǤۥȤǤ뤳Ȥñ㤨Х⡼
ȥ륵ӥ̤Ʋ뤳ȤƤޤIDENT
(RFC931 ۤ) ӥϤΤ褦ʥۥȥɥ쥹Υڥƥˤ빶
Τ뤿˻ȤǤ롣
.PP
饤ȤˡTCP åѡΥ饤
ȤºݤˤäƤʤäȤȯŪǡ
IDENT ӥȤǤ롣
饤ȥۥȤ IDENT ӥѰդƤʤ顢IDENT
䤤碌ơ֤ä褿̤Ū(饤ȥޥ
`UNKNOWN@host') ǤСϥڥƥγθǤڵȤʤ롣
.PP
Ū IDENT 䤤碌 (饤ȥޥ
`KNOWN@host')Ǥ⡢ʬ˿ǤȤϸڤʤñ˥饤
ȤΥͥⲽǤԤϥ
饤ȤΥͥȡIDENT 䤤碌ξäƤ
ǽ롣ˤϡ饤Ȥ IDENT СΤΤ
ĤƤ뤳Ȥͤ롣
.PP
Note: IDENT 䤤碌 UDP ӥȶ¸ưϤǤʤ
.SH EXAMPLES
ʸˡϺǾ¤ζϫǡޤޤʥפΥȥ뤬ɽ
ǽʡʤΤǤ롣ʸˡĤΥȥ
ΥꥹȤɬפʤΤȤեʤȤƤϡΥꥹ
ˤñʤΤȤ뤫ˤƤȤ롣
.PP
ʲεɤˤäƤϡallow εҤ deny εҤ
˸졢θϺǽ˥ޥåΤǽλȤʤꡢޥå
ΤĤʤˤϡϾǧ롢Ȥ
ȤϤäƤȤפǤ롣
.PP
ϥۥȤȥɥᥤ̾Ȥ͡ॵСؤ䤤
Ū˼Ԥαƶڸ뤿ˤϡ˥ɥ
ġ뤤 network/netmask ξޤ뤳Ȥǡ
Ǥ롣
.SH MOSTLY CLOSED (ۤĺ)
ξ硢ϥǥեȤǵ䤵롣Ū˸¤
줿ۥȤΤߤ롣
.PP
ǥեȤΥݥꥷ(no access)ϡñ deny file ǵҤ
:
.PP
.ne 2
/etc/hosts.deny:
.in +3
ALL: ALL
.PP
ˤäơallow file ΥȥǥĤʤ
¤ꡢƤΥۥȤؤΥӥϵݤȤʤ롣
.PP
Ū˸¤ۥȤϡallow file ǥꥹȤ롣
:
.PP
.ne 2
/etc/hosts.allow:
.in +3
ALL: LOCAL @some_netgroup
.br
ALL: .foobar.edu EXCEPT terminalserver.foobar.edu
.PP
ǽΥ롼Ǥϡɥᥤ(ۥ̾ `.\'ɬפȤʤ)
ȡ\fIsome_netgroup\fP °ۥȤΥĤ
롣ܤΥ롼Ǥϡ\fIterminalserver.foobar.edu\fP.
\fIfoobar.edu\fP ɥᥤ(ɥåȤǻϤޤ뤳ȤƤ)
ΡƤΥۥȤΥĤƤ롣
.SH MOSTLY OPEN (ۤܲ)
Ū˥ӥݤۥȤϥǥեȤǵ
ĤȤʤ롣
.PP
ǥեȤΥݥꥷ(access granted) ˽Сɤ allow file
Ǥ⡢ޤäάǽʤۤɾĹʤΤȤʤ롣Ū˸¤Ϳ
ʤۥȤϡdeny file ˥ꥹȤ롣:
.PP
/etc/hosts.deny:
.in +3
ALL: some.host.name, .some.domain
.br
ALL EXCEPT in.fingerd: other.host.name, .other.domain
.PP
ǽΥ롼ǤϡĤΥۥȤȡɥᥤؤƤΥӥ
ݤ롣ܤΥ롼ǤϡʳΥۥȤȥɥᥤ
finger ꥯȤ˸¤äƵĤͿƤ롣
.SH BOOBY TRAPS (Ҥä)
ΥץϥɥᥤΥۥ(ɥåȤǻϤޤ
Ƥ) tftp ꥯȤĤΤǤ롣ʳ
ۥȤΥꥯȤϵݤ롣ᤵ줿ե
ˡfinger õˤ̵ʤۥȤؤ롣̤
ѡ桼إᥤ롣
.PP
.ne 2
/etc/hosts.allow:
.in +3
.nf
in.tftpd: LOCAL, .my.domain
.PP
.ne 2
/etc/hosts.deny:
.in +3
.nf
in.tftpd: ALL: (/some/where/safe_finger -l @%h | \\
/usr/ucb/mail -s %d-%h root) &
.fi
.PP
safe_finger ޥɤ tcpd wrapper °ƤꡢŬڤʾ
ȡ뤵٤Ǥ롣ϥ⡼Ȥ finger С
ƤǡˤäƥͿǽ¤
롣ɸ finger ޥɤͥ줿ɸ⤿餹
.PP
%h (client host) %d (service name) ŸˤĤƤϡshell
commands ΥDz⤵Ƥ롣
.PP
ٹ: finger ̵¥롼פؤн褬Ǥʤʤ顢ʤȤ
finger ǡФơ booby-trap (ä) ųݤ
.PP
ͥåȥե䡼ˤƤϡΥȥåϤ
˳ĥ뤳ȤǤ롣ŵŪʥͥåȥե䡼
ϡФƸꤵ줿ӥʤʳΥ
ӥϡ嵭 tftp Τ褦 "İ" 뤳ȤǤ롣η
̡ˤͥ줿ٲ֤Ȥʤ롣
.br
.ne 4
.SH DIAGNOSTICS
ʲξ˥顼𤵤롣ۥȥȥեʸˡ
顼Ĥä硣ȥΥ롼Ĺ
ΥХåե̤ۤ硣ȥΥ롼뤬
ʸˤäƽäƤʤ硣%<letter> Ÿη̡Х
եƤޤä硣Ԥȿơƥॳ뤬Ԥ
硣٤Ƥϡsyslog ǡ̤𤵤롣
.SH FILES
.na
.nf
/etc/hosts.allow, Ĥ (daemon,client) Υڥ
/etc/hosts.deny, ݤ (daemon,client) Υڥ
.ad
.fi
.SH SEE ALSO
.nf
tcpd(8) tcp/ip daemon wrapper ץ
tcpdchk(8), tcpdmatch(8), test programs.
.SH BUGS
͡ॵС䤤碌ॢȤȤʤȡۥ̾ϡ
ȤϿƤƤ⡢ȥ륽եȤѤǤ
.PP
ɥᥤ͡ॵС䤤碌ϡʸʸƱ뤹롣
NIS (ĤƤ YP) Υͥåȥ롼פϡʸʸ̤
롣
.SH AUTHOR
.na
.nf
Wietse Venema (wietse@wzv.win.tue.nl)
Department of Mathematics and Computing Science
Eindhoven University of Technology
Den Dolech 2, P.O. Box 513,
5600 MB Eindhoven, The Netherlands
.SH
.na
.nf
FUKUSHIMA Osamu/ʡ <fuku@amorph.rim.or.jp>
\" @(#) hosts_access.5 1.20 95/01/30 19:51:46
|
