www.centos.org Forum Index > CentOS 5 - Security Support > tcpwrappers with squid

#1 tcpwrappers with squid
Poster: Newbie, Joined: 2009/11/5, Posts: 2
This is on a CentOS 5 VMware image - hope that does not affect anything.

Hi, I am trying out tcpwrappers to stop certain hosts accessing httpd and squid. I know there are application layer ACLs, but I want to see if this will work. I am trying to figure out the daemon argument in the hosts.deny file in relation to squid and where the daemon argument comes from. In my system xinetd is running:

```
[root@centos-vm etc]# ps -ef | grep xine
root      5058     1  0 20:57 ?        00:00:00 xinetd -stayalive -pidfile /var/run/xinetd.pid
root      5065  2720  0 20:58 pts/0    00:00:00 grep xine
```

My /etc/hosts.allow file is empty:

```
[root@centos-vm etc]# cat /etc/hosts.allow
#
# hosts.allow   This file describes the names of the hosts which are
#               allowed to use the local INET services, as decided
#               by the '/usr/sbin/tcpd' server.
#
```

My /etc/hosts.deny file contains:

```
[root@centos-vm etc]# cat /etc/hosts.deny
#
# hosts.deny    This file describes the names of the hosts which are
#               *not* allowed to use the local INET services, as decided
#               by the '/usr/sbin/tcpd' server.
#
# The portmap line is redundant, but it is left to remind you that
# the new secure portmap uses hosts.deny and hosts.allow.  In particular
# you should know that NFS uses portmap!
httpd : 192.168.88.0/255.255.255.0
squid : 192.168.88.0/255.255.255.0
```

```
[root@centos-vm etc]# netstat -putan | grep httpd
tcp        0      0 :::80                       :::*                        LISTEN      4809/httpd
[root@centos-vm etc]# netstat -putan | grep squid
tcp        0      0 0.0.0.0:3128                0.0.0.0:*                   LISTEN      4597/(squid)
udp        0      0 0.0.0.0:32771               0.0.0.0:*                               4597/(squid)
udp        0      0 0.0.0.0:3130                0.0.0.0:*                               4597/(squid)
```

I am using 'squid' and 'httpd' as the daemon_name as this is what the process is called in netstat and ps. I run the URL from my desk machine - it is handed off from IP 192.168.88.1, meaning that it will be covered under hosts.deny. Running tcpdump, I can see

```
21:06:22.575564 IP 192.168.88.1.5833 > 192.168.88.133.squid: . ack 13119 win 63988
```

for squid and

```
21:07:59.109083 IP 192.168.88.1.5910 > 192.168.88.133.http: . ack 469 win 32534
```

for http. Access is not blocked from this IP and I can successfully get a response to my HTTP GETs. Am I missing something? Any pointers greatly appreciated.
Posted on: 2009/11/5 1:59
#2 Re: tcpwrappers with squid

Poster: Newbie, Joined: 2009/11/5, Posts: 2
This is a reply to anyone else with the same problem who googles their problem and finds this posting.

The RedHat Manual states:

> The TCP wrappers package (tcp_wrappers) is installed by default under Red Hat Linux and provides host-based access control to network services. The most important component within the package is the /usr/lib/libwrap.so.0 library. In general terms, a TCP wrapped service is one that has been compiled against the libwrap.a library.

It seems that both squid and httpd are not tcpwrapped, as they are not set up to link to the libwrap.a library - for example:

```
[root@rwc-tpslnx-01-v3 html]# which squid
/usr/sbin/squid
[root@rwc-tpslnx-01-v3 html]# ldd /usr/sbin/squid | grep libwrap
```

and

```
[root@rwc-tpslnx-01-v3 html]# which httpd
/usr/sbin/httpd
[root@rwc-tpslnx-01-v3 html]# ldd /usr/sbin/httpd | grep libwrap
```

SSHD on the other hand does work, as it is linked to the libwrap.a library:

```
[root@rwc-tpslnx-01-v3 html]# ldd /usr/sbin/sshd | grep libwrap
        libwrap.so.0 => /usr/lib64/libwrap.so.0 (0x00002aaaaacc6000)
```

HTTPD and SQUID on my system were just installed as per standard yum, so I don't know if there is a way to compile tcpwrapper support into these binaries by compiling manually. However, it certainly explains why my hosts.deny rules made no odds to the security.
Posted on: 2009/11/5 17:06
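The ldd check from the reply above, turned into a small audit script. This is an added example, not the poster's code: it runs `ldd` over the daemon paths given on the command line and reports whether each is linked against libwrap (and so whether hosts.allow/hosts.deny can apply to it at all); the sample ldd output embedded for testing is constructed. A "wrapped" result only means the library is linked in, not that every code path of the service consults it.

```shell
#!/bin/sh
# Added example (not from the original post): audit whether service binaries
# are linked against libwrap. hosts.allow/hosts.deny are only consulted by
# libwrap, so a daemon without it (squid and httpd on the poster's box)
# ignores those files entirely, whatever rules they contain.

# Given ldd output on stdin, print "wrapped" if a libwrap shared object is
# listed and "unwrapped" otherwise. Separated from running ldd so it can be
# exercised on captured output.
classify_ldd_output() {
    if grep -q 'libwrap\.so'; then
        echo wrapped
    else
        echo unwrapped
    fi
}

# Run ldd on a real binary and classify it. Prints "missing" when the path
# is not an executable file, so a typo does not look like "unwrapped".
check_wrapped() {
    bin="$1"
    if [ ! -x "$bin" ]; then
        echo missing
        return 0
    fi
    ldd "$bin" 2>/dev/null | classify_ldd_output
}

# Constructed sample ldd output: one set resembling the sshd line from the
# post (libwrap present) and one resembling squid/httpd (libwrap absent).
# Library names and load addresses are made up for the test.
SSHD_LDD='        libwrap.so.0 => /usr/lib64/libwrap.so.0 (0x00002aaaaacc6000)
        libc.so.6 => /lib64/libc.so.6 (0x00002aaaaaf00000)'
SQUID_LDD='        libcrypt.so.1 => /lib64/libcrypt.so.1 (0x00002aaaaad00000)
        libc.so.6 => /lib64/libc.so.6 (0x00002aaaaaf00000)'

# Report every daemon named on the command line, e.g.:
#   sh check_wrap.sh /usr/sbin/sshd /usr/sbin/squid /usr/sbin/httpd
for d in "$@"; do
    printf '%s: %s\n' "$d" "$(check_wrapped "$d")"
done
```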