-rw-r--r-- | generic/etc/hosts.allow | 12 | ||||
-rw-r--r-- | generic/etc/hosts.deny | 19 | ||||
-rw-r--r-- | rules/tcpwrapper.in | 15 | ||||
-rw-r--r-- | rules/tcpwrapper.make | 7 |
4 files changed, 50 insertions, 3 deletions
diff --git a/generic/etc/hosts.allow b/generic/etc/hosts.allow
new file mode 100644
index 000000000..c5d281f60
--- /dev/null
+++ b/generic/etc/hosts.allow
@@ -0,0 +1,12 @@
+# /etc/hosts.allow: list of hosts that are allowed to access the system.
+# See the manual pages hosts_access(5) and hosts_options(5).
+#
+# Example: ALL: LOCAL @some_netgroup
+# ALL: .foobar.edu EXCEPT terminalserver.foobar.edu
+#
+# If you're going to protect the portmapper use the name "portmap" for the
+# daemon name. Remember that you can only use the keyword "ALL" and IP
+# addresses (NOT host or domain names) for the portmapper, as well as for
+# rpc.mountd (the NFS mount daemon). See portmap(8) and rpc.mountd(8)
+# for further information.
+#
diff --git a/generic/etc/hosts.deny b/generic/etc/hosts.deny
new file mode 100644
index 000000000..7d19ad10b
--- /dev/null
+++ b/generic/etc/hosts.deny
@@ -0,0 +1,19 @@
+# /etc/hosts.deny: list of hosts that are _not_ allowed to access the system.
+# See the manual pages hosts_access(5) and hosts_options(5).
+#
+# Example: ALL: some.host.name, .some.domain
+# ALL EXCEPT in.fingerd: other.host.name, .other.domain
+#
+# If you're going to protect the portmapper use the name "portmap" for the
+# daemon name. Remember that you can only use the keyword "ALL" and IP
+# addresses (NOT host or domain names) for the portmapper, as well as for
+# rpc.mountd (the NFS mount daemon). See portmap(8) and rpc.mountd(8)
+# for further information.
+#
+# The PARANOID wildcard matches any host whose name does not match its
+# address.
+
+# You may wish to enable this to ensure any programs that don't
+# validate looked up hostnames still leave understandable logs. In past
+# versions of Debian this has been the default.
+# ALL: PARANOID
diff --git a/rules/tcpwrapper.in b/rules/tcpwrapper.in
index 82e3c8c06..e548ee543 100644
--- a/rules/tcpwrapper.in
+++ b/rules/tcpwrapper.in 
@@ -1,5 +1,6 @@ ## SECTION=networking -menuconfig TCPWRAPPER + +menuconfig TCPWRAPPER tristate prompt "tcpwrapper " help @@ -14,12 +15,22 @@ menuconfig TCPWRAPPER client or server applications, and impose no overhead on the actual conversation between the client and server applications. +if TCPWRAPPER + config TCPWRAPPER_INSTALL_TCPD bool prompt "Install /usr/sbin/tcpd" - depends on TCPWRAPPER help The tcpd program can be set up to monitor incoming requests for telnet, finger, ftp, exec, rsh, rlogin, tftp, talk, comsat and other services that have a one-to-one mapping onto executable files. +config TCPWRAPPER_INSTALL_HOSTS_ACCESS_CONFIGS + bool + select TCPWRAPPER_INSTALL_TCPD + prompt "Install /etc/hosts.{allow|deny}" + help + Install the hosts.allow and hosts.deny configs from either + projectroot or from ptxdist/generics. + +endif diff --git a/rules/tcpwrapper.make b/rules/tcpwrapper.make index 417953360..3e9d9427d 100644 --- a/rules/tcpwrapper.make +++ b/rules/tcpwrapper.make @@ -23,7 +23,6 @@ TCPWRAPPER_URL := ftp://ftp.porcupine.org/pub/security/$(TCPWRAPPER).tar.gz TCPWRAPPER_SOURCE := $(SRCDIR)/$(TCPWRAPPER).tar.gz TCPWRAPPER_DIR := $(BUILDDIR)/$(TCPWRAPPER) - # ---------------------------------------------------------------------------- # Get # ---------------------------------------------------------------------------- @@ -71,6 +70,12 @@ $(STATEDIR)/tcpwrapper.targetinstall: ifdef PTXCONF_TCPWRAPPER_INSTALL_TCPD @$(call install_copy, tcpwrapper, 0, 0, 0755, $(TCPWRAPPER_DIR)/tcpd, /usr/sbin/tcpd) endif + +ifdef PTXCONF_TCPWRAPPER_INSTALL_HOSTS_ACCESS_CONFIGS + @$(call install_alternative, tcpwrapper, 0, 0, 0644, /etc/hosts.allow) + @$(call install_alternative, tcpwrapper, 0, 0, 0644, /etc/hosts.deny) +endif + @$(call install_finish, tcpwrapper) @$(call touch) |
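Review bot: The help text of `TCPWRAPPER_INSTALL_HOSTS_ACCESS_CONFIGS` in rules/tcpwrapper.in does not say that the generic hosts.allow and hosts.deny added by this commit contain only comments, so without a projectroot override the installed policy restricts nothing. I would extend the help with a line such as `The generic files contain no active rules (all access is allowed); provide your own copies in projectroot to restrict access.` Separately, `select TCPWRAPPER_INSTALL_TCPD` forces /usr/sbin/tcpd onto the target, although these files are presumably also consulted by daemons linked against libwrap directly (the new hosts.allow itself mentions portmap and rpc.mountd). If that holds for this package, dropping the select would avoid installing a binary that some targets never use.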