TCP wrapper filter examples

The examples in this section show a variety of approaches to controlling access using TCP wrapper access filters. In studying the examples, keep in mind that Allow filters are processed before Deny filters, the search terminates when a match is found, and access is granted when no match is found at all.

The examples listed here use host and domain names rather than IP addresses. Remember that you can include address and netmask information in TCP wrapper filters, which can improve reliability in the case of nameservice failure.

Example TCP wrapper filter: mostly denying

In this example, access is denied by default. Only explicitly authorized hosts are permitted access.

The default policy (no access) is implemented with a single, trivial deny rule set via the domainnotallowed option:

ALL: ALL

This filter denies all service to all clients that have not been explicitly granted access by an Allow filter (set via the domainallowed option). The Allow filters, then, might be something like these:

ALL: LOCAL @netgroup1
ALL: .siroe EXCEPT externalserver.siroe.com

The first rule permits access from all short-form host names in the local domain and from members of the netgroup1 netgroup. The second rule uses a leading-dot wildcard pattern to permit access from all hosts in the siroe domain, with the exception of the host externalserver.siroe.com.

Example TCP wrapper filter: mostly allowing

In this example, access is granted by default. Only explicitly specified hosts are denied access.

The default policy (access granted) makes explicit Allow filters unnecessary. The unwanted clients are listed explicitly in Deny filters (set via the domainnotallowed option) such as these:

ALL: externalserver.siroe1.com, .siroe.asia.com
ALL EXCEPT pop: contractor.siroe1.com, .siroe.com

The first filter denies all services to a particular host and to a specific domain. The second filter permits nothing but POP access from a particular host and from a specific domain.

Example TCP wrapper filter: Denying access from spoofed IPs or hosts

You can use the DNSSPOOFER wildcard name in a filter to detect host-name spoofing. When you specify DNSSPOOFER, the access-control system performs forward or reverse DNS lookups to verify that the client's presented host name matches its actual IP address. Here is an example for a Deny filter (which would be set via the domainnotallowed option):

ALL: DNSSPOOFER

This filter denies all services to all remote hosts whose IP addresses don't match their DNS host names.

Example TCP wrapper filter: Controlling access to Virtual Domains

If your messaging installation uses virtual domains, in which a single server instance is associated with multiple IP addresses and domain names, you can control access to each virtual domain through a combination of Allow and Deny filters. For example, you can use Allow filters like:

ALL@msgServer.siroe1.com: @.siroe1.com
ALL@msgServer.siroe2.com: @.siroe2.com
...

coupled with a Deny filter like:

ALL: ALL

Each Allow filter permits only hosts within domainN to connect to the service whose IP address corresponds to msgServer.siroeN.com. All other connections are denied.
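To make the evaluation order concrete for the mostly-denying, mostly-allowing, DNSSPOOFER and virtual-domain examples above, here is a small evaluator written for this page; it is an added illustration, not code from Messaging Server or from the TCP wrappers library. It implements the rules the section states (Allow filters first, then Deny, first match wins, no match grants access) over the pattern forms the examples use: ALL, LOCAL, leading-dot domain wildcards, @netgroup, EXCEPT on either side of the colon, service@server, and DNSSPOOFER. The netgroup table and the forward/reverse DNS records are constructed stand-ins so it runs offline; the client pattern for a virtual domain is written as a plain leading-dot domain here.

```python
"""Toy evaluator for TCP-wrapper-style Allow/Deny filters (added example)."""

# Constructed sample data standing in for the NIS netgroup service and for DNS.
NETGROUPS = {"netgroup1": {"build.siroe.com", "ci.siroe.com"}}
PTR_RECORDS = {"192.0.2.10": "mail.siroe.com", "192.0.2.99": "trusted.siroe.com"}
A_RECORDS = {"mail.siroe.com": {"192.0.2.10"}, "trusted.siroe.com": {"203.0.113.5"}}


def _tokens(part):
    """Split a comma- and/or space-separated list of patterns."""
    return [t for t in part.replace(",", " ").split() if t]


def _split_except(part):
    """Split 'a b EXCEPT c' into (positive patterns, excepted patterns)."""
    pos, _, neg = part.partition(" EXCEPT ")
    return _tokens(pos), _tokens(neg)


def parse_filter(text):
    """Parse 'services: clients'; each side may carry an EXCEPT clause."""
    svc_part, cli_part = text.split(":", 1)
    return _split_except(svc_part), _split_except(cli_part)


def dns_spoofer(ip):
    """True when the PTR name for ip does not resolve back to ip.

    A client with no PTR record has no name to verify, so it is not
    reported as a spoofer by this toy (real wrappers treat it as UNKNOWN).
    """
    name = PTR_RECORDS.get(ip)
    if name is None:
        return False
    return ip not in A_RECORDS.get(name, set())


def client_matches(pattern, host, ip=None):
    """Match one client pattern against a client host name (and IP)."""
    if pattern == "ALL":
        return True
    if pattern == "LOCAL":
        return "." not in host          # unqualified (short-form) names only
    if pattern == "DNSSPOOFER":
        return dns_spoofer(ip)
    if pattern.startswith("@"):          # NIS netgroup membership
        return host in NETGROUPS.get(pattern[1:], set())
    if pattern.startswith("."):          # leading-dot domain wildcard
        return host.endswith(pattern)
    return host == pattern


def service_matches(pattern, service, server):
    """Match 'service' or 'service@server' (server = local endpoint name)."""
    svc, _, srv = pattern.partition("@")
    if srv and srv != server:
        return False
    return svc == "ALL" or svc == service


def _list_matches(pos, neg, matcher, *args):
    """Positive list must match and no EXCEPT entry may match."""
    return (any(matcher(p, *args) for p in pos)
            and not any(matcher(n, *args) for n in neg))


def rule_matches(rule, service, client, server="", ip=None):
    (svc_pos, svc_neg), (cli_pos, cli_neg) = parse_filter(rule)
    return (_list_matches(svc_pos, svc_neg, service_matches, service, server)
            and _list_matches(cli_pos, cli_neg, client_matches, client, ip))


def access_granted(allow_rules, deny_rules, service, client, server="", ip=None):
    """Allow filters first, then Deny filters; first match wins; no match grants."""
    for rule in allow_rules:
        if rule_matches(rule, service, client, server, ip):
            return True
    for rule in deny_rules:
        if rule_matches(rule, service, client, server, ip):
            return False
    return True


if __name__ == "__main__":
    mostly_deny_allow = ["ALL: LOCAL @netgroup1",
                         "ALL: .siroe.com EXCEPT externalserver.siroe.com"]
    mostly_deny_deny = ["ALL: ALL"]
    for host in ("mailhost", "build.siroe.com", "externalserver.siroe.com", "x.example.org"):
        print(host, access_granted(mostly_deny_allow, mostly_deny_deny, "imap", host))
```

Running the module walks four hosts through the mostly-denying policy: the short-form name and the netgroup member are granted by the Allow filters, the EXCEPT host falls through to the Deny filter, and a host outside the domain is denied because only the catch-all Deny rule matches it.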

Example TCP wrapper filter: Controlling IMAP access while permitting Webmail access

If you wish to allow users to access Webmail, but not access IMAP, create a filter like this:

+imap:access-server-host1,access-server-host2

This permits IMAP only from the access server hosts access-server-host1 and access-server-host2. You can set the access filter at the IMAP server level by using the option, or set the access filter at the user level via the LDAP attribute or at the domain level via the LDAP attribute. (The MMP and its proxies will at the proxy level use the option, as well as at the user level whatever user LDAP attribute is named by the option, by default, and at the domain level the LDAP attribute.)

See also:
 * domainallowed Option
 * domainnotallowed Option
 * TCP wrappers