From owner-freebsd-isp  Mon Jan 20 11:01:37 1997
Return-Path: <owner-isp>
Received: (from root@localhost)
          by freefall.freebsd.org (8.8.4/8.8.4) id LAA18278
          for isp-outgoing; Mon, 20 Jan 1997 11:01:37 -0800 (PST)
Received: from super-g.inch.com (super-g.com [204.178.32.161])
          by freefall.freebsd.org (8.8.4/8.8.4) with ESMTP id LAA18256
          for <freebsd-isp@freebsd.org>; Mon, 20 Jan 1997 11:01:16 -0800 (PST)
Received: from localhost (spork@localhost) by super-g.inch.com (8.8.4/8.6.9) with SMTP id OAA12665; Mon, 20 Jan 1997 14:19:56 -0500 (EST)
Date: Mon, 20 Jan 1997 14:19:56 -0500 (EST)
From: spork <spork@super-g.com>
X-Sender: spork@super-g.inch.com
To: Christian Hochhold <expert@dusk.net>
cc: freebsd-isp@freebsd.org
Subject: Re: tcp_wrappers
In-Reply-To: <199701180109.VAA06835@eternal.dusk.net>
Message-ID: <Pine.BSF.3.95.970120141307.12624A-100000@super-g.inch.com>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-isp@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

Just re-read the man page for tcpd, hosts_access (start here),
hosts_options, tcpdcheck, and tcpdmatch...  In hosts_access there are
examples of the format used and some clever implementations.  An example
for what you'd like to do would be:

in hosts.deny:

ALL: ALL

in hosts.allow:

ALL: .newark.nj.pub-ip.psi.net

This would allow anyone dialing into PSI's Newark POP to access ALL
wrapped services and disallow anyone else.  Note the use of "." instead of
"*".

Charles


On Fri, 17 Jan 1997, Christian Hochhold wrote:

> Evenin'
> 
> I have tcp wrappers running on my shell machine, with twist
> so it displayes a nice message to any individual trying to
> connect who is not in the hosts.allow file.
> I've just found that hosts.allow doesn't like wildcards, as
> one of my clients is part of another major ISP, and instead
> of at least being able to just allow access to the pop where
> he dials into, I now have to allow ALL the ISP's POP's to
> connect.
> Obivously this is a risk, in order to allow one person to
> telnet in, I have to allow the whole nation to telnet in
> as well.
> 
> I've tried (as examples)
> 
> *@pop-prov*.isp.name
> pop*.isp.name
> pop-prov.isp.name
> 
> to no avail.  Does anyone have any suggestions / recommendations
> as to what one can do about this?
> 
> Thank You in advance,
> 
> Christian
> 
> 
>