TCPD Access Control Files

Two files, hosts.allow and hosts.deny, define access controls for the tcpd service. The hosts.allow file lists allowed hosts while hosts.deny lists denied hosts. Tcpd reads hosts.allow first and stops at the first match, so hosts.allow takes precedence over hosts.deny. It is common to deny all access in hosts.deny and then specifically allow certain hosts in hosts.allow.

Uploaded by JeandelaSagesse
tcpd Access Control Files

Two files define access controls for tcpd:

The hosts.allow file lists the hosts that are allowed to access the system's services.
The hosts.deny file lists the hosts that are denied service.

If neither file is found, tcpd allows every host access and simply logs the request.

When the files are present, tcpd reads hosts.allow first and then hosts.deny, and it stops at the first entry that matches both the host and the service in question. Access granted by hosts.allow therefore cannot be overridden by hosts.deny, and a connection that matches neither file is allowed. For this reason it is common to start with an entry in hosts.deny that denies all access to all systems, and then to add entries to hosts.allow that permit access only to those systems that really should receive the service. The format of entries in both files is the same:
services : clients [: shellcommand]
services is a comma-separated list of network services or the keyword ALL, which matches every network service. Otherwise each service is identified by its process name, which is the name that immediately follows the path to tcpd in the inetd.conf file. For example, the process name in the following inetd.conf entry is imapd:
imap stream tcp nowait root /usr/sbin/tcpd imapd
clients is a comma-separated list of hostnames, domain names, Internet addresses, network numbers, and the keyword LOCAL. Alternatively, it can be the keyword ALL. ALL matches all hostnames and addresses; LOCAL matches all hostnames that do not include a domain name part (that is, names containing no dot).

A hostname matches an individual host. An IP address can be given by itself to match a specific host, or with an address mask (address/mask) to match a range of addresses. A domain name starts with a dot (.) and matches every host within that domain. A network number ends with a dot and matches every IP address within that network. Hostname and domain patterns are checked against the client's reverse DNS name, so for access decisions that must hold against a client who can influence DNS, address and network patterns are the more robust choice.
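The following model, added here as an illustration and not taken from tcpd's own source, puts the two halves of the description together: it parses the services : clients [: shellcommand] entries, implements each client-pattern form (ALL, LOCAL, hostname, .domain, network-number prefix and address/mask), and applies the lookup order (hosts.allow first, then hosts.deny, otherwise allow) to a few constructed clients. The two sample files and the client names and addresses are made up for the demonstration; the parser deliberately omits tcpd's EXCEPT operator, %-expansions and line continuation, and the shell command is recorded but never executed.

```python
"""Model of how tcpd consults hosts.allow and hosts.deny.

Added illustration written for this page; it is not tcpd's own source.
It implements the lookup order described above (hosts.allow first, then
hosts.deny, otherwise allow) and the client patterns: ALL, LOCAL, hostname,
.domain, network-number prefix ("192.168.1.") and address/mask.  Simplified
on purpose: no EXCEPT operator, no %-expansions, no line continuation, and
the optional shell command is parsed but never executed.
"""
import ipaddress

# Constructed sample files for the demonstration (not from a real host).
HOSTS_ALLOW = """\
# hosts.allow: services : clients [: shellcommand]
sshd, imapd : 192.168.1. , .corp.example.com
in.ftpd : 10.0.0.0/255.255.0.0
ALL : LOCAL
"""

HOSTS_DENY = """\
# hosts.deny: default-deny everything not matched above
ALL : ALL : logger -p auth.notice "tcpd denied %d from %c"
"""


def parse_rules(text):
    """Return [(services, clients, shellcommand)] from a hosts.* file body.

    Blank lines and lines starting with '#' are ignored, as in tcpd.
    A missing file is represented by text=None and yields no rules.
    """
    rules = []
    for raw in (text or "").splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = [p.strip() for p in line.split(":", 2)]
        if len(parts) < 2:
            raise ValueError(f"malformed rule: {raw!r}")
        services = [s.strip() for s in parts[0].split(",") if s.strip()]
        clients = [c.strip() for c in parts[1].split(",") if c.strip()]
        shellcommand = parts[2] if len(parts) == 3 else None
        rules.append((services, clients, shellcommand))
    return rules


def client_matches(pattern, host, addr):
    """Match one client pattern against the client's (reverse DNS) name and IP."""
    if pattern == "ALL":
        return True
    if pattern == "LOCAL":                      # name without a domain part
        return host is not None and "." not in host
    if pattern.startswith("."):                 # .corp.example.com
        return host is not None and host.endswith(pattern.lower())
    if pattern.endswith("."):                   # 192.168.1.  -> 192.168.1.x
        return addr.startswith(pattern)
    if "/" in pattern:                          # 10.0.0.0/255.255.0.0 or /16
        net, mask = pattern.split("/", 1)
        network = ipaddress.ip_network(f"{net}/{mask}", strict=False)
        return ipaddress.ip_address(addr) in network
    return pattern.lower() == host or pattern == addr   # exact name or address


def rule_matches(rule, service, host, addr):
    """True when the rule names this service (or ALL) and one client pattern matches."""
    services, clients, _ = rule
    if "ALL" not in services and service not in services:
        return False
    return any(client_matches(p, host, addr) for p in clients)


def access_allowed(service, addr, host=None,
                   allow_text=HOSTS_ALLOW, deny_text=HOSTS_DENY):
    """Apply tcpd's order and return (allowed, which_file_decided)."""
    host = host.lower() if host else None
    for rule in parse_rules(allow_text):
        if rule_matches(rule, service, host, addr):
            return True, "hosts.allow"
    for rule in parse_rules(deny_text):
        if rule_matches(rule, service, host, addr):
            return False, "hosts.deny"
    return True, "no match"          # tcpd's default when nothing matches


if __name__ == "__main__":
    checks = [
        ("sshd", "192.168.1.25", None),
        ("sshd", "192.168.2.25", None),
        ("imapd", "203.0.113.7", "mail.corp.example.com"),
        ("in.ftpd", "10.0.200.3", None),
        ("telnetd", "198.51.100.9", "intranet"),
    ]
    for service, addr, host in checks:
        print(service, addr, host, "->", access_allowed(service, addr, host))
```

Passing deny_text="" reproduces the trap the text warns about: without the catch-all entry in hosts.deny, a client that matches nothing in hosts.allow is still admitted. On a real system, test the installed files with tcpdmatch(8) rather than a model like this one.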
