From: mfchen@csie.nctu.edu.tw (Ming-Feng Chen)
Newsgroups: tw.bbs.config
Subject: [DNS] How to refuse machines that have no reverse domain name?
Date: 27 May 1997 04:53:56 GMT
Organization: Computer Science & Information Engineering NCTU

Below is one method for refusing machines that have no reverse domain name;
additions from everyone are welcome.

----------------------------------------------------------------------

One way to set this up is to install the tcpd program (see man tcpd):

NAME
     tcpd - access control facility for internet services

SYNOPSIS
     /some/where/tcpd [arguments]

DESCRIPTION
     The tcpd program can be set up to monitor incoming requests for
     telnet, finger, ftp, exec, rsh, rlogin, tftp, talk, spray, rusers,
     comsat and other services that have a one-to-one mapping onto
     executable files. Optional features are: access control based on
     pattern matching, remote username lookups with the RFC 931
     protocol, and protection against hosts that pretend to have
     someone elses host name.

Working together with inetd, this program checks information about the
remote machine before the service program is executed, so specific
machines can be allowed or refused the use of network services. The
filtering is configured through /etc/hosts.allow and /etc/hosts.deny,
for example:

cmd> more /etc/inetd.conf
smtp    stream  tcp  nowait  root    /usr/etc/tcpd  .../sendmail -bs
finger  stream  tcp  nowait  nobody  /usr/etc/tcpd  .../in.fingerd
telnet  stream  tcp  nowait  root    /usr/etc/tcpd  .../in.telnetd

cmd> more /etc/hosts.allow
in.fingerd: ALL
sendmail: ALL
ALL: LOCAL
FAIL: UNKNOWN

The settings above mean:

1. The in.fingerd service accepts connections from any machine (ALL).
2. The sendmail service also accepts connections from any machine (ALL).
3. A machine inside the LAN (LOCAL) may use any service (ALL).
4. If the machine has no reverse domain name (UNKNOWN), the scan of
   hosts.allow fails (FAIL) and the hosts.deny settings are checked.

cmd> more /etc/hosts.deny
ALL: UNKNOWN

The setting above means: whenever there is no reverse domain name
(UNKNOWN), refuse all services (ALL).

----------------------------------------------------------------------

For special settings, refer to man hosts_access:

ALL       If this token appears in a daemon_list, it matches all network
          daemon process names. If the ALL token appears in a
          client_list, it matches all client names and addresses.

LOCAL     Matches any string that does not contain a dot character.
          Typical use is in client_lists.

UNKNOWN   Matches any host whose name and/or address lookup failed.
          Should be used with care, because host names may also be
          unavailable due to temporary name server problems.

FAIL      Like the ALL wildcard, but causes the software to pretend that
          the scan of the current access control table fails. This is
          useful to avoid unwanted matches with later entries in the
          same access control table.

--
Sincerely yours.
Ming-Feng
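To see how the two tables in the post are evaluated for concrete clients, here is a small model of the tcp_wrappers matching order, added by the editor and not code from the post or from tcp_wrappers itself: hosts.allow is scanned first and a match grants access, otherwise hosts.deny is scanned and a match refuses, otherwise access is granted, and a FAIL daemon wildcard stops the scan and reports no match. The Client class, the sample hosts and their addresses are constructed, and it is assumed that LOCAL never matches a host whose lookup failed (tcp_wrappers 7.x behaviour).

```python
from dataclasses import dataclass

@dataclass
class Client:
    addr: str
    name: "str | None"  # None when the reverse (PTR) lookup failed, i.e. UNKNOWN

def parse_table(text):
    """Parse 'daemon_list : client_list' lines into (daemons, clients) pairs."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            daemons, clients = line.split(":", 1)
            rules.append(([t.strip() for t in daemons.split(",")],
                          [t.strip() for t in clients.split(",")]))
    return rules

def client_match(tok, c):
    if tok == "ALL":
        return True
    if tok == "UNKNOWN":
        return c.name is None
    if tok == "LOCAL":  # no dot in the name; assumption: an unresolved host is never LOCAL
        return c.name is not None and "." not in c.name
    return tok in (c.name, c.addr)  # literal host name or address

def scan(rules, daemon, c):
    """First matching rule wins; a FAIL daemon wildcard makes the scan report no match."""
    for daemons, clients in rules:
        if ((daemon in daemons or "ALL" in daemons or "FAIL" in daemons)
                and any(client_match(t, c) for t in clients)):
            return "FAIL" not in daemons
    return False

def hosts_access(daemon, c, allow, deny):
    """hosts.allow is consulted first, then hosts.deny; no match in either grants access."""
    if scan(allow, daemon, c):
        return True
    return not scan(deny, daemon, c)

# The two tables from the post, verbatim.
HOSTS_ALLOW = parse_table("in.fingerd: ALL\nsendmail: ALL\nALL: LOCAL\nFAIL: UNKNOWN")
HOSTS_DENY = parse_table("ALL: UNKNOWN")

# Constructed sample clients (addresses from the RFC 5737 documentation ranges).
LAN_HOST = Client("192.0.2.10", "bbs")                    # dot-free name -> LOCAL
UNKNOWN_HOST = Client("192.0.2.20", None)                 # reverse lookup failed
REMOTE_HOST = Client("198.51.100.7", "mail.example.org")  # known, but not LOCAL
```

Note that the UNKNOWN client is still granted finger and sendmail because those two rules come before FAIL: UNKNOWN in hosts.allow; the real tables on a host are checked the same way with the tcpdmatch utility shipped with tcp_wrappers.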