Hi, tcp-wrappers, article

Alan Cox alan "at" cymru.net
Fri, 13 Mar 1998 10:59:30 +0000


>    the listen address to (rather than IADDR_ANY).  This way I could bind 
>    the listen address to 128.0.0.1 (loopback), and have a tcp-wrapper 

127.0.0.1 .. 

>    protected netcat or redir listening for connections from my machine, 
>    which would be forwarded to Xvnc.  This would also be good for dual-homed 
>    machines in DMZ-type firewall setups.  This would allow connections only from
>    the internal lan.

And if you have source routing facilities on your box you can potentially
be open to abuse.

> 2) Build in source address based authentication using the library that
>    comes with tcp_wrappers.
> 
> Comments? 

I think it's better to do the job properly. Assuming you only care about
authentication and not also data hiding then MD5 signatures are probably
enough security (like PPP CHAP protocol). MD5 is free, exportable worldwide
and not (currently 8)) subject to patent stupidities.

Alan
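The CHAP-style MD5 challenge/response Alan refers to, as an added illustration that is not part of the original message; it follows the RFC 1994 response shape (MD5 over identifier, secret and challenge), and the shared secret and peer name are constructed for the demo. The server keeps each challenge single-use so a captured response cannot be replayed, and compares digests in constant time; a deployment written today would use an HMAC rather than a bare MD5 construction.

```python
import hashlib
import hmac
import os

# Constructed demo secret and peer name (not from the original post).
SHARED_SECRET = b"constructed-demo-secret"
PEER_NAME = b"vncclient"

def make_challenge(length=16):
    """Server side: fresh unpredictable nonce for every attempt."""
    return os.urandom(length)

def chap_response(ident, secret, challenge):
    """CHAP response (RFC 1994): MD5 over identifier || secret || challenge."""
    return hashlib.md5(bytes([ident & 0xFF]) + secret + challenge).digest()

def verify_response(ident, secret, challenge, response):
    """Recompute the expected digest and compare in constant time."""
    return hmac.compare_digest(chap_response(ident, secret, challenge), response)

class ChapServer:
    """Holds outstanding challenges; each may be answered exactly once."""
    def __init__(self, secrets):
        self.secrets = secrets     # peer name -> shared secret
        self.pending = {}          # identifier -> (peer, challenge)
        self.next_id = 0
    def challenge(self, peer):
        ident = self.next_id & 0xFF
        self.next_id += 1
        chal = make_challenge()
        self.pending[ident] = (peer, chal)
        return ident, chal

    def check(self, ident, response):
        entry = self.pending.pop(ident, None)  # consumed: a replay finds nothing
        if entry is None:
            return False
        peer, chal = entry
        secret = self.secrets.get(peer)
        return secret is not None and verify_response(ident, secret, chal, response)

def demo():
    """Returns (honest client accepted, replayed response rejected, wrong secret rejected)."""
    server = ChapServer({PEER_NAME: SHARED_SECRET})
    ident, chal = server.challenge(PEER_NAME)
    good = server.check(ident, chap_response(ident, SHARED_SECRET, chal))
    replay = server.check(ident, chap_response(ident, SHARED_SECRET, chal))
    ident2, chal2 = server.challenge(PEER_NAME)
    wrong = server.check(ident2, chap_response(ident2, b"wrong-secret", chal2))
    return good, replay, wrong
```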