NAME
tcpd.conf — configuration file for tcpd
DESCRIPTION
When inetd invokes tcpd for a service, it will read /etc/tcpd.conf and perform access control checks (see tcpd(1M)).
Each line in the file is treated either as a comment or as configuration information. Commented lines begin with #. Uncommented lines contain two required fields, key and value. The fields are separated by tabs and/or spaces. A line can be continued if it terminates with a backslash (\).
The following are the configuration parameters:
rfc931_timeout n
The RFC931 username lookup can be enabled or disabled through this parameter. The value n specifies the time-out (in seconds) to use while getting the username information from the client. A value of zero for n disables the rfc931 feature. By default, n is 0, so the rfc931 feature is disabled. The maximum value to which n can be set is 30 seconds.
on_reverselookup_fail {allow | deny}
This parameter determines whether tcpd should allow or deny the connection request on reverse lookup failure. In both cases, tcpd logs the reverse lookup failure, but in the deny case it rejects the connection request immediately after the reverse lookup failure. In the allow case, the hostname can be matched with the PARANOID wildcard (see hosts_options(5)) in the access control files (/etc/hosts.allow and /etc/hosts.deny). The default value is deny.
log_level {normal | extended}
This parameter determines the level at which tcpd logs information using syslog. A value of extended causes the TCP Wrappers daemon (see tcpd(1M)) to log ACL information, such as which entry the client request matched and that entry's related options. The default value is normal, in which case tcpd logs only the connection details about refusal or acceptance of the connection, in the form of `connection from abc@xyz_host'.
Processing Invalid and Multiple Entries
tcpd processes invalid and multiple entries in the following ways:
An invalid entry for a configuration parameter is ignored. Instead, the default value for the configuration parameter will be used. For example, the following invalid entry for log_level will be replaced by the use of normal.
    log_level abcd
will be treated as:
    log_level normal
If multiple entries for a configuration parameter are specified, only the last occurring entry is processed and the rest are ignored. For example, in the following two entries for rfc931_timeout, the last value of 25 is used for that parameter.
    rfc931_timeout 10
    rfc931_timeout 25
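The parsing rules above (comments, backslash continuation, invalid entries falling back to defaults, last entry wins) can be modelled in a short audit script that reports the settings tcpd would end up using. This is an added example, not HP's code; treating unknown keys and rfc931_timeout values outside 0-30 as invalid, and joining continued lines before the comment check, are assumptions.

```python
# Added example: models the rules on this page; behaviours marked "assumption" are not documented.
DEFAULTS = {"rfc931_timeout": "0", "on_reverselookup_fail": "deny", "log_level": "normal"}
VALID = {
    # assumption: values outside 0..30 count as invalid (the page only states the maximum)
    "rfc931_timeout": lambda v: v.isascii() and v.isdigit() and int(v) <= 30,
    "on_reverselookup_fail": lambda v: v in ("allow", "deny"),
    "log_level": lambda v: v in ("normal", "extended"),
}
SAMPLE = """\
# constructed sample, not taken from a real host
rfc931_timeout 10
log_level abcd
rfc931_timeout \\
    25
on_reverselookup_fail allow
"""

def logical_lines(text):
    """Join backslash-continued lines, then drop blank lines and # comments."""
    pending = ""
    for raw in text.splitlines() + [""]:      # trailing "" flushes a dangling continuation
        line = pending + raw.rstrip()
        if line.endswith("\\"):
            pending = line[:-1] + " "
            continue
        pending = ""
        if line.strip() and not line.lstrip().startswith("#"):
            yield line.strip()

def effective_config(text):
    """Return (effective settings, findings) for the contents of a tcpd.conf file."""
    last, findings = {}, []
    for line in logical_lines(text):
        fields = line.split()                 # fields are separated by tabs and/or spaces
        if len(fields) != 2 or fields[0] not in DEFAULTS:
            findings.append(f"ignored malformed or unknown entry: {line!r}")  # assumption
            continue
        key, value = fields
        if key in last:
            findings.append(f"{key}: earlier value {last[key]!r} overridden by {value!r}")
        last[key] = value                     # only the last occurring entry is processed
    cfg = dict(DEFAULTS)
    for key, value in last.items():
        if VALID[key](value):
            cfg[key] = value
        else:                                 # invalid entry: the default is used instead
            findings.append(f"{key}: invalid value {value!r}, default {DEFAULTS[key]!r} applies")
    if cfg["on_reverselookup_fail"] == "allow":
        findings.append("reverse-lookup failures are not rejected here; check for a PARANOID rule in hosts.allow/hosts.deny")
    return cfg, findings
```

Calling `effective_config(SAMPLE)` returns the resolved settings together with a list of findings (overridden entries, invalid values, and the `allow` setting) that a reviewer can compare against the intended policy.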
EXAMPLES
To set a 25-second time-out value for RFC931 user name lookup:
To disable the RFC931 user name lookup:
To make tcpd allow a host on reverse lookup failure and process that host as PARANOID in ACLs:
    on_reverselookup_fail allow
To set the extended logging option:
AUTHOR
tcpd.conf was developed by Hewlett-Packard.