Bug 18570 - tcp_wrappers requires DNS
Summary: tcp_wrappers requires DNS
Alias: None
Product: Red Hat Linux
Classification: Retired
Component: tcp_wrappers   
(Show other bugs)
Version: 7.0
Hardware: All Linux
Target Milestone: ---
Assignee: Preston Brown
QA Contact: David Lawrence
Depends On:
TreeView+ depends on / blocked
Reported: 2000-10-06 20:55 UTC by Need Real Name
Modified: 2007-04-18 16:29 UTC (History)
0 users

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2000-10-09 15:44:13 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

Description Need Real Name 2000-10-06 20:55:51 UTC
If ALL:ALL is placed in the hosts.deny and specific exceptions are added
into the hosts.allow, working DNS is required to successfully connect to
any service.  The settings in the nsswitch.conf do not seem to affect this
problem (i.e. I tried setting hosts to just "files" and it didn't use the
/etc/hosts file for authentication).

This is new behavior... 6.2 and 7.0beta did not work this way.  This has
happened on two different machines, one a 6.2 and one a 7.0beta, after
upgrading.  Both computers use the i386 architecture.

Possible reason: tcp_wrappers is now being compiled with -DPARANOID which
will always refuse connections which can't be resolved forwards and
backwards.  This combined with the fact tcp_wrappers sends DNS queries
directly instead of using /etc/nsswitch.conf causes my laptop to refuse all
connections when plugged into my home network and my desktop to refuse all
connections when not dialed into my ISP.

Comment 1 Need Real Name 2000-10-06 21:12:41 UTC
Two things I forgot to mention:

1) I'm not using hostnames in the hosts.allow, just IPs (like
2) The functionality of -DPARANOID can be obtained without compiling with it
on... just use PARANOID as a wildcard... so compiling without it is more

Comment 2 Need Real Name 2000-10-09 15:44:11 UTC
Nevermind!  It looks like I was just confused.  After fixing the hosts.allow to
use the proper names for the daemons (I was using the service names), it works
wonderfully.  I looked at the patches that had been added to tcp_wrappers in 7.0
and none of them looked like they should have affected this.

Now the only question is how it worked before...

Sorry for wasting your time.

(BTW: bugzilla is really nice)

Note You need to log in before you can comment on or make changes to this bug.