If ALL:ALL is placed in the hosts.deny and specific exceptions are added
into the hosts.allow, working DNS is required to successfully connect to
any service. The settings in the nsswitch.conf do not seem to affect this
problem (i.e. I tried setting hosts to just "files" and it didn't use the
/etc/hosts file for authentication).
This is new behavior... 6.2 and 7.0beta did not work this way. This has
happened on two different machines, one a 6.2 and one a 7.0beta, after
upgrading. Both computers use the i386 architecture.
Possible reason: tcp_wrappers is now being compiled with -DPARANOID which
will always refuse connections which can't be resolved forwards and
backwards. This combined with the fact tcp_wrappers sends DNS queries
directly instead of using /etc/nsswitch.conf causes my laptop to refuse all
connections when plugged into my home network and my desktop to refuse all
connections when not dialed into my ISP.
Two things I forgot to mention:
1) I'm not using hostnames in the hosts.allow, just IPs (like 127.0.0.1
2) The functionality of -DPARANOID can be obtained without compiling with it
on... just use PARANOID as a wildcard... so compiling without it is more
Nevermind! It looks like I was just confused. After fixing the hosts.allow to
use the proper names for the daemons (I was using the service names), it works
wonderfully. I looked at the patches that had been added to tcp_wrappers in 7.0
and none of them looked like they should have affected this.
Now the only question is how it worked before...
Sorry for wasting your time.
(BTW: bugzilla is really nice)