TCP Wrappers: Part 2

The TCP Wrapper program, as we all know, can perform a reverse finger on the client host from which a connection originates and log the result to disk, if asked to do so. But if the source IP address were spoofed, TCP Wrapper would be none the wiser: the wrapper programs rely on source address information obtained from network packets, and that information is supplied by the client host. It is not 100 percent reliable, although the wrappers do their best to expose forgeries (the reverse lookup of the client address and the forward lookup of the resulting host name must agree, otherwise the client is treated as suspect).


Let us take a quick look at the functioning of TCP Wrappers.

Almost every application of the TCP/IP protocols is based on a client-server model. For example, when a user invokes the telnet command to connect to one of your systems, a telnet server process is executed on the target host. The telnet server process connects the user to a login process. A few examples of client and server programs are shown in the table below:

client    server    application

telnet    telnetd   remote login
ftp       ftpd      file transfer
finger    fingerd   show users

The wrapper programs rely on a simple but powerful mechanism. Instead of running the desired server program directly, inetd is configured to run a small wrapper program (tcpd). The wrapper logs the client host name or address and performs some additional checks. If there are no glitches, the wrapper executes the desired server program and goes away.

The wrapper programs interact neither with the client user or client process nor with the server application.

This has two major advantages:

1) The wrappers are application-independent. Therefore, the same program can protect different kinds of network services.

2) Lack of interaction also means that the wrappers are invisible from outside (at least for authorized users).

Another important property is that the wrapper programs are active only when the initial contact between client and server is established. Once a wrapper has done its work, there is no overhead on the client-server conversation.
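The decision the wrapper makes between "initial contact" and "execute the real server" is driven by the hosts.allow and hosts.deny files. The following is an added example, not code from the TCP Wrappers distribution: a Python model of that access-control decision, together with the forgery check described earlier (reverse-map the address, forward-map the name, require the address to be in the answer). The sample hosts.allow, hosts.deny and DNS data are constructed for the demo; the EXCEPT operator, the optional shell-command field and IPv6 are not modelled.

```python
"""Model of the tcpd access-control decision (added example, not the
TCP Wrappers source).

A typical inetd.conf entry that puts the wrapper in front of a server
(constructed, field layout as in inetd.conf) looks like:

    telnet  stream  tcp  nowait  root  /usr/sbin/tcpd  in.telnetd

inetd runs tcpd, tcpd consults hosts.allow / hosts.deny, logs, and then
exec()s in.telnetd if access is granted.
"""
import ipaddress

UNKNOWN = "unknown"    # reverse lookup failed
PARANOID = "paranoid"  # reverse and forward lookups disagree

# Constructed sample access files (not copied from a real host).
HOSTS_ALLOW = """\
# daemon_list : client_list
in.telnetd : 192.168.1.0/255.255.255.0, .corp.example
in.ftpd    : 10.0.0.
ALL        : LOCAL
"""
HOSTS_DENY = """\
ALL : PARANOID
ALL : ALL
"""


def parse_rules(text):
    """Return a list of (daemon_patterns, client_patterns) tuples.
    A third ':' field (shell command) is ignored in this model."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = [f.strip() for f in line.split(":")]
        if len(fields) < 2:
            raise ValueError("bad rule: %r" % raw)
        daemons = [d.strip() for d in fields[0].split(",")]
        clients = [c.strip() for c in fields[1].split(",")]
        rules.append((daemons, clients))
    return rules


def identify_client(ip, reverse_lookup, forward_lookup):
    """tcpd's forgery check. Lookups are injected so this runs offline:
    reverse_lookup(ip) -> name or None, forward_lookup(name) -> [ip,...]."""
    name = reverse_lookup(ip)
    if name is None:
        return UNKNOWN
    if ip not in forward_lookup(name):
        return PARANOID
    return name.lower()


def match_client(pattern, ip, name):
    """Match one client pattern from hosts.allow/hosts.deny."""
    p = pattern.lower()
    resolved = name not in (UNKNOWN, PARANOID)
    if p == "all":
        return True
    if p == "paranoid":
        return name == PARANOID
    if p == "unknown":
        return name == UNKNOWN
    if p == "known":
        return resolved
    if p == "local":                     # host name without a dot
        return resolved and "." not in name
    if p.startswith("."):                # domain suffix
        return resolved and name.endswith(p)
    if p.endswith("."):                  # dotted address prefix
        return ip.startswith(p)
    if "/" in p:                         # net/mask
        net, mask = p.split("/", 1)
        network = ipaddress.ip_network(f"{net}/{mask}", strict=False)
        return ipaddress.ip_address(ip) in network
    return p == ip or p == name          # exact address or host name


def match_daemon(pattern, daemon):
    return pattern.lower() == "all" or pattern == daemon


def matches(rules, daemon, ip, name):
    return any(any(match_daemon(d, daemon) for d in ds)
               and any(match_client(c, ip, name) for c in cs)
               for ds, cs in rules)


def access_decision(daemon, ip, name,
                    allow_text=HOSTS_ALLOW, deny_text=HOSTS_DENY):
    """tcpd order: hosts.allow grants first, hosts.deny refuses next,
    and a client matching neither file is granted access."""
    if matches(parse_rules(allow_text), daemon, ip, name):
        return "allow"
    if matches(parse_rules(deny_text), daemon, ip, name):
        return "deny"
    return "allow"


# Constructed fake DNS for the offline demo (203.0.113.9 reverse-maps to a
# name whose forward record points elsewhere, i.e. an inconsistent client).
REVERSE = {"192.168.1.20": "dev7.corp.example", "10.0.0.5": "ws5",
           "203.0.113.9": "trusted.corp.example"}
FORWARD = {"dev7.corp.example": ["192.168.1.20"], "ws5": ["10.0.0.5"],
           "trusted.corp.example": ["203.0.113.7"]}


def demo(daemon, ip):
    name = identify_client(ip, REVERSE.get, lambda n: FORWARD.get(n, []))
    return access_decision(daemon, ip, name)


if __name__ == "__main__":
    for d, ip in [("in.telnetd", "192.168.1.20"), ("in.telnetd", "203.0.113.9"),
                  ("in.ftpd", "10.0.0.5"), ("in.fingerd", "198.51.100.4")]:
        print(d, ip, "->", demo(d, ip))
```

Note what the paranoid check does and does not catch: a client whose reverse and forward DNS disagree is refused by the ALL : PARANOID line, but a packet with a forged source address that has consistent DNS records (or none at all, if the deny file were less strict) passes, which is exactly the limitation the opening paragraph describes.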

But like everything else, this mechanism has its drawbacks. A major one is that, because the wrappers go away after the initial contact between client and server processes, they are of little use with network daemons that service more than one client: the wrappers only see the first client attempt to contact such a server. The NFS mount daemon is a typical example of a daemon that services requests from multiple clients.