Information
NOTE: Update the value of HOSTS_DENIED_NETWORK with the appropriate value for the local environment.
Solution
To enable TCP Wrappers, run the following commands:
1. Create and customize your policy in /etc/hosts.allow:
# echo "ALL: <net>/<mask>, <net>/<mask>" > /etc/hosts.allow
where each <net>/<mask> pair (for example, 192.168.1.0/255.255.255.0 for the 192.168.1.0/24 block) is one network in use by your organization that legitimately needs access to this system. TCP Wrappers consults /etc/hosts.allow first and grants access on the first match; only clients matching nothing there fall through to /etc/hosts.deny (see hosts_access(4)). Make sure the list includes the network you administer the system from, and note that the echo command replaces any existing /etc/hosts.allow.
2. Create a default deny policy in /etc/hosts.deny:
# echo "ALL: ALL" >/etc/hosts.deny
3. Enable TCP Wrappers for all services started by inetd:
# inetadm -M tcp_wrappers=TRUE
To protect only specific inetd services, use the command:
# inetadm -m <FMRI> tcp_wrappers=TRUE
To enable TCP Wrappers for the RPC port mapping service, use the commands:
# svccfg -s rpc/bind setprop config/enable_tcpwrappers=true
# svcadm refresh rpc/bind
The versions of SSH and sendmail that ship with Solaris 11 will automatically use TCP Wrappers to filter access if a hosts.allow or hosts.deny file exists. To protect UDP and RPC-based services that are spawned from inetd, consider implementing a host-based firewall such as Solaris IP Filter. See ipfilter(5) for more information.
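The procedure above, gathered into one script as an added example (this is not text from the benchmark and not Solaris code): it validates each <net>/<mask> entry before anything is written, writes both policy files together, provides an audit check that also catches an "ALL: ALL" accidentally placed in hosts.allow, and only then runs the inetadm/svccfg/svcadm commands listed above. The sample network list, the apply/audit arguments and the TCPW_ETC override are assumptions for illustration; the file-handling parts are plain POSIX sh and run anywhere, while enable_wrappers requires a Solaris 11 host and root.

```shell
#!/bin/sh
# Added example (not from the benchmark): build, check and apply a TCP Wrappers
# policy for Solaris 11. Run as root with "apply" or "audit"; with no argument
# it only prints usage, so sourcing it defines the functions without side effects.

# Constructed sample networks (assumption). Replace with the blocks that need
# access, and include the network you administer the host from, otherwise the
# "ALL: ALL" in hosts.deny locks you out.
ALLOWED_NETS="192.168.1.0/255.255.255.0 10.10.0.0/255.255.0.0"

# Directory holding hosts.allow/hosts.deny; TCPW_ETC is an assumed override for testing.
POLICY_DIR="${TCPW_ETC:-/etc}"

# Accept only n.n.n.n/n.n.n.n with in-range octets and a contiguous netmask.
# A typo such as 255.255.0.255 would otherwise widen the allowed range silently.
valid_net_mask() {
    case "$1" in */*) ;; *) return 1 ;; esac
    vm_net=${1%/*}
    vm_mask=${1#*/}
    for vm_addr in "$vm_net" "$vm_mask"; do
        set -- $(printf '%s' "$vm_addr" | tr '.' ' ')
        [ $# -eq 4 ] || return 1
        for vm_o in "$@"; do
            # decimal 0-255 without leading zeros (leading zeros would be read as octal below)
            case "$vm_o" in 0|[1-9]|[1-9][0-9]|[1-9][0-9][0-9]) ;; *) return 1 ;; esac
            [ "$vm_o" -le 255 ] || return 1
        done
    done
    # Contiguity: the complement of a valid mask is 2^k - 1, so inv & (inv + 1) == 0.
    set -- $(printf '%s' "$vm_mask" | tr '.' ' ')
    vm_m=$(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
    vm_inv=$(( 4294967295 - vm_m ))
    [ $(( vm_inv & (vm_inv + 1) )) -eq 0 ]
}

# Render the single hosts.allow line the procedure writes: "ALL: net/mask, net/mask".
hosts_allow_line() {
    hl_line="ALL: "
    hl_sep=""
    for hl_n in "$@"; do
        hl_line="$hl_line$hl_sep$hl_n"
        hl_sep=", "
    done
    printf '%s\n' "$hl_line"
}

# Validate every entry, then write both files. Refuses to touch the files if any
# entry is malformed, so a typo cannot leave the host with a half-written policy.
write_policy() {
    wp_dir=$1; shift
    [ $# -gt 0 ] || { echo "write_policy: no networks given" >&2; return 1; }
    for wp_n in "$@"; do
        valid_net_mask "$wp_n" || { echo "write_policy: bad entry '$wp_n'" >&2; return 1; }
    done
    ( umask 022
      hosts_allow_line "$@" > "$wp_dir/hosts.allow" &&
      printf 'ALL: ALL\n' > "$wp_dir/hosts.deny" )
}

# Audit: hosts.deny carries the default-deny rule, hosts.allow has at least one
# entry after "ALL:", and hosts.allow does not itself say "ALL: ALL".
audit_policy() {
    ap_dir=$1
    ap_ok=0
    grep -q '^ALL:[[:space:]]*ALL[[:space:]]*$' "$ap_dir/hosts.deny" 2>/dev/null ||
        { echo "FAIL: $ap_dir/hosts.deny lacks 'ALL: ALL'" >&2; ap_ok=1; }
    grep -q '^ALL:[[:space:]]*[^[:space:]]' "$ap_dir/hosts.allow" 2>/dev/null ||
        { echo "FAIL: $ap_dir/hosts.allow has no ALL: entries" >&2; ap_ok=1; }
    if grep -q '^ALL:[[:space:]]*ALL[[:space:]]*$' "$ap_dir/hosts.allow" 2>/dev/null; then
        echo "FAIL: $ap_dir/hosts.allow contains 'ALL: ALL', which defeats the deny rule" >&2
        ap_ok=1
    fi
    return $ap_ok
}

# The Solaris 11 commands from the procedure above (inetd default, then rpc/bind).
enable_wrappers() {
    inetadm -M tcp_wrappers=TRUE &&
    svccfg -s rpc/bind setprop config/enable_tcpwrappers=true &&
    svcadm refresh rpc/bind
}

case "${1:-}" in
    apply)
        # $ALLOWED_NETS is intentionally unquoted so it splits into one argument per entry
        write_policy "$POLICY_DIR" $ALLOWED_NETS && enable_wrappers ;;
    audit)
        audit_policy "$POLICY_DIR"
        inetadm -p | grep tcp_wrappers ;;
    *)
        printf 'usage: %s apply|audit\n' "$0" ;;
esac
```

Apply it from one session and run the audit from a second, already-open session, then confirm from a host outside the allowed blocks that a wrapped service now refuses the connection before closing the first session.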