Oracle® Linux 8

Configuring the Firewall

F20786-02
February 2020
Oracle Legal Notices

Copyright © 2019,2020 Oracle and/or its affiliates. All rights reserved.

This software and related documentation are provided under a license agreement containing restrictions on use and
disclosure and are protected by intellectual property laws. Except as expressly permitted in your license agreement
or allowed by law, you may not use, copy, reproduce, translate, broadcast, modify, license, transmit, distribute,
exhibit, perform, publish, or display any part, in any form, or by any means. Reverse engineering, disassembly, or
decompilation of this software, unless required by law for interoperability, is prohibited.

The information contained herein is subject to change without notice and is not warranted to be error-free. If you find
any errors, please report them to us in writing.

If this is software or related documentation that is delivered to the U.S. Government or anyone licensing it on behalf of
the U.S. Government, then the following notice is applicable:

U.S. GOVERNMENT END USERS: Oracle programs, including any operating system, integrated software, any
programs installed on the hardware, and/or documentation, delivered to U.S. Government end users are "commercial
computer software" pursuant to the applicable Federal Acquisition Regulation and agency-specific supplemental
regulations. As such, use, duplication, disclosure, modification, and adaptation of the programs, including any
operating system, integrated software, any programs installed on the hardware, and/or documentation, shall be
subject to license terms and license restrictions applicable to the programs. No other rights are granted to the U.S.
Government.

This software or hardware is developed for general use in a variety of information management applications. It is not
developed or intended for use in any inherently dangerous applications, including applications that may create a risk
of personal injury. If you use this software or hardware in dangerous applications, then you shall be responsible to
take all appropriate fail-safe, backup, redundancy, and other measures to ensure its safe use. Oracle Corporation
and its affiliates disclaim any liability for any damages caused by use of this software or hardware in dangerous
applications.

Oracle and Java are registered trademarks of Oracle and/or its affiliates. Other names may be trademarks of their
respective owners.

Intel and Intel Xeon are trademarks or registered trademarks of Intel Corporation. All SPARC trademarks are used
under license and are trademarks or registered trademarks of SPARC International, Inc. AMD, Opteron, the AMD
logo, and the AMD Opteron logo are trademarks or registered trademarks of Advanced Micro Devices. UNIX is a
registered trademark of The Open Group.

This software or hardware and documentation may provide access to or information about content, products, and
services from third parties. Oracle Corporation and its affiliates are not responsible for and expressly disclaim all
warranties of any kind with respect to third-party content, products, and services unless otherwise set forth in an
applicable agreement between you and Oracle. Oracle Corporation and its affiliates will not be responsible for any
loss, costs, or damages incurred due to your access to or use of third-party content, products, or services, except as
set forth in an applicable agreement between you and Oracle.

Abstract

Oracle® Linux 8: Configuring the Firewall describes how to set up and configure the firewall service on Oracle Linux 8
systems. This document also provides a brief description of the nftables kernel module and how to migrate existing
iptables and ipv6tables rules to nftables. TCP wrapper functionality is also described.

Document generated on: 2020-02-12 (revision: 9257)

Table of Contents
Preface .............................................................................................................................................. v
1 Configuring a Packet Filtering Firewall ............................................................................................. 1
1.1 About Packet-Filtering Firewalls ............................................................................................ 1
1.2 Firewall Configuration Tools .................................................................................................. 2
1.3 Controlling the Firewall Service ............................................................................................. 3
1.4 About Zones and Services .................................................................................................... 3
1.4.1 Displaying Information About Zones ........................................................................... 3
1.4.2 Displaying Zone Settings ........................................................................................... 4
1.5 Configuring firewalld Zones ................................................................................................... 4
1.5.1 Controlling Access to Services ................................................................................... 4
1.5.2 Controlling Access to Ports ........................................................................................ 5
1.5.3 Assigning a Network Interface to a Zone .................................................................... 5
1.5.4 Changing the Default Zone ........................................................................................ 6
1.5.5 Setting a Default Rule for Controlling Incoming Traffic ................................................. 6
1.5.6 Managing Incoming Traffic Based on Sources ............................................................. 6
1.6 Creating Customized Zones for Firewall Implementation ......................................................... 7
1.6.1 Using the firewall-cmd Command ............................................................................... 7
1.6.2 Using a Zone Configuration File ................................................................................. 8
2 Using the nftables Framework ......................................................................................................... 9
2.1 Converting iptables to nftables .............................................................................................. 9
3 Using TCP Wrappers to Filter Network Traffic ................................................................................ 11
3.1 Configuring TCP Wrappers ................................................................................................. 11

iii
iv
Preface
Oracle® Linux 8: Configuring the Firewall describes how to secure the network by using firewalld
to implement rules that control traffic that flows to and from Oracle Linux 8 systems. Additionally, it also
describes how to use the nftables framework and TCP wrappers to further control network access to
these systems.

Audience
This document is intended for administrators who need to configure and administer Oracle Linux
networking. It is assumed that readers are familiar with web technologies and have a general
understanding of using the Linux operating system, including knowledge of how to use a text editor such
as emacs or vim, essential commands such as cd, chmod, chown, ls, mkdir, mv, ps, pwd, and rm, and
using the man command to view manual pages.

Document Organization
The document is organized into the following chapters:

• Chapter 1, Configuring a Packet Filtering Firewall describes how to use firewalld to configure packet
filtering.

• Chapter 2, Using the nftables Framework describes how to use the nftables framework to control
network traffic.

• Chapter 3, Using TCP Wrappers to Filter Network Traffic describes how to use TCP wrappers to control
network traffic.

Related Documents
The documentation for this product is available at:

Oracle® Linux 8 Documentation

Conventions
The following text conventions are used in this document:

Convention Meaning
boldface Boldface type indicates graphical user interface elements associated with an
action, or terms defined in text or the glossary.
italic Italic type indicates book titles, emphasis, or placeholder variables for which
you supply particular values.
monospace Monospace type indicates commands within a paragraph, URLs, code in
examples, text that appears on the screen, or text that you enter.

Documentation Accessibility
For information about Oracle's commitment to accessibility, visit the Oracle Accessibility Program website
at
https://www.oracle.com/corporate/accessibility/.

v
 Access to Oracle Support

Access to Oracle Support

Oracle customers that have purchased support have access to electronic support through My Oracle
Support. For information, visit
https://www.oracle.com/corporate/accessibility/learning-support.html#support-tab.

vi
Chapter 1 Configuring a Packet Filtering Firewall

Table of Contents
1.1 About Packet-Filtering Firewalls .................................................................................................... 1
1.2 Firewall Configuration Tools .......................................................................................................... 2
1.3 Controlling the Firewall Service ..................................................................................................... 3
1.4 About Zones and Services ............................................................................................................ 3
1.4.1 Displaying Information About Zones ................................................................................... 3
1.4.2 Displaying Zone Settings ................................................................................................... 4
1.5 Configuring firewalld Zones ........................................................................................................... 4
1.5.1 Controlling Access to Services ........................................................................................... 4
1.5.2 Controlling Access to Ports ................................................................................................ 5
1.5.3 Assigning a Network Interface to a Zone ............................................................................ 5
1.5.4 Changing the Default Zone ................................................................................................ 6
1.5.5 Setting a Default Rule for Controlling Incoming Traffic ......................................................... 6
1.5.6 Managing Incoming Traffic Based on Sources ..................................................................... 6
1.6 Creating Customized Zones for Firewall Implementation ................................................................. 7
1.6.1 Using the firewall-cmd Command ....................................................................................... 7
1.6.2 Using a Zone Configuration File ......................................................................................... 8

This chapter describes the concepts, tools, and methods for configuring the firewall by using packet
filtering. It also provides examples for displaying the firewall settings that enforce network security on a
system.

1.1 About Packet-Filtering Firewalls

A firewall filters incoming and outgoing network packets, based on packet header information. You create
packet filter rules that determine whether packets are accepted or rejected. If you create a rule to block
a port, any request to that port is rejected by the firewall and the request is ignored. Any service that is
listening on a blocked port is effectively disabled.

The Oracle Linux kernel uses the Netfilter feature to provide packet filtering functionality for IPv4 and IPv6
packets.

Netfilter consists of two components:

• A netfilter kernel component consisting of a set of tables in memory for the rules that the kernel
uses to control network packet filtering.

• Utilities to create, maintain, and display the rules that netfilter stores. In Oracle Linux 8, the default
firewall utility is the firewall-cmd, which is provided by the firewalld package.

The firewalld-based firewall has the following advantages:

• The firewalld-cmd utility does not restart the firewall and disrupt established TCP connections.

• firewalld supports dynamic zones, which enable you to implement different sets of firewall rules for
systems such as laptops that can connect to networks with different levels of trust. However, this feature
is not typically used on server systems.

• firewalld supports D-Bus for better integration with services that depend on firewall configuration.

1
 Firewall Configuration Tools

1.2 Firewall Configuration Tools

You can configure the firewall by using one of two tools:

• By using the firewall-cmd command and its multiple options.

• By using the Firewall Configuration GUI

To use this tool you must install the firewall-config package first, then launch it by using the same
command as the package name, for example:
# dnf install firewall-config
# firewall-config &

The command opens the configuration tool, as shown in the following figure.

Figure 1.1 Firewall Configuration

• Cockpit is a browser-based configuration tool that you can also use to perform simple firewall
configurations. See https://docs.oracle.com/en/operating-systems/oracle-linux/8/obe-cockpit-network/
index.html.

2
 Controlling the Firewall Service

1.3 Controlling the Firewall Service

In Oracle Linux 8, the firewall service, firewalld, is enabled by default. The service is controlled by the
systemctl command.

To start the service:

# systemctl unmask firewalld
# systemctl start firewalld

To ensure that the service starts automatically when the system starts, run the following command after
starting the firewall:
# systemctl enable firewalld

To stop the firewall service and prevent it from automatically starting when the system starts, run the
following command:
# systemctl stop firewalld
# systemctl disable firewalld

To prevent the firewall service from being started by other services or through the firewalld D-Bus
interface, run the following command after disabling the firewall:
# systemctl mask firewalld

To display the current status of the firewall service:

# systemctl status firewalld
firewalld.service - firewalld - dynamic firewall daemon
Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled; vendor pr
Active: active (running) since Fri 2019-08-02 07:28:13 PDT; 32min ago
Docs: man: firewalld(1)
Main PID: 819 (firewalld)
Tasks: 2 (limit: 11526)
CGroup: /system.slice/firewalld.service
|_819 /usr/libexec/platform-python -s /usr/sbin/firewalld --nofork --nopid

1.4 About Zones and Services

Firewall security is implemented through the concepts of zones and services.

Zones are predefined sets of filtering rules that correspond to levels of trust for network access. You can
add to the default filtering rules of a zone by reconfiguring the zone's settings and therefore refine the
zone's control of traffic flow. When you install Oracle Linux, a default zone called public is automatically
assigned to the system.

Firewall rules are applied through services that are assigned to a zone. The service ports are the access
points of network traffic. Services assigned to a zone automatically have their ports opened to receive and
send network packets.

For more information about zones and firewall-related services, see the firewalld.zone(5) and the
firewalld.services(5) manual pages.

1.4.1 Displaying Information About Zones

When you configure the firewall for zones, displaying the current zone and service settings and other
information as part of the configuration steps is a good practice. With this approach you can monitor the
changes you are introducing to the firewall and identify potential errors that would make your changes
invalid.

3
 Displaying Zone Settings

To display the system's default zone, run the following command:

# firewall-cmd --get-default
public

List all the predefined zones that are included in the installation as follows:
# firewall-cmd --get-zones
block dmz drop external home internal public trusted work

You can configure any zone in the list. As you make changes to a particular zone, that zone becomes an
active zone. To identify the active zone, type the following:
# firewall-cmd --get-active-zone

Note

By default, all of the configurations are implemented on the default zone. Note also
that an active zone is not necessarily the default zone. Therefore, you must specify
the zone name in the command to define settings for that specific zone. Otherwise,
the definitions will be applied to the default zone.

1.4.2 Displaying Zone Settings

To obtain the settings of a zone:
# firewall-cmd --list-all [--zone=zonename]

Without specifying a zone, the command displays the settings of the default zone. Thus, if you want to list
the settings of the work zone, you would use the following command;
# firewall-cmd --list-all --zone=work
work
target: default
icmp-clock-inversion: no
interfaces:
sources:
services: cockpit dhcpv6-client mdns samba-client ssh
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:

1.5 Configuring firewalld Zones

The following tasks describe how to use the firewall-cmd command to configure firewall rules for a
zone. The rules are then recorded in the /etc/firewalld hierarchy for firewalld.

Configuring the firewall means setting all or some of a zone settings to specific values to enable the firewall
to control network traffic according to your specifications.

1.5.1 Controlling Access to Services

Setting the services of a zone is the simplest way to configure the firewall. Each zone has predefined
services assigned to it. To configure this setting further, you either add services to the zone or remove
services from the zone.

To list predefined services, use the firewall-cmd --list-services command.

4
 Controlling Access to Ports

For example, the following command shows that the work zone has the cockpit, dhcpv6-client,
mdns, samba-client, and ssh services assigned to it:
# firewall-cmd --list-services --zone=work
cockpit dhcpv6-client mdns samba-client ssh
...

To allow access to a new service, use the --add-service service option. Include the --permanent
option to make the rule persistent across reboots.

For example, to add the HTTP and NFS services to the work zone, you would use the following command:
# firewall-cmd [--permanent] --zone=work --add-service=http --add-service=nfs
success
# firewall-cmd --list-services --zone=work
cockpit dhcpv6-client mdns samba-client ssh http nfs

To remove access to a service, use the --remove-service service option:

# firewall-cmd [--permanent] --zone=work --remove-service=samba-client
success
# firewall-cmd --list-services --zone=work
cockpit dhcpv6-client mdns ssh http nfs

1.5.2 Controlling Access to Ports

Network traffic through the zone's services uses the ports of those services. Ports should be opened to
accept traffic. You can open additional ports for network access by specifying the port number and the
associated protocol.

The --list-ports option lists the ports and associated protocols to which you have explicitly allowed
access. However, ports that have been opened as a service are not included in this command's output.
Therefore, when listing ports, the best practice is to use the --list-all option to obtain more complete
information.

Use the --add-port option to allow access to specific ports. Ports must be specified by using the format
port-number/port-type. Port types can be tcp, udp, sctp, or dccp. Ensure that the type and the
network traffic match, for example:
# firewall-cmd [--permanent] --zone=work --add-port=5353/udp --add-port=3689/tcp
success
# firewall-cmd --list-all --zone=work
work
target: default
icmp-clock-inversion: no
interfaces:
sources:
services: cockpit dhcpv6-client mdns ssh http nfs
ports: 5353/udp 3689/tcp
...

Similarly, the --remove-port option removes access to a port. Remember to use the --permanent
option if you want to make the change persist.

For more information, see the firewall-cmd(1) manual page.

1.5.3 Assigning a Network Interface to a Zone

A system's network interface is automatically assigned to the default zone. In Oracle Linux, you can
configure multiple zones with their specific services, ports, and so on. You then activate a specific zone's

5
 Changing the Default Zone

rules to become operative by assigning the interface to that zone. Thus, you have the flexibility to easily
change the firewall rules that are active on the system simply by reassigning the network interface.

Suppose that you want to activate the firewall configuration of the work zone. You would assign the
interface to the zone as follows:
# firewall-cmd --zone=work --change-interface=enp0s1
success
# firewall-cmd --get-active-zone
work
interfaces: enp0s1

Note

You do not need to use the --permanent option to make the setting persist across
reboots. If you set the zone to be the default zone, as explained in Section 1.5.4,
“Changing the Default Zone”, then the interface reassignment becomes permanent.

1.5.4 Changing the Default Zone

You can change a system's default zone as follows:
# firewall-cmd --get-default-zone
public
# firewall-cmd --set-default-zone=work
success
# firewall-cmd --get-default-zone
work

To display the entire and final results of your configuration:

# firewall-cmd --zone=work --list-all
work (active)
target: default
interfaces: enp0s1
sources:
services: cockpit dhcpv6-client mdns ssh http nfs
ports: 5353/udp 3689/tcp
...

1.5.5 Setting a Default Rule for Controlling Incoming Traffic

The target setting establishes the default behavior of the firewall when managing incoming traffic. This
zone setting is automatically configured to default for all the predefined zones. To change the default
behavior of a zone, use the following command;
# firewall-cmd --zone=zone-name --set-target=ACCEPT|REJECT|DROP

You can specify the following options:

• ACCEPT allows all incoming traffic except those you have set to be rejected in another rule.

• REJECT blocks all incoming traffic except those you have allowed in another rule. The source machine is
informed about the rejecion.

• DROP is similar to REJECT but no notice of the rejection is sent to the source machine.

1.5.6 Managing Incoming Traffic Based on Sources

You can manage incoming traffic to a zone based on the traffic source. The two following two zone settings
enable you to specify the origin of the packets:

6
 Creating Customized Zones for Firewall Implementation

• source identifies the sending node or network.

• source-ports identifies the port from which traffic originates.

To allow incoming traffic from a sending node, use the following command:
# firewall-cmd --zone=zone-name --add-source=IP-address
# firewall-cmd --runtime-to-permanent

Note that the IP address can include the netmask in CIDR notation, such as 192.0.2.0/24.

In the example, the second command makes the setting permanent. Omit this command if you are setting
a temporary configuration that will be dropped if the system is rebooted.

The following similar syntax is used to set the source-port setting. However, you identify the source port
by specifying the sending port number and the protocol type, for example:
# firewall-cmd --zone=zone-name --add-source-ports=port-number/tcp|udp|sctp|dccp

You can combine different settings to configure the firewall. Specifically, the trusted zone can be
configured to accept HTTP traffic from the 192.0.2.0 network source, as shown in the following example:
# firewall-cmd --zone=trusted --add-source=192.0.2.0/24
# firewall-cmd --zone=trusted --add-service=http
# firewall-cmd --zone=trusted --list-all
trusted (active)
target: ACCEPT
sources: 192.0.2.0/24
services: http

1.6 Creating Customized Zones for Firewall Implementation

You can create zones and then configure the zone's settings for a customized firewall protection.

1.6.1 Using the firewall-cmd Command

As shown in the following example, you can use the firewall-cmd command-line interface (CLI) to
create an empty zone, which means that no default services are assigned. When configuring a customized
zone, you must always include the --permanent option in the command. Otherwise, an error message is
generated.
# firewall-cmd --permanent --new-zone=testzone
# firewall-cmd --permanent --get-zones
block dmz drop external home internal testzone public trusted work
# firewall-cmd --permanent --info-zone=testzone
testzone
target: default
icmp-block-inversion: no
interfaces:
sources:
services:
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:

Without the --permanent option, the --get-zones option does not display the created zone.

The --info-zone=zone-name option generates the same output as the --list-all option.

7
 Using a Zone Configuration File

To make this zone creation persistent, add the following command:

# firewall-cmd --runtime-to-permanent

After creating the zone, you can add services, ports, assign interfaces, and so on, by using the command
options that are provided in the previous examples:
# firewall-cmd --zone=testzone --add-service=http
Error: INVALID ZONE: testzone
# firewall-cmd --permanent --zone=testzone --add-service=http
success

Ensure that you use the --permanent option when using all of these commands.

1.6.2 Using a Zone Configuration File

All zones have corresponding configuration files. For the predefined zones that are installed with the
operating system, the configuration files are in the /usr/lib/firewalld/zones directory.

When you configure a predefined zone, the configuration file is copied to the /etc/firewalld/zones
directory and the changes are stored in that location. If you use a configuration file to create new zones,
you must also use /etc/firewalld/zones as the working directory.

If you are creating a zone with only minor differences from the settings of predefined zones, copying
an existing configuration file to the working directory is the easiest approach. You can use either of the
following commands:
# cp /etc/firewalld/zones/existing-conf-file.xml new-zone.xml

# cp /usr/lib/firewalld/zones/existing-conf-file.xml /etc/firewalld/zones/new-zone.xml

Then, using a text editor, revise the settings in the new configuration file. The following example shows
what the configuration file of testzone might contain. Specifically, testzone accepts traffic for one
service (SSH) and one port range for the TCP and UDP protocols:
<?xml version="1.0" encoding="utf-8"?>
<zone>
<short>testzone</short>
<description>Put description here</description
<service name="ssh"/>
<port port="1025-65535" protocol="tcp"/>
<port port="1025-65535" protocol="udp"/>
</zone>

8
Chapter 2 Using the nftables Framework

Table of Contents
2.1 Converting iptables to nftables ...................................................................................................... 9

This chapter describes how to convert iptables and ip6tables to the nftables framework.

The nftables framework is the default network packet filtering framework in Oracle Linux and replaces
the iptables framework. The nftables framework includes packet classification facilities, added
convenience, and improved performance over the iptables framework that was used in previous
releases. For more information, see the Oracle® Linux 8: Release Notes for Oracle Linux 8 for more
details.

2.1 Converting iptables to nftables

If you query the system's iptables version, Oracle Linux 8 would clearly indicate that nftables is used
as the packet filtering framework:
# iptables --version
iptables v1.8.2 (nf_tables)

Otherwise, the output would be similar to the following example:

# iptables --version
iptables version (legacy)

Utilities are available to convert filter rules in iptables and ip6tables to their equivalents in the
nftables framework. Choose from one of the following ways.

• Use the iptables-translate or ip6tables-translate commands, depending on the type of

tables you want to convert. If a rule cannot be translated due to an unsupported extension in the rule, the
command prints the untranslated rule preceded by the # sign.
# iptables-translate -A INPUT -j CHECKSUM --checksum-fill
nft # -A INPUT -j CHECKSUM --checksum-fill

• Save the rules to a dump file, then use the iptables-restore-translate or ip6tables-
restore-translate command, depending on the type of tables you want to convert.
# iptables-save > /tmp/iptables.dump
# iptables-restore-translate -f /tmp/iptables.dump
translated-rules

9
10
Chapter 3 Using TCP Wrappers to Filter Network Traffic

Table of Contents
3.1 Configuring TCP Wrappers ......................................................................................................... 11

This chapter describes how to control incoming network traffic by using TCP wrappers.

3.1 Configuring TCP Wrappers

TCP wrappers provide basic filtering of incoming network traffic. You can allow or deny access from other
systems to certain wrapped network services running on a Linux server. A wrapped network service is one
that has been compiled against the libwrap.a library. You can use the ldd command to determine if a
network service has been wrapped, as shown in the following example for the sshd daemon:
# ldd /usr/sbin/sshd | grep libwrap
libwrap.so.0 => /lib64/libwrap.so.0 (0x00007f877de07000)

When a remote client attempts to connect to a network service on the system, the wrapper consults the
rules in the configuration files /etc/hosts.allow and /etc/hosts.deny files to determine if access is
permitted.

The wrapper for a service first reads /etc/hosts.allow from top to bottom. If the daemon and client
combination matches an entry in the file, access is allowed. If the wrapper does not find a match in /etc/
hosts.allow, it reads /etc/hosts.deny from top to bottom. If the daemon and client combination
matches and entry in the file, access is denied. If no rules for the daemon and client combination are found
in either file, or if neither file exists, access to the service is allowed.

The wrapper first applies the rules that are specified in /etc/hosts.allow, so these rules take
precedence over the rules specified in /etc/hosts.deny. If a rule that is defined in /etc/
hosts.allow permits access to a service, any rule in /etc/hosts.deny that forbids access to the
same service is ignored.

The rules take the following form:

daemon_list : client_list [: command] [: deny]

where daemon_list and client_list are comma-separated lists of daemons and clients, and
the optional command is run when a client tries to access a daemon. You can use the keyword ALL to
represent all daemons or all clients. Subnets can be represented by using the * wildcard, for example
192.168.2.*. Domains can be represented by prefixing the domain name with a period (.), for example
.mydomain.com. The optional deny keyword causes a connection to be denied even for rules specified in
the /etc/hosts.allow file.

The following are some sample rules:

• Match all of the clients for scp, sftp, and ssh access (sshd).
sshd : ALL

• Match all clients on the 192.168.2 subnet for FTP access (vsftpd).
vsftpd : 192.168.2.*

• Match all clients in the mydomain.com domain for access to all wrapped services.

11
 Configuring TCP Wrappers

ALL : .mydomain.com

• Match all clients for FTP access, and displays the contents of the banner file /etc/banners/vsftpd
(the banner file must have the same name as the daemon).
vsftpd : ALL : banners /etc/banners/

• Match all clients on the 200.182.68 subnet for all wrapped services, and logs all such events. The %c
and %d tokens are expanded to the names of the client and the daemon.
ALL : 200.182.68.* : spawn /usr/bin/echo `date` “Attempt by %c to connect to %d" >> /var/log/tcpwr.log

• Match all clients for scp, sftp, and ssh access, and logs the event as an emerg message, which is
displayed on the console.
sshd : ALL : severity emerg

• Match all clients in the forbid.com domain for scp, sftp, and ssh access, logs the event, and deny
access (even if the rule appears in /etc/hosts.allow).
sshd : .forbid.com : spawn /usr/bin/echo `date` "sshd access denied for %c" >>/var/log/sshd.log : deny

For more information, see the hosts_access(5) manual page.

12