
TCP Wrapper


This is an old revision of this page, as edited by DukeAnt at 15:31 on 28 October 2014 (Tuesday). It may differ significantly from the current revision.

TCP Wrapper
Developer: Wietse Venema
Current version: 7.6 (8 April 1997)
Operating system: Unix-like
Type: Security
License: BSD license
Website: [1]

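TCP Wrapper is a host-based network access control list (ACL) system, used to filter network access to Unix-like operating systems such as Linux or BSD. It allows host or subnet IP addresses, names, and ident query replies to be used as the tokens on which access control filtering is based.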

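The original code was written around 1990 by the Dutchman Wietse Venema to monitor hacker activity on the Unix workstations of the Department of Mathematics and Computer Science at Eindhoven University of Technology.[1] Wietse Venema maintained the program until 1995; on 1 June 2001 it was released under its own BSD-style license.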

The tarball includes a library named libwrap that implements the actual functionality. Initially, only services that were spawned for each connection from a super-server (such as inetd) got wrapped, utilizing the tcpd program. However, most common network service daemons today can be linked against libwrap directly. This is used by daemons that operate without being spawned from a super-server, or when a single process handles multiple connections. Otherwise, only the first connection attempt would get checked against its ACLs.

When compared to host access control directives often found in daemons' configuration files, TCP Wrappers have the benefit of runtime ACL reconfiguration (i.e., services don't have to be reloaded or restarted) and a generic approach to network administration.

This makes it easy for anti-worm scripts, such as DenyHosts or Fail2ban, to add and expire client-blocking rules when excessive connections and/or many failed login attempts are encountered.
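
The add-and-expire cycle described above, as an added example (not code from DenyHosts, Fail2ban or TCP Wrappers): it counts failed logins in constructed sshd-style log lines and rewrites text in the `daemon: client` format of `hosts.deny`. The log lines, the threshold, the lifetime and the `# autoblock expires=` marker line are assumptions made for this example.

```python
import re
from collections import Counter

# Constructed sshd-style log lines; addresses are from documentation ranges.
SAMPLE_LOG = """\
Oct 28 15:01:02 host sshd[311]: Failed password for root from 203.0.113.7 port 4022 ssh2
Oct 28 15:01:05 host sshd[311]: Failed password for invalid user admin from 203.0.113.7 port 4023 ssh2
Oct 28 15:01:09 host sshd[312]: Failed password for root from 203.0.113.7 port 4024 ssh2
Oct 28 15:02:11 host sshd[313]: Failed password for alice from 198.51.100.9 port 5100 ssh2
Oct 28 15:02:15 host sshd[313]: Accepted password for alice from 198.51.100.9 port 5100 ssh2
"""

# Anchored at end of line and greedy, so the address is always the one sshd
# appended, never text inside the client-chosen user name.
FAILED = re.compile(r"Failed password for .* from (\d{1,3}(?:\.\d{1,3}){3}) port \d+ ssh2$", re.M)
MARK = "# autoblock expires="  # hypothetical marker line, used only by this example


def offenders(log_text, threshold=3):
    """Return the addresses with at least `threshold` failed logins."""
    counts = Counter(FAILED.findall(log_text))
    return sorted(ip for ip, n in counts.items() if n >= threshold)


def update_rules(rules_text, block_ips, now, ttl=3600, daemon="sshd"):
    """Return new hosts.deny text: expired automatic rules dropped, new ones added.

    An automatic rule is a MARK comment line followed by its rule line;
    every other line (hand-written rules, comments) is kept untouched."""
    lines, kept, blocked, i = rules_text.splitlines(), [], set(), 0
    while i < len(lines):
        if lines[i].startswith(MARK) and i + 1 < len(lines):
            marker, rule = lines[i], lines[i + 1]
            i += 2
            if int(marker[len(MARK):]) <= now:
                continue  # expired: drop the marker and its rule
            blocked.add(rule.split(":", 1)[1].strip())
            kept += [marker, rule]
        else:
            kept.append(lines[i])
            i += 1
    for ip in block_ips:
        if ip not in blocked:  # do not duplicate a block that is still live
            kept += [f"{MARK}{now + ttl}", f"{daemon}: {ip}"]
    return "\n".join(kept) + "\n"


if __name__ == "__main__":
    print(update_rules("ALL: .example.net\n", offenders(SAMPLE_LOG), now=1000), end="")
```

As the preceding paragraph notes, a rewritten access file takes effect without reloading or restarting the wrapped service.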

While originally written to protect TCP and UDP accepting services, examples of usage to filter on certain ICMP packets exist too, such as 'pingd' – the userspace ping request responder.[2]

1999 trojan incident

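In January 1999, the distribution package at Eindhoven University of Technology was replaced by a modified version containing a trojaned copy of the software, which allowed the intruder to access any server on which that version was installed. The author discovered the problem within a few hours, after which he moved the primary distribution site to his personal website.[3][4][5][6]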
