Subject: Re: tcpwrappers
To: Daniel Parks <danielp@reed.edu>
From: John Valdes <valdes@uchicago.edu>
List: port-mac68k
Date: 02/18/2001 23:25:57
On Sun, Feb 11, 2001 at 12:06:00PM -0800, Daniel Parks wrote:
> At 11:33 AM -0800 2/11/2001, Roger Fischer wrote:
> >Hmmm, after the previous discussions about TCP Wrappers, maybe
> >the etc.tgz set should contain skeleton /etc/hosts.allow and
> >/etc/hosts.deny files that contain some comments and no entries?
> >
> >comments?
> 
> Do you know if it's the new style where you can put DENY or ACCEPT at 
> the end of the line so that you can have all your rules in one file?

Yes, though this isn't documented anywhere AFAIK.  In the normal
tcp-wrapper distribution, this functionality is enabled using the
compile-time option -DPROCESS_OPTIONS.  The compile-time options used
for NetBSD are given in /usr/src/lib/libwrap/Makefile.cflags; here's
the list from NetBSD 1.5:

CPPFLAGS+=-DFACILITY=LOG_AUTHPRIV -DSEVERITY=LOG_INFO
CPPFLAGS+=-DREAL_DAEMON_DIR=\"/usr/libexec\" -DHOSTS_ACCESS -DDAEMON_UMASK=022
CPPFLAGS+=-DRFC931_TIMEOUT=10 -DALWAYS_HOSTNAME -DSYS_ERRLIST_DEFINED
CPPFLAGS+=-DHOSTS_ALLOW=\"/etc/hosts.allow\" -DHOSTS_DENY=\"/etc/hosts.deny\"
CPPFLAGS+=-DPROCESS_OPTIONS -DNETGROUP
CPPFLAGS+=-Dss_family=__ss_family -Dss_len=__ss_len

> I noticed that the man pages for hosts.allow talk about the old 
> style

That's normal.  The extended hosts.allow format is documented in
hosts_options(5).  Note, however, that in general (i.e., on any given
Unix system) the presence of this manpage doesn't mean that the
extended syntax is supported.  The only way to tell is to check the
compile-time options used (or try it and see).

Actually, I take back my first sentence above.  The 3rd paragraph in
hosts.allow(5) reads:

       Also note that libwrap under NetBSD uses the extensions to
       the access control language as described in the
       hosts_options(5).

So NetBSD *does* properly document this. :)

John
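Added example, not from this thread: a small Python model of the decision rule in hosts_access(5) together with the ALLOW/DENY options from hosts_options(5), showing that one hosts.allow written in the extended style reaches the same verdicts as a classic hosts.allow/hosts.deny pair. The rules, the example.org domain and the 192.0.2.0/24 addresses are constructed for the demonstration; EXCEPT, LOCAL, KNOWN/UNKNOWN/PARANOID and shell-command fields are not modelled.

```python
"""Toy evaluator of the hosts_access(5) decision plus the hosts_options(5)
ALLOW/DENY options.  Constructed illustration, not the tcp_wrappers code;
EXCEPT, LOCAL, KNOWN/UNKNOWN/PARANOID and shell commands are not handled."""
import ipaddress

def _match(pattern, value):
    """Does one daemon or client pattern match a name or address?"""
    if pattern == "ALL":
        return True
    if pattern.startswith("."):       # host suffix, e.g. .example.org
        return value.endswith(pattern)
    if pattern.endswith("."):         # address prefix, e.g. 192.0.2.
        return value.startswith(pattern)
    if "/" in pattern:                # net/mask, e.g. 192.0.2.0/255.255.255.0
        try:
            return ipaddress.ip_address(value) in ipaddress.ip_network(pattern, strict=False)
        except ValueError:            # value is a hostname, not an address
            return False
    return pattern == value

def _rules(text):
    """Yield (daemon_list, client_list, options) for each rule line."""
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = [f.strip() for f in line.split(":")]
        if len(fields) < 2:
            raise ValueError("malformed rule: " + line)
        yield fields[0].split(), fields[1].split(), [o.upper() for o in fields[2:]]

def hosts_access(daemon, client, allow_text, deny_text=""):
    """True if (daemon, client) is granted: first match in hosts.allow grants,
    first match in hosts.deny refuses, no match grants.  A matching rule with
    an explicit ALLOW/DENY option decides at once, so one file can hold all."""
    for verdict, text in ((True, allow_text), (False, deny_text)):
        for daemons, clients, options in _rules(text):
            if any(_match(d, daemon) for d in daemons) and any(_match(c, client) for c in clients):
                if "ALLOW" in options:
                    return True
                if "DENY" in options:
                    return False
                return verdict
    return True
# Constructed sample: one-file NetBSD style vs. the classic two-file pair.
SINGLE_FILE = ("sshd : .example.org 192.0.2.0/255.255.255.0 : allow\n"
               "ALL : 127.0.0.1 : allow\n"
               "ALL : ALL : deny\n")
CLASSIC_ALLOW = "sshd : .example.org 192.0.2.0/255.255.255.0\nALL : 127.0.0.1\n"
CLASSIC_DENY = "ALL : ALL\n"
```

On a real NetBSD host, tcpdmatch(8) answers the same daemon/client question against the installed files, which is the quickest way to confirm that the extended syntax is actually honoured by the libwrap you have.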