Sun Java System Directory Server Enterprise Edition 6.2 Administration Guide

Client-Host Access Control Through TCP Wrapping

You can use TCP wrappers to accept or reject connections at the TCP level according to the host name or IP address of the connecting client. Limiting client-host access through TCP wrapping gives Directory Server its own control over initial TCP connections, independent of any host-based firewall.

Although you can set TCP wrapping for Directory Server, TCP wrapping can result in significant performance degradation, especially during a Denial of Service attack. The best performance is achieved by using a host-based firewall that is maintained outside Directory Server, or IP port filtering.

Procedure: To Enable TCP Wrapping

You cannot use DSCC to perform this task. Use the command line, as described in this procedure.

  1. Create a hosts.allow file, a hosts.deny file, or both, somewhere within the instance path.

    For example, create the files in instance-path/config. Ensure that the files you create are formatted as described in hosts_access(4).

  2. Set the path to the directory that contains the access files.

    $ dsconf set-server-prop -h host -p port host-access-dir-path:path-to-directory

    For example:

    $ dsconf set-server-prop -h host -p port host-access-dir-path:/local/ds1/config
    "host-access-dir-path" property has been set to "/local/ds1/config".
    The "/local/ds1/config" directory on host1 must contain valid hosts.allow
    and/or hosts.deny files.
    Directory Server must be restarted for changes to take effect.
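The following script is an added example, not part of the guide: it writes a hosts.allow/hosts.deny pair into a constructed instance-path/config directory (INSTANCE_DIR is a placeholder created with mktemp, not a real instance) and checks sample client addresses against the files using the hosts_access(4) decision order. The daemon field uses the ALL wildcard, and only exact-address and trailing-dot network-prefix client patterns are modelled, which is a subset of what hosts_access(4) accepts.

```shell
#!/bin/sh
# Added example, not from the DSEE guide. INSTANCE_DIR is a constructed
# placeholder; a real instance would use its own instance-path/config.
INSTANCE_DIR="${INSTANCE_DIR:-$(mktemp -d)}"
ACCESS_DIR="$INSTANCE_DIR/config"

write_access_files() {
  mkdir -p "$ACCESS_DIR"
  # hosts.allow: "daemon_list : client_list". ALL matches any daemon name.
  # Constructed sample: one admin subnet and one application host may connect.
  cat > "$ACCESS_DIR/hosts.allow" <<'EOF'
# constructed sample: clients allowed to open TCP connections
ALL : 192.0.2.
ALL : 198.51.100.23
EOF
  # hosts.deny: every other client is refused at connection time.
  cat > "$ACCESS_DIR/hosts.deny" <<'EOF'
ALL : ALL
EOF
}

# match_client PATTERN IP -> 0 when the client pattern matches the address.
match_client() {
  case "$1" in
    ALL) return 0 ;;
    *.)  case "$2" in "$1"*) return 0 ;; *) return 1 ;; esac ;;  # network prefix
    *)   [ "$1" = "$2" ] ;;                                      # exact address
  esac
}

# file_matches FILE IP -> 0 when any non-comment rule in FILE matches the address.
file_matches() {
  [ -f "$1" ] || return 1
  while IFS= read -r line; do
    case "$line" in ''|'#'*) continue ;; esac
    clients=${line#*:}          # drop the daemon_list field
    clients=${clients%%:*}      # drop any trailing option field
    for pat in $(printf '%s' "$clients" | tr ',' ' '); do
      match_client "$pat" "$2" && return 0
    done
  done < "$1"
  return 1
}

# host_allowed IP -> 0 allowed, 1 refused: hosts.allow match wins, then a
# hosts.deny match refuses, and a client matched by neither file is allowed.
host_allowed() {
  file_matches "$ACCESS_DIR/hosts.allow" "$1" && return 0
  file_matches "$ACCESS_DIR/hosts.deny" "$1" && return 1
  return 0
}

write_access_files
for ip in 192.0.2.17 198.51.100.23 203.0.113.9; do
  if host_allowed "$ip"; then echo "$ip: allowed"; else echo "$ip: refused"; fi
done
# Next step in the guide: dsconf set-server-prop ... host-access-dir-path:$ACCESS_DIR
```

After the files are in place, point host-access-dir-path at $ACCESS_DIR with dsconf as shown in step 2 and restart Directory Server.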

Procedure: To Disable TCP Wrapping

You cannot use DSCC to perform this task. Use the command line, as described in this procedure.

  1. Set the host access path to "".

    $ dsconf set-server-prop -h host -p port host-access-dir-path:""