Replacing TCP Wrappers in RHEL 8 and 9
Environment
- Red Hat Enterprise Linux 8 and 9
- firewalld
- systemd
Issue
- How do I set up access restrictions instead of TCP Wrappers?
- Do /etc/hosts.allow and /etc/hosts.deny have any use in RHEL 8? /etc/hosts.allow and /etc/hosts.deny are present on a RHEL 8 Beta system. They are in the setup-2.12.2-1.el8.noarch RPM. What is the purpose now when tcp_wrappers is no longer available?
- How can I use the deprecated and removed tcp_wrappers in RHEL 8?
Resolution
firewalld can be used as a firewall level replacement for TCP Wrappers.
This example allows SSH for the 10.1.1.0/24 network and blocks it for all others.
firewalld
firewalld operates at the firewall layer and can be used to restrict access to a given service. One approach is to create a new firewall zone for the 10.1.1.0/24 network and enable SSH in the new zone.
- firewalld enables SSH in the default (public) zone by default, so it first needs to be removed from the default zone:
# firewall-cmd --permanent --remove-service=ssh
- Create the new zone:
# firewall-cmd --permanent --new-zone=mysshzone
- Add the SSH service and the network to the zone:
# firewall-cmd --permanent --zone=mysshzone --add-source=10.1.1.0/24
# firewall-cmd --permanent --zone=mysshzone --add-service=ssh
- Then, reload the firewall to make the new configuration active.
# firewall-cmd --reload
systemd
systemd provides per-unit IP address allow/deny filtering. It works with cgroup v2.
For details, see How to allow specific IP addresses or networks to access the systemd managed services
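As an added example (not part of this solution), the same 10.1.1.0/24 restriction expressed with systemd's per-unit IPAddressAllow=/IPAddressDeny= settings: it writes a drop-in for sshd.service (the unit name and drop-in path are assumptions) and, on a live host, reloads and verifies the effective properties.

```shell
#!/bin/sh
# Added example: limit sshd.service to 10.1.1.0/24 with systemd's
# per-unit IP filtering. Assumes the service is sshd.service and that
# the host runs cgroup v2, which this filtering requires.
set -eu

# Build the drop-in text. systemd checks the allow list before the deny
# list, so IPAddressDeny=any plus explicit IPAddressAllow= entries
# behaves as an allow-list.
sshd_allowlist_dropin() {
  net="$1"
  cat <<EOF
[Service]
# Deny every remote address, then re-allow the management network.
IPAddressDeny=any
IPAddressAllow=$net
# Keep loopback traffic working (e.g. local port forwards).
IPAddressAllow=localhost
EOF
}

# Write the drop-in under $root ("/" on a live host, a temp dir to
# test) and print the path written so a caller can inspect it.
install_sshd_allowlist() {
  root="$1"; net="$2"
  dir="$root/etc/systemd/system/sshd.service.d"
  mkdir -p "$dir"
  sshd_allowlist_dropin "$net" > "$dir/10-allowlist.conf"
  printf '%s\n' "$dir/10-allowlist.conf"
}

# Live host only: reload unit files, restart sshd, then show the
# effective properties so the change can be verified.
apply_live() {
  systemctl daemon-reload
  systemctl restart sshd.service
  systemctl show -p IPAddressAllow -p IPAddressDeny sshd.service
}

# Run with --live to apply on the real system.
if [ "${1:-}" = "--live" ]; then
  install_sshd_allowlist / 10.1.1.0/24
  apply_live
fi
```

Unlike the firewalld zone, this filter applies only to sockets owned by sshd.service, so other services on the host are unaffected.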
Root Cause
TCP Wrappers has been marked as deprecated since 2017:
- RHEL 7.4 Release Notes - Deprecated Functionality
"tcp_wrappers deprecated"
Further information is given in the upstream Fedora change to remove the feature:
Red Hat Bug 1663556 - /etc/hosts.allow and /etc/hosts.deny files contain extremely inaccurate information has been filed to address these files in RHEL 8.