Notes:
TCP Wrappers are only effective with those TCP services that are started by the inetd daemon each time that they are requested.
Ports that are serviced by portmapping/rpcbind have to be handled differently.
TCP Wrappers are ineffective for any services that remain listening all the time.
Blocking services to all unknown addresses can prove inconvenient to your users when they are in unexpected places, at conferences or visiting other campuses.
You might want to have one relatively secure host that accepts logons etc. from anywhere (and presumably logs them reliably in order to trace any abuse), and allow your less-secure experimental systems to be logged on to only from local addresses. Users would have to stage their logons through the secure host when necessary.
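The two-host arrangement described above, written out as TCP Wrappers configuration. This is an added example, not part of the original slides; the daemon names, the tcpd path, the domain `.campus.example` and the network prefix `192.0.2.` are assumptions to be replaced with local values.

```conf
# ---- Both hosts: /etc/inetd.conf ----
# inetd starts tcpd instead of the real daemon; tcpd checks the access
# files, records the connection through syslog, then runs the daemon.
# (Path /usr/sbin/tcpd is an assumption; it varies by system.)
telnet  stream  tcp  nowait  root  /usr/sbin/tcpd  in.telnetd
login   stream  tcp  nowait  root  /usr/sbin/tcpd  in.rlogind

# ---- Both hosts: /etc/hosts.deny ----
# hosts.allow is consulted first, then hosts.deny; a connection that
# matches neither file is ALLOWED, so deny everything here by default.
ALL: ALL

# ---- Relatively secure staging host: /etc/hosts.allow ----
# Logons accepted from anywhere. Every connection is still logged by
# tcpd, so forward syslog to a separate log host to keep a reliable trail.
in.telnetd, in.rlogind: ALL

# ---- Less-secure experimental hosts: /etc/hosts.allow ----
# Logons accepted only from local addresses:
#   LOCAL            host names that contain no dot
#   .campus.example  any host name ending in this domain (assumed name)
#   192.0.2.         any address starting with this prefix (assumed range)
in.telnetd, in.rlogind: LOCAL, .campus.example, 192.0.2.
```

Where the tcpd package ships the `tcpdchk` and `tcpdmatch` utilities, `tcpdchk` reports syntax problems in these files and `tcpdmatch in.telnetd <client>` predicts how a given client would be treated.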