TCP Wrappers
Controls and/or logs TCP services that get started from inetd
Portmapped ports have to be dealt with differently
Persistent services also can’t be protected this way
Blocking all unknown addresses can be inconvenient, e.g. for people going to conferences or other institutions
Have one relatively secure host that accepts from anywhere, tell your users to go via that
Notes:
TCP Wrappers are only effective with those TCP services that are started by the inetd daemon each time that they are requested.
Ports that are serviced by portmapping/rpcbind have to be handled differently.
TCP Wrappers are ineffective for any services that remain listening all the time.
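The limits described above can be checked against a host's inetd configuration. The following is an added example, not part of the original slides: it sorts inetd.conf entries into those routed through the wrapper, those started directly, inetd built-ins, and RPC services. It assumes the wrapper binary is named tcpd, and the sample configuration is constructed.

```python
import os

# Constructed sample in inetd.conf layout (not taken from a real host):
# service  socket  proto  wait  user  server-program  args...
SAMPLE_INETD_CONF = """\
ftp      stream  tcp      nowait  root    /usr/sbin/tcpd        in.ftpd -l
telnet   stream  tcp      nowait  root    /usr/sbin/in.telnetd  in.telnetd
finger   stream  tcp      nowait  nobody  /usr/sbin/tcpd        in.fingerd
daytime  stream  tcp      nowait  root    internal
rstatd/2-4 dgram rpc/udp  wait    root    /usr/sbin/rpc.rstatd  rpc.rstatd
# shell  stream  tcp      nowait  root    /usr/sbin/in.rshd     in.rshd
"""


def classify(line):
    """Return (service, status) for one inetd.conf line, None for blank/comment."""
    line = line.split("#", 1)[0].strip()
    if not line:
        return None
    fields = line.split()
    if len(fields) < 6:
        return (fields[0], "malformed")
    service, _sock, proto, _wait, _user, server = fields[:6]
    if proto.startswith("rpc/"):
        return (service, "rpc")        # portmapped: has to be handled differently
    if server == "internal":
        return (service, "internal")   # served by inetd itself, no program to wrap
    if os.path.basename(server) == "tcpd":
        return (service, "wrapped")    # inetd starts the wrapper, which starts the daemon
    return (service, "unwrapped")      # inetd starts the daemon directly


def audit(text):
    """Group the services in an inetd.conf text by classification."""
    report = {}
    for line in text.splitlines():
        result = classify(line)
        if result:
            service, status = result
            report.setdefault(status, []).append(service)
    return report


if __name__ == "__main__":
    for status, services in sorted(audit(SAMPLE_INETD_CONF).items()):
        print(f"{status:10} {', '.join(services)}")
```

Services that stay listening all the time never appear in inetd.conf, so this audit cannot see them; they need a separate check of the host's listening sockets.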
Blocking services to all unknown addresses can prove inconvenient to your users when they are in unexpected places, at conferences or visiting other campuses.
You might want to have one relatively secure host that accepts logons etc. from anywhere (and presumably logs them reliably in order to trace any abuse), and allow your less-secure experimental systems to be logged on to only from local addresses. Users would then have to “stage” their logons through the secure host when necessary.