Index: etc/hosts.allow =================================================================== --- etc/hosts.allow (revision 262438) +++ etc/hosts.allow (working copy) @@ -60,6 +60,7 @@ exim : localhost : allow exim : ALL : allow # Rpcbind is used for all RPC services; protect your NFS! +# Rpcbind should be running with -t option to support this. # (IP addresses rather than hostnames *MUST* be used here) #rpcbind : 192.0.2.32/255.255.255.224 : allow #rpcbind : 192.0.2.96/255.255.255.224 : allow Index: usr.sbin/rpcbind/rpcbind.8 =================================================================== --- usr.sbin/rpcbind/rpcbind.8 (revision 262438) +++ usr.sbin/rpcbind/rpcbind.8 (working copy) @@ -2,7 +2,7 @@ .\" Copyright 1989 AT&T .\" Copyright 1991 Sun Microsystems, Inc. .\" $FreeBSD$ -.Dd April 23, 2007 +.Dd February 24, 2014 .Dt RPCBIND 8 .Os .Sh NAME @@ -133,6 +133,8 @@ to use non-privileged ports for outgoing connectio clients from using .Nm to connect to services from a privileged port. +.It Fl t +Enable TCP Wrappers support. .El .Sh NOTES All RPC servers must be restarted if Index: usr.sbin/rpcbind/rpcbind.c =================================================================== --- usr.sbin/rpcbind/rpcbind.c (revision 262438) +++ usr.sbin/rpcbind/rpcbind.c (working copy) @@ -88,6 +88,9 @@ rpcblist_ptr list_rbl; /* A list of version 3/4 rp int runasdaemon = 0; int insecure = 0; int oldstyle_local = 0; +#ifdef LIBWRAP +int libwrap = 0; +#endif int verboselog = 0; char **hosts = NULL; @@ -785,7 +788,7 @@ parseargs(int argc, char *argv[]) #else #define WSOP "" #endif - while ((c = getopt(argc, argv, "6adh:iLls" WSOP)) != -1) { + while ((c = getopt(argc, argv, "6adh:iLlst" WSOP)) != -1) { switch (c) { case '6': ipv6_only = 1; 
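Review bot: The added hosts.allow comment does not say what happens when rpcbind runs without -t, which is the part an administrator reading this file needs. Per the security.c hunk in this same patch, hosts_access() is consulted only when the flag is set, so the rpcbind rules below are not enforced otherwise. I would word it as `# These rules are enforced only if rpcbind is started with -t (e.g. via rpcbind_flags); without -t rpcbind does not consult this file.`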
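Review bot: The getopt() option string in parseargs now accepts `t` unconditionally, while the matching `case 't':` in the later parseargs hunk (@@ -818) is compiled only under `#ifdef LIBWRAP`. On a build without LIBWRAP, getopt() still returns 't' and the switch goes to whatever its default arm does, which is outside both hunks, so the operator gets at best a generic usage error. Following the existing WSOP pattern would avoid that: define `#define TSOP "t"` under `#ifdef LIBWRAP` (and `""` otherwise) and call `getopt(argc, argv, "6adh:iLls" TSOP WSOP)`. Alternatively keep the letter and have the non-LIBWRAP build exit with an explicit "built without TCP Wrappers support" message. The usage() text is not visible here and presumably needs the new flag as well.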
@@ -818,6 +821,11 @@ parseargs(int argc, char *argv[]) case 's': runasdaemon = 1; break; +#ifdef LIBWRAP + case 't': + libwrap = 1; + break; +#endif #ifdef WARMSTART case 'w': warmstart = 1; Index: usr.sbin/rpcbind/rpcbind.h =================================================================== --- usr.sbin/rpcbind/rpcbind.h (revision 262438) +++ usr.sbin/rpcbind/rpcbind.h (working copy) @@ -66,6 +66,9 @@ struct r_rmtcall_args { extern int debugging; extern int doabort; +#ifdef LIBWRAP +extern int libwrap; +#endif extern int verboselog; extern int insecure; extern int oldstyle_local; Index: usr.sbin/rpcbind/security.c =================================================================== --- usr.sbin/rpcbind/security.c (revision 262438) +++ usr.sbin/rpcbind/security.c (working copy) @@ -108,13 +108,15 @@ check_access(SVCXPRT *xprt, rpcproc_t proc, void * } #ifdef LIBWRAP - if (addr->sa_family == AF_LOCAL) - return 1; - request_init(&req, RQ_DAEMON, "rpcbind", RQ_CLIENT_SIN, addr, 0); - sock_methods(&req); - if(!hosts_access(&req)) { - logit(deny_severity, addr, proc, prog, ": request from unauthorized host"); - return 0; + if (libwrap && addr->sa_family != AF_LOCAL) { + request_init(&req, RQ_DAEMON, "rpcbind", RQ_CLIENT_SIN, addr, + 0); + sock_methods(&req); + if(!hosts_access(&req)) { + logit(deny_severity, addr, proc, prog, + ": request from unauthorized host"); + return 0; + } } #endif if (verboselog)
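Review bot: With `libwrap` defaulting to 0, the new guard `if (libwrap && addr->sa_family != AF_LOCAL)` in check_access turns the hosts_access() check from always-on in LIBWRAP builds into opt-in. An existing installation whose hosts.allow restricts rpcbind would stop enforcing those rules after an upgrade unless `-t` is added, and nothing in the visible code logs that. That is a fail-open change of default on a network-facing access-control path. If opt-in is the intended policy, rpcbind should say at startup which mode it is in, for example `syslog(LOG_NOTICE, "TCP Wrappers access control not enabled (no -t)");` after argument parsing, and the change should be announced where upgraders will see it. Otherwise keep enforcement on by default and add a flag that turns it off; check_access() begins and ends outside this hunk.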