-> > Thanks for the comments, But would wrapping Apache do any good? AFAIK
-> > wrapping works only when daemon starts and Apache is sort of always on?
->
-> I would not suggest running a web server from inetd. If the web server
-> persists after the first connection, that is fine, but you are correct in
-> that this behavior excludes using tcpd. It does not exclude having libwrap
-> built in to the daemon and I'm not sure if apache is built with this
-> support.
damn, you both didn't read it carefully...

>> That's not necessarily true. A lot of standalone daemons are, or can be,
>> compiled with libwrap so as to have this functionality built-in.

iirc, apache can be built with libwrap support which means, uses hosts.allow
and hosts.deny to decide whether to run or not;

-> The libwrap code starts when there is a connection to the port and the
-> program hands off the info to libwrap. It _then_ opens the
-> /etc/hosts.{allow,deny} files in order to check the validity of the
-> connection.
->
-> /usr/sbin/tcpd however, is passed the actual connection and it checks the
-> validity. If it's ok then it passes the connection off to the daemon.

nope; you MUST accept() the connection and THEN you can getpeername() and do
hosts.allow/deny searching; btw, tcpd doesn't accept(); it's inetd who does
and passes the socket to tcpd as stdin/stdout

--
Matus "fantomas" Uhlar, sysadmin at Telenor Internet Kosice, Slovakia
BIC coord for *.sk; admin of netlab.irc.sk; co-admin of irc.felk.cvut.cz
... and Bill Gates' dick is soft not to do any harm ...
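An added example, not from this thread and not the real libwrap API: a small stand-in for hosts_access() that shows the ordering fantomas describes, accept() first, then getpeername() on the accepted socket, and only then the hosts.allow/hosts.deny lookup. The rule syntax it supports (ALL, an exact address, a trailing-dot network prefix like "10.0.0.") and the sample tables are constructed assumptions.

```c
#define _POSIX_C_SOURCE 200809L
#include <arpa/inet.h>
#include <netinet/in.h>
#include <string.h>
#include <sys/socket.h>

/* Match one client pattern: ALL, an exact address, or a "10.0.0." net prefix.
   (Constructed subset of the real hosts_access syntax.) */
static int client_matches(const char *pat, const char *client) {
    size_t n = strlen(pat);
    if (strcmp(pat, "ALL") == 0) return 1;
    if (n > 0 && pat[n - 1] == '.') return strncmp(pat, client, n) == 0;
    return strcmp(pat, client) == 0;
}

/* Scan "daemon: client [client ...]" lines; 1 if any line matches. */
static int table_matches(const char *table, const char *daemon, const char *client) {
    char buf[1024], *line, *save;
    strncpy(buf, table, sizeof buf - 1);
    buf[sizeof buf - 1] = '\0';
    for (line = strtok_r(buf, "\n", &save); line; line = strtok_r(NULL, "\n", &save)) {
        char *colon = strchr(line, ':'), *tok, *save2;
        if (line[0] == '#' || !colon) continue;
        *colon = '\0';
        if (strcmp(line, daemon) != 0 && strcmp(line, "ALL") != 0) continue;
        for (tok = strtok_r(colon + 1, " ,\t", &save2); tok; tok = strtok_r(NULL, " ,\t", &save2))
            if (client_matches(tok, client)) return 1;
    }
    return 0;
}

/* Same decision order as hosts_access: allow table wins, then deny table,
   and a client listed in neither is permitted. Returns 1 = allow, 0 = deny. */
int hosts_access_check(const char *allow, const char *deny,
                       const char *daemon, const char *client) {
    if (table_matches(allow, daemon, client)) return 1;
    if (table_matches(deny, daemon, client)) return 0;
    return 1;
}

/* The daemon side: fd is a socket already returned by accept(). Only now is
   there a peer to look up, which is why the check cannot run at daemon start. */
int check_accepted_peer(int fd, const char *allow, const char *deny, const char *daemon) {
    struct sockaddr_in peer;
    socklen_t len = sizeof peer;
    char ip[INET_ADDRSTRLEN];
    if (getpeername(fd, (struct sockaddr *)&peer, &len) != 0) return 0; /* fail closed */
    if (!inet_ntop(AF_INET, &peer.sin_addr, ip, sizeof ip)) return 0;
    return hosts_access_check(allow, deny, daemon, ip);
}
```

A real daemon would call request_init()/fromhost()/hosts_access() from <tcpd.h> at the same point, right after accept(), and log the denial before closing the socket.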