[1.7] Updated: {tcp_wrappers/libwrap0/libwrap-devel}-7.6-20

Charles Wilson cygwin@cwilson.fastmail.fm
Mon Mar 30 07:37:00 GMT 2009

tcp_wrappers provides host-based access restrictions on tcp services:
facilities for monitoring and filtering incoming requests for the SSHD,
network services.

The package provides a tiny daemon wrapper program that can be installed
without any changes to existing software or to existing configuration
files.  The wrappers report the name of the client host and of the
requested service; the wrappers do not exchange information with the
client or server applications, and impose no overhead on the actual
conversation between the client and server applications.

This is a bugfix release: it corrects a failure to access services on
localhost from localhost when running cygwin-1.7 on Vista.

[[ compiled using gcc-3.4.4-999 ]]

This release is specific for cygwin-1.7. It differs significantly from the
simultaneously-released tcp_wrappers-7.6-6 for cygwin-1.5. In addition to
the usual (trivial) documentation differences, this cygwin-1.7-specific
package supports IPv6, while the cygwin-1.5 package does not.

Because of this, the /etc/defaults/etc/hosts.allow files also differ;
the cygwin-1.5 version can not include the IPv6 localhost specification.

(cygwin-1.7) ALL : localhost [::1]/128 : ALLOW
(cygwin-1.5) ALL : localhost : ALLOW

CHANGES (since 7.6-5)
o Fork for cygwin-1.7 development (actually, this occurred with
o Updated to latest debian patchset (r16 v. r15)
o Added the following line to the default /etc/hosts.allow
  *before* the PARANOID entry:
      ALL : localhost [::1]/128 : ALLOW
  This is required on cygwin-1.7+Vista, because
  + With Vista, you cannot disable IPv6 with regards to the
    loopback interface
  + IPv6 lookups for ::1 resolve to <COMPUTER NAME>, not
  + But DNS lookups for <COMPUTER NAME> resolve to your
    assigned IP, not ::1 (or
  + This causes the PARANOID rule to reject the connection
  + Thus, with cygwin-1.7+Vista, you can't (e.g.) 'ssh localhost'
  + Unless you add a rule such as above to hosts.allow.
  Note that this rule does no harm on non-Vista versions of Windows
  (although the cygwin-1.5 libwrap0 doesn't understand [::1] IPv6
  notation). The rule is also not a security hole, because incoming
  connections are always identified by an IP address that is NOT nor [::1] (the internet refuses to route those IPs).
  So, these numeric addresses can never be spoofed, so it's okay
  to allow them.
o Updated hint files

A reminder for package maintainers and developers:

        STRONGSYMS: the cygwin versions of cygwrap-0.dll AND libwrap.a
        (that is, both the DLL and static library) explicitly provide
            int deny_severity
            int allow_severity
        symbols.  This means that clients must NOT define their own
        versions of these symbols, as is the practice on *nix systems.
        Instead, clients should rely on the /declaration/ provided in
            extern int deny_severity;
            extern int allow_severity;
        This may require code changes in clients that link against
        libwrap, but it was a necessary API change to enable DLL
        builds on cygwin. 

Charles Wilson
volunteer tcp_wrappers maintainer for cygwin
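
The PARANOID rejection and the effect of rule order described in the changelog above, as an added example (not code from tcp_wrappers or from this announcement). It is a simplified Python model of libwrap's client matching that ignores the daemon field; the resolver tables, the name MYPC, the address 192.0.2.10 and the `ALL : PARANOID : DENY` rule are constructed stand-ins.

```python
import ipaddress

# Constructed resolver data for the cygwin-1.7+Vista case; MYPC and
# 192.0.2.10 are placeholders for <COMPUTER NAME> and its assigned IP.
REVERSE = {"::1": "MYPC"}
FORWARD = {"MYPC": ["192.0.2.10"]}

def reverse(addr):
    return REVERSE.get(addr)

def forward(name):
    return FORWARD.get(name, [])

def client_name(addr):
    """Name used for matching: 'paranoid' when name and address disagree."""
    name = reverse(addr)
    if name is None:
        return "unknown"
    ip = ipaddress.ip_address(addr)
    if ip in {ipaddress.ip_address(a) for a in forward(name)}:
        return name.lower()
    return "paranoid"

def token_matches(token, addr, name):
    if token == "PARANOID":
        return name == "paranoid"
    if token.startswith("["):  # [v6addr]/prefix: matched on the address
        net = ipaddress.ip_network(token.replace("[", "").replace("]", ""))
        ip = ipaddress.ip_address(addr)
        return ip.version == net.version and ip in net
    return token.lower() == name  # host name token: matched on the name

def decide(rules, addr):
    """Return (action, token) for the first rule with a matching token."""
    name = client_name(addr)
    for tokens, action in rules:
        for token in tokens:
            if token_matches(token, addr, name):
                return action, token
    return "ALLOW", None  # tcp_wrappers grants access when nothing matches

ALLOW_LOCAL = (["localhost", "[::1]/128"], "ALLOW")  # line from the page
DENY_PARANOID = (["PARANOID"], "DENY")               # assumed PARANOID entry

if __name__ == "__main__":
    for rules in ([DENY_PARANOID], [ALLOW_LOCAL, DENY_PARANOID],
                  [DENY_PARANOID, ALLOW_LOCAL]):
        print(rules, "->", decide(rules, "::1"))
```

In this model only the `[::1]/128` token rescues the connection, because the `localhost` token is compared with a client name that is already `paranoid`; placing the rule after the PARANOID entry leaves the connection denied.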


To update your installation, click on the "Install Cygwin now" link
on the http://cygwin.com/ web page.  This downloads setup.exe to
your system.  Then, run setup and answer all of the questions.

