The next example permits tftp requests from hosts in the local domain (notice the leading dot). Requests from any other hosts are denied. Instead of the requested file, a finger probe is sent to the offending host. The result is mailed to the superuser.
/etc/hosts.allow:
   in.tftpd: LOCAL, .my.domain

/etc/hosts.deny:
   in.tftpd: ALL: (/some/where/safe_finger -l @%h | \
        /usr/ucb/mail -s %d-%h root) &
The safe_finger command is intended for use in back-fingering and should be installed in a suitable place. It limits possible damage from data sent by the remote finger server. It gives better protection than the standard finger command.
The expansion of the %h (client host) and %d (service name) sequences is described in the section on shell commands.
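As an added illustration (not part of the original manual page or the TCP Wrappers source), the following Python model shows how the two tftp rules above are evaluated and how %h and %d are expanded before the command reaches the shell. The sample host names and the exact set of characters treated as shell-safe are assumptions.

```python
import re

# Constructed rule sets mirroring the two tftp rules above
# (daemon, client patterns, optional shell command).
HOSTS_ALLOW = [("in.tftpd", ["LOCAL", ".my.domain"], None)]
HOSTS_DENY = [("in.tftpd", ["ALL"],
               "(/some/where/safe_finger -l @%h | /usr/ucb/mail -s %d-%h root) &")]

# Assumption: a conservative whitelist; any other character in an expanded
# value becomes "_" so a hostile reverse-DNS name cannot alter the command.
_UNSAFE = re.compile(r"[^A-Za-z0-9_.:@,+=/-]")


def host_matches(pattern, host):
    """Model of the client patterns used here: ALL, LOCAL, leading-dot suffix."""
    host = host.lower()
    if pattern == "ALL":
        return True
    if pattern == "LOCAL":          # host name contains no dot
        return "." not in host
    if pattern.startswith("."):     # domain suffix match
        return host.endswith(pattern.lower())
    return host == pattern.lower()


def expand(command, daemon, host):
    """Expand %h (client host) and %d (service name), sanitising both values."""
    values = {"h": _UNSAFE.sub("_", host), "d": _UNSAFE.sub("_", daemon), "%": "%"}
    return re.sub(r"%([hd%])", lambda m: values[m.group(1)], command)


def decide(daemon, host):
    """Return (granted, command): allow file first, then deny file, else grant."""
    for granted, rules in ((True, HOSTS_ALLOW), (False, HOSTS_DENY)):
        for rule_daemon, clients, command in rules:
            if rule_daemon in (daemon, "ALL") and any(host_matches(p, host) for p in clients):
                return granted, (expand(command, daemon, host) if command else None)
    return True, None  # no match in either file: access is granted


if __name__ == "__main__":
    # Constructed client names: two local, one outside, one with a shell metacharacter.
    for name in ("printer", "ws1.my.domain", "scanner.example.net", "host;x.example.net"):
        print(name, decide("in.tftpd", name))
```

Because a service with no matching rule falls through to "granted", the trap only fires for daemons that are actually listed in the deny file.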
Warning: do not booby-trap your finger daemon, unless you are prepared for infinite finger loops.
On network firewall systems this trick can be carried even further. The typical network firewall only provides a limited set of services to the outer world. All other services can be "bugged" just like the above tftp example. The result is an excellent early-warning system.
An error is reported when a syntax error is found in a host access control rule; when the length of an access control rule exceeds the capacity of an internal buffer; when an access control rule is not terminated by a newline character; when the result of %<letter> expansion would overflow an internal buffer; when a system call fails that shouldn't. All problems are reported via the syslog daemon.
Some operating systems are distributed with TCP Wrappers as part of the base system. It is common for such systems to build wrapping functionality into networking utilities. Notably, some systems offer an inetd(8) which does not require the use of tcpd(8). Check your system's documentation for details.
/etc/hosts.allow, (daemon,client) pairs that are granted access.
/etc/hosts.deny, (daemon,client) pairs that are denied access.
tcpd(8), tcp/ip daemon wrapper program.
tcpdchk(8), tcpdmatch(8), test programs.