Enable TCP_WRAPPERs for the NIS server. The protection afforded is

not massive, but usable.

2 files changed, 10 insertions, 1 deletions

diff --git a/etc/hosts.allow b/etc/hosts.allow
index f4e1353..e24f0c2 100644
--- a/etc/hosts.allow
+++ b/etc/hosts.allow
@@ -63,6 +63,12 @@ rpcbind : 192.0.2.32/255.255.255.224 : allow
 rpcbind : 192.0.2.96/255.255.255.224 : allow
 rpcbind : ALL : deny
 
+# NIS master server. Only local nets should have access
+ypserv : localhost : allow
+ypserv : .unsafe.my.net.example.com : deny
+ypserv : .my.net.example.com : allow
+ypserv : ALL : deny
+
 # Provide a small amount of protection for ftpd
 ftpd : localhost : allow
 ftpd : .nice.guy.example.com : allow
diff --git a/usr.sbin/ypserv/Makefile b/usr.sbin/ypserv/Makefile
index 214b995..30c3f3f 100644
--- a/usr.sbin/ypserv/Makefile
+++ b/usr.sbin/ypserv/Makefile
@@ -8,7 +8,10 @@ MAN=	ypserv.8 ypinit.8
 SRCS=	yp_svc.c yp_server.c yp_dblookup.c yp_dnslookup.c \
 	ypxfr_clnt.c yp.h yp_main.c yp_error.c yp_access.c yp_svc_udp.c
 
-CFLAGS+= -I. -DDB_CACHE
+DPADD=	${LIBWRAP}
+LDADD=	-lwrap
+
+CFLAGS+= -I. -DDB_CACHE -DTCP_WRAPPER
 
 CLEANFILES= yp_svc.c ypxfr_clnt.c yp.h