dante   Frontpage - Dante - Download - Status - Support - Modules - Docs - Links - Survey - GDPR

Integration with libwrap

This page describes how some of the functionality in libwrap can be used with Dante.


The libwrap library provides a wide range of operations such as access control and running of arbitrary commands in case of specified events. Use of the rfc931/identd functionality in Dante is covered in the RFC 931 Authentication page. This page looks at access control and execution of external commands.

Environment setup

The libwrap library must be installed and compiled into for this functionality to be available. The /etc/hosts.allow and /etc/hosts.deny configuration files can be used but are not necessary.

Server privileges

#server identities (not needed on Solaris)
user.libwrap: libwrap

No special privileges are required to use libwrap. The server should however specify a separate username with the user.libwrap keyword if the server is started as root (this is not necessary on Solaris).

Access control

The Dante server can be configured to use the libwrap /etc/hosts.allow and /etc/hosts.deny files for access control in addition to the client pass/deny rules in the Dante configuration file. The primary reason for wanting to do this would typically be to be able to use an existing set of access control files or to share the access control rules with other servers that support libwrap. The name to use for the Dante server in the libwrap configuration files is sockd.

#enable libwrap /etc/hosts.allow and /etc/hosts.deny access control
libwrap.hosts_access: yes

By default, the Dante server will not perform this type of lookup, but it can be enabled using the libwrap.hosts_access keyword as shown above. When enabled, the Dante server will check with libwrap before applying the client pass/deny rules; the libwrap access rules can be seen as a filter before Dante. If libwrap indicates that a packet or connection should be denied, it will be dropped and no further processing will be done by Dante. If libwrap indicates that a packet or connection should be allowed, the normal Dante rule processing will be applied, resulting in the connection or packet either being dropped or forwarded.

Running libwrap commands

The libwrap library also supports execution of commands, described in the libwrap hosts_options(5) manual page. Some of these commands can be used in the Dante rules, allowing them to be executed upon a rule being matched.

#match clients from
client pass {
        from: to: eth0 port = http
        bounce to: www.example.org port = http
        log: error # connect disconnect iooperation 
        #special log message in case of rule match
        libwrap: spawn logger -t '%d[%p]' 'pass to webserver from %c'
        protocol: tcp

#all other clients
client pass {
        from: to: eth0 port = http
        bounce to: www.example.org port = http
        log: error # connect disconnect iooperation 
        protocol: tcp

One possible usage is to run an external command each time a rule matches. The example above has libwrap run the command logger, in order to add an additional log message with information on the client (hostname or IP-address) when clients connect from the network Note that stdin/stdout/stderr are by default redirected to /dev/null by libwrap, so if the output of the command is desired, it must be piped to some other command or redirected to a file.

The banner command will result in the banner contents being transmitted to the client before the SOCKS request respons, and is for this reason unlikely to work in any useful way.

Command support

The following libwrap commands are supported:

  • spawn

These commands will not work with Dante or will likely not result in correct behavior because the Dante processes is designed to relay data for multiple clients:

  • twist, keepalive, linger, nice, setenv, umask, user, banner

The functionality of the rfc931 command is available via the rfc931 authentication method.

Copyright © 1998-2023 Inferno Nettverk A/S