Server Migration Center:What do I do if the "TCP Wrappers configuration affects" error appears during SMC migration?

Background

TCP Wrappers provided application-level access control through two configuration files:

• /etc/hosts.deny -- defines which hosts are blocked from connecting.

• /etc/hosts.allow -- defines which hosts are allowed to connect.

In Anolis OS 8, TCP Wrappers is removed. firewalld replaces it by filtering traffic at the network level through zones. Each zone defines a trust level for a group of source IP addresses and controls which services (such as SSH) are accessible.

The following table maps common TCP Wrappers patterns to their firewalld equivalents:

The following procedure replaces TCP Wrappers SSH restrictions with firewalld, using this example configuration:

Content of /etc/hosts.deny:

#
# hosts.deny	This file contains access rules which are used to
#		deny connections to network services that either use
#		the tcp_wrappers library or that have been
#		started through a tcp_wrappers-enabled xinetd.
#
#		The rules in this file can also be set up in
#		/etc/hosts.allow with a 'deny' option instead.
#
#		See 'man 5 hosts_options' and 'man 5 hosts_access'
#		for information on rule syntax.
#		See 'man tcpd' for information on tcp_wrappers
#
sshd: ALL

Content of /etc/hosts.allow:

#
# hosts.allow This file contains access rules which are used to
# allow or deny connections to network services that
# either use the tcp_wrappers library or that have been
# started through a tcp_wrappers-enabled xinetd.
#
# See 'man 5 hosts_options' and 'man 5 hosts_access'
# for information on rule syntax.
# See 'man tcpd' for information on tcp_wrappers
#
sshd: 192.168.20.100 192.168.20.101
sshd: 192.168.15.16/29

Prerequisites

• Access to the source server. For more information, see Connect to an instance.

• Root or sudo privileges on the source server.

Procedure

1. Install firewalld and start the service.

   yum install -y firewalld
   systemctl enable firewalld
   systemctl restart firewalld

2. Remove the SSH service from the default zone. By default, SSH is enabled in the default zone of firewalld (the public zone).

   firewall-cmd --permanent --remove-service=ssh

3. Create a firewalld zone for SSH access control. A zone groups source IP addresses and defines which services they can access. Create a zone named sshzone to hold the allowed SSH sources.

   firewall-cmd --permanent --new-zone=sshzone

4. Add allowed sources and the SSH service to sshzone. Add each IP address and subnet from /etc/hosts.allow as a source, then enable the SSH service in the zone.

   firewall-cmd --permanent --zone=sshzone --add-source=192.168.20.100
   firewall-cmd --permanent --zone=sshzone --add-source=192.168.20.101
   firewall-cmd --permanent --zone=sshzone --add-source=192.168.15.16/29
   firewall-cmd --permanent --zone=sshzone --add-service=ssh

5. Reload firewalld to apply the configuration. The --permanent flag saves rules persistently but does not apply them immediately. Reload to activate all changes.

   firewall-cmd --reload

6. Comment out all rules in /etc/hosts.allow and /etc/hosts.deny. After firewalld handles access control, disable TCP Wrappers configuration by commenting out the active rules in both files.

7. After you resolve the network issue, run the SMC client to retry the operation. For more information, see Run the SMC client.

Verification

After step 5, verify that firewalld is configured correctly before proceeding.

1. Verify that SSH is removed from the public zone. The output should not include ssh.

   firewall-cmd --zone=public --list-services

2. Verify the sshzone configuration. The output should show the added sources and the ssh service.

   firewall-cmd --zone=sshzone --list-all

3. Verify active zones. The output should include sshzone with the configured sources.

   firewall-cmd --get-active-zones

4. Test SSH access from an allowed IP address to confirm connectivity.