tcpdchk
Verify TCP wrapper configuration files
SYNOPSIS
tcpdchk [-adijnv] [daemon[@host] ...]
PARAMETERS
-a
Show rules that would always be matched by the ALLOW section of hosts.allow, effectively ignoring subsequent rules.
-d
Use the hosts.allow and hosts.deny files found in the current directory instead of the default /etc/ location.
-i
Show rules that would always be matched by the DENY section of hosts.deny, effectively ignoring subsequent rules.
-j
Simulate the old tcp_wrappers behavior where hosts.allow was checked before hosts.deny. The default behavior checks hosts.deny first.
-n
Do not perform name lookups (e.g., DNS, NIS). This can speed up the check but will not detect issues related to hostname or netgroup resolution.
-v
Produce verbose output, showing more details about the checks being performed and the rules being processed.
DESCRIPTION
tcpdchk is a utility included with the tcp_wrappers package. Its primary function is to analyze the hosts.allow and hosts.deny access control files to identify potential problems, inconsistencies, or vulnerabilities in their configuration.
It can detect issues such as syntax errors, unreachable rules, overlapping rules, or rules that could lead to unexpected access denials or grants. The tool reads the configuration files, simulates the access control logic, and reports any issues found, helping system administrators maintain secure and correct network service access policies. It is crucial for ensuring that tcp_wrappers-aware services behave as expected.
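To make "unreachable rule" concrete, the following added example (not tcpdchk's own code, and not part of the tcp_wrappers package) flags rules in a single access file that can never match, because matching within one file stops at the first rule that matches. The names parse_rules, unreachable and SAMPLE are hypothetical, the sample file is constructed, and the sketch assumes no bracketed IPv6 addresses and treats daemon@host entries as plain strings.

```python
import re

# Constructed sample in hosts_access(5) syntax: "daemon_list : client_list".
SAMPLE = r"""# constructed sample hosts.allow
sshd: 192.0.2.0/255.255.255.0
in.ftpd: ALL
in.ftpd: .example.com
ALL: ALL EXCEPT 198.51.100.7
sshd, in.ftpd: \
    203.0.113.5
ALL: ALL
in.telnetd: LOCAL
"""

def _tokens(field):
    """Split a daemon or client list on whitespace and commas."""
    return {t for t in re.split(r"[\s,]+", field) if t}

def parse_rules(text):
    """Return [(first_line_number, daemons, clients)] for each rule."""
    rules, pending, start = [], "", 0
    for n, raw in enumerate(text.splitlines(), 1):
        if not pending:
            start = n
        if raw.endswith("\\"):            # backslash-newline continues a rule
            pending += raw[:-1]
            continue
        line, pending = (pending + raw).strip(), ""
        if not line or line.startswith("#"):
            continue
        fields = [f.strip() for f in line.split(":")]
        if len(fields) < 2 or not fields[0] or not fields[1]:
            raise ValueError(f"line {start}: expected 'daemon_list : client_list'")
        rules.append((start, _tokens(fields[0]), _tokens(fields[1])))
    return rules

def unreachable(rules):
    """Line numbers of rules shadowed by an earlier catch-all for every
    daemon they name (an earlier '<daemon>: ALL' or 'ALL: ALL')."""
    caught, dead = set(), []
    for lineno, daemons, clients in rules:
        if "ALL" in caught or daemons <= caught:
            dead.append(lineno)
        # A list using EXCEPT is not a catch-all, so it shadows nothing here.
        if "ALL" in clients and "EXCEPT" not in daemons | clients:
            caught |= daemons
    return dead

if __name__ == "__main__":
    print(unreachable(parse_rules(SAMPLE)))
```

The check is deliberately conservative: it reports only rules hidden behind a literal ALL client wildcard and does not reason about overlapping address or hostname patterns.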
CAVEATS
tcpdchk only checks the syntax and logic of hosts.allow and hosts.deny. It does not verify if tcp_wrappers is actually integrated with specific services (e.g., via xinetd or compiled into daemons).
It relies on the current system's DNS/NIS/NIS+ resolution for hostnames and netgroups unless the -n option is used. The hosts.allow and hosts.deny files are typically located in /etc, but this can be overridden with the -d option.
Note that tcp_wrappers is an older mechanism; many modern Linux systems prioritize kernel-level firewalls (like iptables, nftables, firewalld) for primary network access control.
CONFIGURATION FILES
tcpdchk primarily interacts with the /etc/hosts.allow and /etc/hosts.deny files. With the -d option it reads the hosts.allow and hosts.deny files in the current directory instead.
USAGE CONTEXT
This command is typically employed by system administrators to audit and troubleshoot network access control rules for services that are configured to use tcp_wrappers for security.
HISTORY
tcpdchk is an integral part of the tcp_wrappers package, originally developed by Wietse Venema in the early 1990s. tcp_wrappers was designed to add host-based access control to network services without requiring modifications to the service binaries.
tcpdchk emerged as a vital diagnostic tool to assist administrators in debugging and verifying their hosts.allow and hosts.deny configurations, ensuring the correct application of security policies.
While still present in many Linux distributions, the direct use of tcp_wrappers for new services has somewhat diminished, largely due to the emergence of more comprehensive kernel-level firewalls and centralized network access control mechanisms.
SEE ALSO
tcpdmatch(8), hosts_access(5), hosts_options(5), xinetd(8)