tcp_wrappers is a basic system for preventing (and explicitly allowing) access to services from specified hosts. In a nutshell, it works like this:
inetd (the Internet super-server) runs a lot of servers, many of which are “wrapped” by tcpd. In other words, tcpd is what actually runs these servers, but inetd doesn't know that (or care, really). tcpd logs the attempt to connect and then checks the files /etc/hosts.allow and /etc/hosts.deny to see whether the connection should be allowed.
The rules contained in these files can be somewhat complex, but let's suppose pyramid.tdn is being really obnoxious and won't leave poor little mojo.tdn alone. mojo.tdn might throw a line into /etc/hosts.deny that looks like this:
ALL: pyramid.tdn
This line should be pretty clear: it prevents pyramid from using all of the services on mojo that are protected by tcpd. Were I to be annoyed by an entire domain in addition to pyramid, I could make that line read:
ALL: pyramid.tdn, .annoying.domain
But wait! My pal Hobbes is stuck with a machine in .annoying.domain, but I want him to be able to access me (just not the rest of his annoying friends). That's simple enough. tcpd consults hosts.allow first and grants access as soon as a rule there matches, before hosts.deny is ever checked. So, leaving hosts.deny as it stands, the following line in hosts.allow will let Hobbes in:
ALL: hobbes.annoying.domain
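The decision order behind the Hobbes exception, as an added example that is not part of tcp_wrappers or of the original page: a simplified Python model of how hosts.allow and hosts.deny are evaluated, covering only ALL, exact host names and leading-dot domain patterns. The daemon name in.telnetd and the clients calvin.annoying.domain and mojo.tdn as a caller are constructed for illustration.

```python
import re

# Rules from the page; tcpd consults hosts.allow before hosts.deny.
HOSTS_ALLOW = "ALL: hobbes.annoying.domain\n"
HOSTS_DENY = "ALL: pyramid.tdn, .annoying.domain\n"


def parse_rules(text):
    """Parse 'daemon_list: client_list' lines into (daemons, clients) pairs."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        daemons, clients = line.split(":")[:2]  # ignore any option fields
        rules.append((re.findall(r"[^,\s]+", daemons.lower()),
                      re.findall(r"[^,\s]+", clients.lower())))
    return rules


def pattern_matches(pattern, name):
    """ALL matches anything; '.dom' matches names ending in '.dom'; else exact."""
    if pattern == "all":
        return True
    if pattern.startswith("."):
        return name.endswith(pattern)
    return pattern == name


def file_matches(text, daemon, client):
    """True if any rule in the file matches this (daemon, client) pair."""
    daemon, client = daemon.lower(), client.lower()
    return any(
        any(pattern_matches(d, daemon) for d in daemons)
        and any(pattern_matches(c, client) for c in clients)
        for daemons, clients in parse_rules(text)
    )


def decide(daemon, client, allow=HOSTS_ALLOW, deny=HOSTS_DENY):
    """Return the decision and which file (if any) produced it."""
    if file_matches(allow, daemon, client):
        return "allow (hosts.allow)"
    if file_matches(deny, daemon, client):
        return "deny (hosts.deny)"
    return "allow (no rule matched)"


if __name__ == "__main__":
    # Constructed clients; in.telnetd stands in for any wrapped daemon.
    for host in ("hobbes.annoying.domain", "calvin.annoying.domain",
                 "pyramid.tdn", "mojo.tdn"):
        print(host, "->", decide("in.telnetd", host))
```

The last case shows the default worth remembering: a client that matches neither file is allowed, so hosts.deny as written on this page blocks only the hosts it names.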
For much more detail, see tcpd(8), hosts_access(5), and hosts_options(5). The tcp_wrappers system is much more flexible than this, and is well worth checking out in more depth.