While trying to make my ssh connection maximally secure, I decided to use the /etc/hosts.allow and /etc/hosts.deny files, and was able to get them working without too much trouble, so now the only external site that can connect to my home system is the address of what is probably my work system's firewall. Here's the bug: The DNS setup for the IP address of the firewall gives it two names, both (examples only) users.example.com and corpvpn.example.com are in the DNS database as the same IP. If I try to use either name (or both names) in the hosts.allow file, I always get rejected with a log message that claims users.example.com != corpvpn.example.com. If I use the IP address in hosts.allow, I still get the message in the log, but I am allowed to connect. Is the tcpwrapper code being too paranoid here? Shouldn't it lookup all the names for the IP and accept any match rather than (appapently) only looking up the 1st name?
