What do I do if the "TCP Wrappers configuration affects" error appears during SMC migration?


Server Migration Center (SMC) fails with a "TCP Wrappers configuration affects" error when migrating a Linux server to Anolis OS. To resolve this error, replace TCP Wrappers rules with firewalld before retrying the migration.

Symptom

The "TCP Wrappers configuration affects" error appears when you use SMC to migrate a Linux operating system to Anolis OS.

Cause

Anolis OS 8 no longer supports TCP Wrappers. If the source server uses /etc/hosts.allow or /etc/hosts.deny to control access, the migration is blocked until these rules are replaced with firewalld.

Solution

Background

TCP Wrappers provided application-level access control through two configuration files:

  • /etc/hosts.deny -- defines which hosts are blocked from connecting.

  • /etc/hosts.allow -- defines which hosts are allowed to connect.

In Anolis OS 8, TCP Wrappers is removed. firewalld replaces it by filtering traffic at the network level through zones. Each zone defines a trust level for a group of source IP addresses and controls which services (such as SSH) are accessible.

The following table maps common TCP Wrappers patterns to their firewalld equivalents:

| TCP Wrappers rule | Effect | firewalld equivalent |
| --- | --- | --- |
| sshd: ALL in hosts.deny | Deny SSH from all hosts | Remove ssh service from the public zone |
| sshd: 192.168.20.100 in hosts.allow | Allow SSH from a specific IP | Add source 192.168.20.100 to a custom zone with the ssh service |
| sshd: 192.168.15.16/29 in hosts.allow | Allow SSH from a subnet | Add source 192.168.15.16/29 to a custom zone with the ssh service |

The following procedure replaces TCP Wrappers SSH restrictions with firewalld by using this example configuration:

Content of /etc/hosts.deny:

#
# hosts.deny	This file contains access rules which are used to
#		deny connections to network services that either use
#		the tcp_wrappers library or that have been
#		started through a tcp_wrappers-enabled xinetd.
#
#		The rules in this file can also be set up in
#		/etc/hosts.allow with a 'deny' option instead.
#
#		See 'man 5 hosts_options' and 'man 5 hosts_access'
#		for information on rule syntax.
#		See 'man tcpd' for information on tcp_wrappers
#
sshd: ALL

Content of /etc/hosts.allow:

#
# hosts.allow This file contains access rules which are used to
# allow or deny connections to network services that
# either use the tcp_wrappers library or that have been
# started through a tcp_wrappers-enabled xinetd.
#
# See 'man 5 hosts_options' and 'man 5 hosts_access'
# for information on rule syntax.
# See 'man tcpd' for information on tcp_wrappers
#
sshd: 192.168.20.100 192.168.20.101
sshd: 192.168.15.16/29

Prerequisites

  • Access to the source server. For more information, see Connect to an instance.

  • Root or sudo privileges on the source server.

Procedure

Warning

Removing SSH from the default zone before adding it to a custom zone can lock you out of the server. In this procedure, all firewalld changes use the --permanent flag and take effect only after firewall-cmd --reload. Complete steps 1 through 4 before you reload in step 5.

  1. Install firewalld and start the service.

    yum install -y firewalld
    systemctl enable firewalld
    systemctl restart firewalld

  2. Remove the SSH service from the default zone. SSH is enabled in the public zone by default.

    firewall-cmd --permanent --remove-service=ssh

  3. Create a firewalld zone for SSH access control. A zone groups source IP addresses and defines which services they can access. Create a zone named sshzone to hold the allowed SSH sources.

    firewall-cmd --permanent --new-zone=sshzone

  4. Add allowed sources and the SSH service to sshzone. Add each IP address and subnet from /etc/hosts.allow as a source, then enable the SSH service in the zone.

    firewall-cmd --permanent --zone=sshzone --add-source=192.168.20.100
    firewall-cmd --permanent --zone=sshzone --add-source=192.168.20.101
    firewall-cmd --permanent --zone=sshzone --add-source=192.168.15.16/29
    firewall-cmd --permanent --zone=sshzone --add-service=ssh

  5. Reload firewalld to apply the configuration. The --permanent flag saves rules persistently but does not apply them until you reload.

    firewall-cmd --reload

  6. Comment out all rules in /etc/hosts.allow and /etc/hosts.deny. After firewalld takes over access control, disable the TCP Wrappers configuration by commenting out the active rules in both files.

  7. After you resolve the network issue, run the SMC client to retry the operation. For more information, see Run the SMC client.
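
Steps 3, 4 and 6 can be scripted when hosts.allow holds more than a few entries. The following is an added example, not part of the original page or of SMC: it goes beyond the three sources shown above by handling any list of IPv4 addresses or CIDR blocks for one daemon, and it skips and flags any rule it cannot translate one-to-one. The function names gen_zone_cmds and comment_out_rules and the "# REVIEW" marker are assumptions made for this example.

```shell
#!/bin/sh
# Added example; function names and the "# REVIEW" marker are hypothetical.

# gen_zone_cmds FILE DAEMON ZONE SERVICE
# Prints the step 3 and step 4 commands for the IPv4 addresses and CIDR blocks
# that FILE (hosts.allow syntax) lists for DAEMON. A rule containing any other
# pattern (ALL, hostnames, EXCEPT, options) is skipped whole and flagged, so a
# partial translation never widens access.
gen_zone_cmds() {
    file=$1; daemon=$2; zone=$3; service=$4
    ipv4='^([0-9]{1,3}\.){3}[0-9]{1,3}(/([0-9]|[12][0-9]|3[0-2]))?$'
    echo "firewall-cmd --permanent --new-zone=$zone"
    set -f                                          # tokens must not glob
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%#*}                            # strip comments
        case $line in *:*) ;; *) continue ;; esac   # not a rule
        daemons=" $(printf '%s' "${line%%:*}" | tr ',\t' '  ') "
        case $daemons in
            *" $daemon "*|*" ALL "*) ;;             # rule applies to DAEMON
            *) continue ;;
        esac
        clients=$(printf '%s' "${line#*:}" | tr ',' ' ')
        bad=
        for tok in $clients; do
            printf '%s\n' "$tok" | grep -Eq "$ipv4" || bad=$tok
        done
        if [ -n "$bad" ]; then
            printf '%s\n' "# REVIEW: rule skipped ('$bad' is not an IPv4 source): $line"
            continue
        fi
        for tok in $clients; do
            echo "firewall-cmd --permanent --zone=$zone --add-source=$tok"
        done
    done < "$file"
    set +f
    echo "firewall-cmd --permanent --zone=$zone --add-service=$service"
}

# comment_out_rules FILE...  (step 6) Prefix each active rule line with "#";
# blank lines and existing comments are untouched, originals kept as *.bak.
comment_out_rules() {
    sed -i.bak -E 's/^([[:space:]]*[^#[:space:]])/#\1/' "$@"
}

# Constructed sample: the page's hosts.allow rules plus two lines that
# exercise the skip and review paths.
sample=$(mktemp)
printf '%s\n' '# sample' 'sshd: 192.168.20.100 192.168.20.101' \
    'sshd: 192.168.15.16/29' 'vsftpd: 10.0.0.5' 'sshd: .example.com' > "$sample"
gen_zone_cmds "$sample" sshd sshzone ssh    # read the output before running it
comment_out_rules "$sample" && cat "$sample"
rm -f "$sample" "$sample.bak"
```

Read the generated commands before running them; each "# REVIEW" line marks a rule that still needs a hand-written firewalld equivalent.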

Verification

After step 5, verify that firewalld is correctly configured before proceeding.

  1. Verify that SSH is removed from the public zone. The output should not include ssh.

    firewall-cmd --zone=public --list-services

  2. Verify the sshzone configuration. The output should show the added sources and the ssh service.

    firewall-cmd --zone=sshzone --list-all

  3. Verify active zones. The output should include sshzone with the configured sources.

    firewall-cmd --get-active-zones

  4. Test SSH access from an allowed IP address to confirm connectivity.

What's next

If TCP Wrappers configuration protects services other than SSH (such as vsftpd or sendmail), apply the same pattern: create a dedicated firewalld zone for each service, add the allowed sources, and enable the service in that zone.