Enable TCP_WRAPPERs for the NIS server. The protection afforded is

not massive, but usable.

etc/hosts.allow

@@ -63,6 +63,12 @@ rpcbind : 192.0.2.32/255.255.255.224 : allow
 rpcbind : 192.0.2.96/255.255.255.224 : allow
 rpcbind : ALL : deny
 
+# NIS master server. Only local nets should have access
+ypserv : localhost : allow
+ypserv : .unsafe.my.net.example.com : deny
+ypserv : .my.net.example.com : allow
+ypserv : ALL : deny
+
 # Provide a small amount of protection for ftpd
 ftpd : localhost : allow
 ftpd : .nice.guy.example.com : allow

usr.sbin/ypserv/Makefile

@@ -8,7 +8,10 @@ MAN=	ypserv.8 ypinit.8
 SRCS=	yp_svc.c yp_server.c yp_dblookup.c yp_dnslookup.c \
 	ypxfr_clnt.c yp.h yp_main.c yp_error.c yp_access.c yp_svc_udp.c
 
-CFLAGS+= -I. -DDB_CACHE
+DPADD=	${LIBWRAP}
+LDADD=	-lwrap
+
+CFLAGS+= -I. -DDB_CACHE -DTCP_WRAPPER
 
 CLEANFILES= yp_svc.c ypxfr_clnt.c yp.h