Security Handbook/TCP wrappers
TCP wrappers is a way of controlling access to services normally run by inetd (which Gentoo does not have), but it can also be used by xinetd and other services.
The service should be executing tcpd in its server argument (in xinetd). See the chapter on xinetd for more information.
/etc/hosts.denyALL:PARANOID
/etc/hosts.allowALL: LOCAL @wheel time: LOCAL, .gentoo.org
As you can see the format is very similar to the one in /etc/security/access.conf. The tcpd facility supports a specific service; it does not overlap with /etc/security/access.conf. These settings only apply to services using TCP wrappers.
It is also possible to execute commands when a service is accessed (this can be used when activating relaying for dial-in users) but it is not recommended, since people tend to create more problems than they are trying to solve. An example could be that you configure a script to send an e-mail every time someone hits the deny rule, but then an attacker could launch a DoS attack by keep hitting the deny rule. This will create a lot of I/O and e-mails so don't do it!. Read the man 5 hosts_access for more information.