On 16 August 2017 at 05:44, Tomas Mraz <tmraz@redhat.com> wrote:

On 08/16/2017 11:37 AM, Michal Sekletar wrote:
> On Tue, Aug 15, 2017 at 1:58 PM, Jakub Jelen <jjelen@redhat.com> wrote:
>
>>
>> So can we discuss it now once more without the affiliation to systemd?
>> The fact is that we still do not have any other replacement except
>> firewalls. But do we need one?
>>
>
> IIRC, in the past discussion there was quite a lot of people arguing
> that we actually need one. I personally don't think we as a
> distribution need a drop-in replacement. However, what we possibly
> need, is a migration path for already deployed systems using
> tcp_wrappers. Just dropping tcp_wrappers and potentially leaving
> deployed services completely open would very irresponsible.
>
> Also we should consider an impact this change will have on our
> downstreams focusing on enterprise use-cases (CentOS, RHEL). I recon
> that "splash damage" potentially caused by this change will be bigger
> there than in Fedora itself.

On the other hand shipping downstream openssh patch adding this support
when there is already similar functionality present in upstream via the
Match directive in sshd_config is something I would definitely not vote for.

The main purpose of tcp_wrappers is to allow a 'live' control mechanism to an op level person/program who may not be able to change configuration files without going through change control systems or restart services (for similar reasons).

In various places, changing a startup/shutdown program requires going through all kinds of extra hassles. So having a layer where the 'local' admin can quickly 'stop' some resource usage is required. The tcp_wrappers was the mechanism to do this. This meant that openssh/postfix/etc did not need to be restarted to get the new ips to allow or disallow. A program could go through logs and add/remove hosts to a file without altering other files and thus could be apparmor/selinux policy limited for further protections.

If there is a way to have systemd read from a 'central' file to allow/deny ips without requiring a systemctl reload/restart of all the services that would be useful to know and would be the way to call it a 'replacement' of the original functionality. Then any .service file could just say it is looking at that file for appropriate matches and those that don't need it don't.

Tomas

_______________________________________________
devel mailing list -- devel@lists.fedoraproject.org
To unsubscribe send an email to devel-leave@lists.fedoraproject.org

Stephen J Smoogen.