On Wed, Sep 13, 2017 at 6:10 AM, Jan Kurik <jkurik(a)redhat.com> wrote:
> = Proposed System Wide Change: Deprecate TCP wrappers =
> https://fedoraproject.org/wiki/Changes/Deprecate_TCP_wrappers
>
> Change owner(s):
> * Jakub Jelen <jjelen AT redhat DOT com >
>
> TCP wrappers is a simple tool to block incoming connections at the
> application level. This was very useful 20 years ago, when there were
> no firewalls in Linux. This is not the case today, and connection
> filtering should be done at the network level or completely in
> application scope if it makes sense. After recent discussions I believe
> it is time to go for this package, if not completely, then at least as
> a dependency of modern daemons in the system by default.
>
> == Detailed Description ==
> The last version of tcp_wrappers was released 20 years ago (with the
> later addition of IPv6 support). At that time, it was a very powerful
> tool to "block all traffic", but these days we can do the same thing
> using firewalls/iptables/nftables for all traffic at the network level,
> or similar filtering exists in most of the applications.
>
> One of the motivating factors for this change was the removal of TCP
> wrappers support from systemd and openssh in 2014, based on the thread
> on the fedora devel list [1]. I started another thread during 2017 [2]
> which tries to explain the reasons why we should do that, with other
> constructive ideas.
>
> Another factor which has driven the deprecation of this package is the
> lack of any upstream community around it. Although the threats on
> networking communications increase, the threat coverage of this
> package has remained the same for the last two decades, suggesting
> that new threats are now being handled in different components.
>
> [1] https://lists.fedoraproject.org/pipermail/devel/2014-March/196913.html
> [2] https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org/thread/2IBVP66BM6HUZVRTFIVURNZUR2XSUMOD/
>
> == Scope ==
> * Proposal owners:
> Deprecate tcp_wrappers in Fedora, remove the dependency on other
> packages maintained and notify other maintainers to follow the same
> procedure.
>
> * Other developers:
> Remove the dependency of your software on tcp_wrappers
>
> * Release engineering:
> https://pagure.io/releng/issues/7029
>
> List of deliverables:
> Not affected
>
> Policies and guidelines: If the package will not be retired, update
> packaging guidelines to NOT RECOMMEND building against tcp_wrappers
>
> Trademark approval: N/A (not needed for this Change)

So, I'm a comaintainer of a package that uses libwrap and such (stunnel),
and I don't particularly want to lose the tcp_wrappers support in it,
because I use stunnel in containers to set up secure tunnels across a
number of systems. Unlike firewall rules (which apply globally to the
host), the hosts.deny rules apply only within the container, which is
the behavior I want.

Also, your recommended alternative of using tcpd doesn't work if the
package containing it is gone (tcp_wrappers).

It is not yet decided if the package will go away altogether or just as
a dependency of other packages. I would rather go with the first
possibility, but the second is still here as a backup.

At this point we are also in the process of investigating a replacement
in systemd, which should take care of such simple use cases as
containers with a single stunnel service.

Regards,
--
Jakub Jelen
Software Engineer
Security Technologies
Red Hat, Inc.
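To make concrete what the stunnel comment above relies on, here is an added Python model (not code from tcp_wrappers, stunnel or the thread) of the hosts_access(5) lookup that libwrap performs inside the container against the container's own /etc/hosts.allow and /etc/hosts.deny: hosts.allow is consulted first, then hosts.deny, and an unmatched connection is allowed. It covers only an IPv4 subset of the pattern syntax (ALL, exact address, net/mask, trailing-dot prefix, EXCEPT), assumes the daemon name "stunnel", and the two files are constructed for the illustration.

```python
import ipaddress


def parse_rules(text):
    """One rule per line; '#' comments and blank lines are dropped (no backslash continuations)."""
    lines = (ln.split("#", 1)[0].strip() for ln in text.splitlines())
    return [ln for ln in lines if ln]


def _client_matches(pattern, client_ip):
    """IPv4 subset of client patterns: ALL, exact address, net/mask (dotted or CIDR), trailing-dot prefix."""
    if pattern == "ALL":
        return True
    if "/" in pattern:
        return ipaddress.ip_address(client_ip) in ipaddress.ip_network(pattern, strict=False)
    if pattern.endswith("."):
        return client_ip.startswith(pattern)
    return client_ip == pattern


def _list_matches(lst, match_one):
    """'a, b EXCEPT c' matches when an item before EXCEPT matches and the list after it does not."""
    head, _, tail = lst.partition(" EXCEPT ")
    hit = any(match_one(x.strip()) for x in head.split(",") if x.strip())
    return hit and not (tail and _list_matches(tail, match_one))


def _rule_matches(rule, daemon, client_ip):
    # Rule layout: daemon_list : client_list [: option]; IPv6 brackets are not handled here.
    parts = [p.strip() for p in rule.split(":", 2)]
    if len(parts) < 2:
        return False
    return (_list_matches(parts[0], lambda d: d in ("ALL", daemon))
            and _list_matches(parts[1], lambda c: _client_matches(c, client_ip)))


def hosts_access(allow_rules, deny_rules, daemon, client_ip):
    """hosts_access(5) order: an allow match grants, else a deny match refuses, else the connection is allowed."""
    if any(_rule_matches(r, daemon, client_ip) for r in allow_rules):
        return True
    return not any(_rule_matches(r, daemon, client_ip) for r in deny_rules)


# Constructed files for a container running a single libwrap-enabled stunnel.
# The daemon name "stunnel" is an assumption made for this illustration.
HOSTS_ALLOW = "# only the tunnel peers may connect\nstunnel: 10.0.1.0/255.255.255.0, 192.0.2.10\n"
HOSTS_DENY = "ALL: ALL EXCEPT 127.0.0.1\n"


def check(daemon, client_ip):
    """Decide one connection against the constructed container files."""
    return hosts_access(parse_rules(HOSTS_ALLOW), parse_rules(HOSTS_DENY), daemon, client_ip)
```

Because the lookup reads the files inside the process's own filesystem view, a per-container hosts.deny scopes the policy to that container, which a host-wide firewall rule does not.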