Maybe it's time to get rid of tcpwrappers/tcpd?
Lennart Poettering
mzerqung at 0pointer.de
Fri Mar 21 00:32:41 UTC 2014
On Thu, 20.03.14 20:04, Martin Langhoff (martin.langhoff at gmail.com) wrote:
> On Thu, Mar 20, 2014 at 8:00 PM, Lennart Poettering <mzerqung at 0pointer.de>wrote:
>
> > A firewall has mechanisms to filter for all domains, however only
> > covering a smaller number of generic, low-level matches and actions.
> >
>
> From a usability PoV, /etc/hosts.{allow,deny} is good. I wonder if teaching
> firewalld to support some of that functionality would help here.
I don't see how these files would have a good "usability". It has all
this fancy support for good old IDENT user names!
I mean, in this day and age we should not consider an ACL language well
designed if it basically pushes users to use IDENT and DNS for
authentication. (And no, don't say the words DNSSEC, nobody sets that
up, we don't have it as default, and tcpwrap doesn't check wether DNSSEC
is enabled either, before trusting a hostname...).
Quite frankly, about 70% of tcpwrappers is security theater. It gives
you a fake sense of security with DNS and IDENT checks and that kind of
stuff.
The other 30% (i.e. simple IP range checks), are much better done in a
real firewall.
An no, a language designed like that doesn't have good
usability. Somebody who is new to all of this, and reads the man page
will set up matches against DNS names and IDENT, and then feel
secure. That's doesn't provide good "usability", that's simply
misleading the user. Giving a promise of security, while being completely
conceptually broken and easily compromisable, if working at all...
BTW, I asked the other distros about this. ArchLinux has removed tcpwrap
from their distro 2 years ago. Suse is making babysteps for removing it
(the original patch to disable it by default in systemd came from
them). Debian (of course...) loves it though.
Lennart
--
Lennart Poettering, Red Hat
More information about the devel
mailing list