Maybe it's time to get rid of tcpwrappers/tcpd?

Paul Wouters paul at nohats.ca
Fri Mar 21 04:27:02 UTC 2014


On Fri, 21 Mar 2014, Lennart Poettering wrote:

> I mean, in this day and age we should not consider an ACL language well
> designed if it basically pushes users to use IDENT and DNS for
> authentication. (And no, don't say the words DNSSEC, nobody sets that
> up, we don't have it as default, and tcpwrap doesn't check whether DNSSEC
> is enabled either, before trusting a hostname...).

We kinda do have DNSSEC per default. All DNS servers installed per
default do DNSSEC. Installing dnssec-trigger makes that even more
pervasive.

But I agree decisions based on DNS/reverse and IDENT are long dead.

> The other 30% (i.e. simple IP range checks), are much better done in a
> real firewall.

I agree.

Paul

