Maybe it's time to get rid of tcpwrappers/tcpd?

Matthew Miller mattdm at fedoraproject.org
Fri Mar 21 14:05:34 UTC 2014


On Thu, Mar 20, 2014 at 06:34:22PM +0100, Lennart Poettering wrote:
> I wonder whether it wouldn't be time to say goodbye to tcpwrappers in
> Fedora. There has been a request in systemd upstream to disable support

I talked to some of the RHEL planning people, and they're okay
with marking it deprecated in RHEL7. That allays some of my concerns about
downstream enterprise needs -- although there was also the comment that the
libwrap2 approach would be a good one.

I'm also collecting some feedback from CentOS users. I'll wait to report on
that for a little bit, but I think in general the majority response is okay
with it, with a significantly vocal "why change things that work?"
contingent, and also the more practical concerns that a) tcp_wrappers is
cross-platform for mixed Linux/Unix shops where iptables is not, and b) CIS
(Center for Internet Security) benchmarks (taken seriously in many
enterprises) recommend both TCP wrappers and host-based packet filtering,
noting "TCP Wrappers and Host-Based Firewalls are presented together as they
are similar and complementary in functionality."

Those two concerns do give me some pause; it might be nice to at least
discuss with CIS whether the benchmark should be updated. And the
cross-compatibility concern argues for either the libwrap2 idea or the
compatible firewall-rule-generator concept.

-- 
Matthew Miller    --   Fedora Project    --    <mattdm at fedoraproject.org>

