Maybe it's time to get rid of tcpwrappers/tcpd?
Reindl Harald
h.reindl at thelounge.net
Sat Mar 29 15:06:50 UTC 2014
Am 29.03.2014 15:54, schrieb Orion Poplawski:
> What gives you the impression that fail2ban is "crusty"? It's being
> actively developed upstream and integrates with firewalld now. Are
> those particularly onerous dependencies?
and that is the problem / difference to tcpwrapper
it integrates in the firewall / iptables
so you have *not* additional security layer, you have
a single layer with a single point of failure and if
iptables for hwatever reason does not work as it should
you are lost
* bug in the rules failing iptables / forewalld to start
* SELinux failing iptables / forewalld to start
* bug in the iptables-rules render it useless (ACCEPT before REJECT/DROP)
if it ever comes to security you must not have a single protection layer
and some others appearing to exist but rely on that single layer makes
things even worser - /etc/hosts.deny works independent of SELinux or iptables
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 246 bytes
Desc: OpenPGP digital signature
URL: <http://lists.fedoraproject.org/pipermail/devel/attachments/20140329/e4d2d6ae/attachment.sig>
More information about the devel
mailing list