Fedora tcp_wrappers (missing) support for custom acl scripts, aclexec
Pasi Kärkkäinen
pasik at iki.fi
Tue Jan 13 19:40:41 UTC 2015
On Mon, Jan 12, 2015 at 05:17:08PM +0100, Lennart Poettering wrote:
> On Sun, 11.01.15 21:29, Tomasz Torcz (tomek at pipebreaker.pl) wrote:
>
> > On Sat, Jan 10, 2015 at 12:16:38AM +0200, Pasi Kärkkäinen wrote:
> > > Hello,
> > >
> > > I recently noticed Debian/Ubuntu has had support for "aclexec" in tcp_wrappers via a custom patch since 2006,
> > > so you can do this in /etc/hosts.allow or hosts.deny:
> > >
> > >
> > > What do people feel about that? I'd like to see support for aclexec included in Fedora's tcp_wrappers package.
> >
> > Enhancing tcpwrappers isn't generally the way we are going:
> > https://lists.fedoraproject.org/pipermail/devel/2014-March/196913.html
> >
> > The above discussion is only about a proposal; no change was made. But I highly doubt
> > any serious work on tcpwrappers will happen.
>
> Well, we *did* drop tcpwrap support from systemd. It's not just OpenSSH
> that is dropping it...
>
> tcpwrap should really be removed. Having such crap, unmaintained code
> responsible for security checks is completely backwards.
>
Then again, there is no better option available atm which provides the *same* features as tcpwrapper,
mostly:
1) Centralized configuration, same syntax and config file for all the services using tcpwrapper (which is most services).
2) DNS-based checks (yes, there are valid use-cases for reverse-DNS checks as well).
3) Execute custom "ACL"-scripts for any service, integrate with DNS RBLs, or look up other IP databases.
If there were a better option than tcpwrapper I'd be happy to use it.
> Lennart
>
> --
> Lennart Poettering, Red Hat
> --
-- Pasi
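As an added illustration of item 3 above (not code from the thread, the Debian aclexec patch, or tcp_wrappers itself), here is a minimal ACL script that looks a client's IPv4 address up in a DNS-based blocklist and turns the answer into an exit status. The blocklist zone, the exit-code convention (0 = allow, non-zero = deny), the command-line argument form, and the offline resolver stub are assumptions.

```python
"""Added example: an aclexec-style ACL hook that consults a DNSBL.
Zone name, exit-code convention and argument form are assumptions,
not facts taken from the mailing-list message."""
import ipaddress
import socket
import sys

DNSBL_ZONE = "dnsbl.example.invalid"  # placeholder zone (assumption)


def dnsbl_query_name(addr: str, zone: str = DNSBL_ZONE) -> str:
    """Build the DNSBL query name: IPv4 octets reversed, zone appended."""
    ip = ipaddress.IPv4Address(addr)  # raises ValueError on non-IPv4 input
    return ".".join(reversed(str(ip).split("."))) + "." + zone


def listed(addr: str, resolve=socket.gethostbyname, zone: str = DNSBL_ZONE) -> bool:
    """True if the list answers with a 127.0.0.x record (a listing).
    socket.gaierror covers both NXDOMAIN and resolver failure; treating
    both as 'not listed' fails open, so a dead list does not block everyone."""
    try:
        answer = resolve(dnsbl_query_name(addr, zone))
    except socket.gaierror:
        return False
    return answer.startswith("127.")


def acl_decision(addr: str, resolve=socket.gethostbyname) -> int:
    """Exit status for the hook: 0 allows, 1 denies (assumed convention).
    An address that cannot be parsed is denied (fail closed)."""
    try:
        return 1 if listed(addr, resolve) else 0
    except ValueError:
        return 1


def fake_resolver(name: str) -> str:
    """Constructed offline stand-in for DNS: one listed address, NXDOMAIN otherwise."""
    table = {"4.3.2.10." + DNSBL_ZONE: "127.0.0.2"}
    if name in table:
        return table[name]
    raise socket.gaierror("NXDOMAIN")


if __name__ == "__main__":
    # Invocation form assumed: script <client-address>
    sys.exit(acl_decision(sys.argv[1]) if len(sys.argv) > 1 else 1)
```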