Once upon a time, Ric Wheeler <rwheeler@xxxxxxxxxx> said:
> Chris Adams wrote:
> >TCP_wrappers was good before we had host-based firewalls, but is really
> >obsolete at this point, except for trying to do access control based on
> >DNS (which, for the most part, is a bad idea, as seen in this thread).
> >
> Sounds like it is something that we might want to try to deprecate and
> eventually remove.

I hadn't really given it much thought before this thread, but that really may be the case (IMHO of course).

TCP_wrappers functions that are not really useful now:

- connection logging; this came when executed directly (e.g. from old inetd), but I don't think anything uses that now (xinetd, NFS, OpenSSH, etc. use their own logging instead of tcp_wrappers'); now that I look, I see rpcbind has a "-l" option that looks like it uses libwrap's logging (option is not on by default)
- basic allow/deny access control on a per-host and per-service basis; this can also be done with iptables for most services (and iptables is better, since that keeps any system daemon from even seeing a connection => lower load, less possible vulnerability, etc.)
- IDENT lookup (I don't believe anything uses this now)

There are some things that you can still do with TCP_wrappers that you can't easily do in other ways:

- control access to RPC services that live on essentially random ports
- do DNS-based access control (which can seem useful but is often a bad idea)
- easier to manage "dynamic" access control such as done with denyhosts

The annoying thing about even considering deprecating TCP_wrappers is that for most (if not all) current use, it is a build-time decision. If you build e.g. OpenSSH without -lwrap, there is no way to add that functionality back.

Somebody could teach denyhosts about iptables instead of /etc/hosts.deny (shouldn't be too hard to manage with a couple of new scripts). That brings me back to RPC services though, which means NFS (which started all of this).

Some of the NFS component services have fixed ports now (even though they still register with portmapper), such as nfsd (2049) and rquotad (875), but I believe that mountd, lockd, and statd all run on portmapper-assigned random ports. The only way to control access to them is currently TCP_wrappers. Ideally, there'd be an iptables module or something that could track RPC assignments and limit access, but that isn't a simple thing. Alternately, you could have the portmapper have a callout to a script that could modify iptables settings.

-- 
Chris Adams <cmadams@xxxxxxxxxx>
Systems and Network Administrator - HiWAAY Internet Services
I don't speak for anybody but myself - that's enough trouble.

-- 
fedora-devel-list mailing list
fedora-devel-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-devel-list
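The "callout to a script that could modify iptables" idea at the end of the message, as an added example that is not from this thread: a POSIX shell function that parses `rpcinfo -p` style output and prints (rather than applies) iptables rules confining the current mountd, lockd (nlockmgr) and statd (status) ports to one allowed network. The sample rpcinfo listing, its port numbers and the 192.0.2.0/24 network are constructed assumptions.

```shell
#!/bin/sh
# Constructed sample of `rpcinfo -p` output (not captured from a real host).
# lockd and statd register as "nlockmgr" and "status"; nfs itself is on
# fixed port 2049 and is deliberately left out of the generated rules.
SAMPLE_RPCINFO='   program vers proto   port  service
    100000    4   tcp    111  portmapper
    100005    1   udp  20048  mountd
    100005    3   tcp  20048  mountd
    100021    1   udp  39765  nlockmgr
    100021    4   tcp  44411  nlockmgr
    100024    1   udp  48199  status
    100024    1   tcp  58321  status
    100003    3   tcp   2049  nfs'

# rpc_rules ALLOWED_CIDR SERVICE...: read rpcinfo -p output on stdin and
# print an ACCEPT rule for ALLOWED_CIDR plus a DROP rule for everyone else,
# once per protocol/port pair of each named service. Printing, not applying,
# keeps the script safe to run from a portmapper callout for review first.
rpc_rules() {
    cidr=$1; shift
    awk -v cidr="$cidr" -v svcs="$*" '
        BEGIN { n = split(svcs, want, " "); for (i = 1; i <= n; i++) keep[want[i]] = 1 }
        NR == 1 { next }                    # skip the column header line
        NF == 5 && ($5 in keep) {
            key = $3 "/" $4
            if (key in seen) next           # several versions share one port
            seen[key] = 1
            printf "iptables -A INPUT -p %s --dport %s -s %s -j ACCEPT\n", $3, $4, cidr
            printf "iptables -A INPUT -p %s --dport %s -j DROP\n", $3, $4
        }'
}

# Number of ACCEPT rules produced for the sample, for checking the parser.
count_accepts() {
    printf '%s\n' "$SAMPLE_RPCINFO" | rpc_rules "$1" mountd nlockmgr status | grep -c ' -j ACCEPT'
}

# On a live host this would read `rpcinfo -p` instead of the sample.
printf '%s\n' "$SAMPLE_RPCINFO" | rpc_rules 192.0.2.0/24 mountd nlockmgr status
```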