Re: Maybe it's time to get rid of tcpwrappers/tcpd?

On Thursday 20 March 2014 19:45:32 Lennart Poettering wrote:
> No. systemd is not a firewall. It currently supports libwrap checks for
> socket activated services. And I'd really like to get rid of that...

Confession: I've never bothered looking in tcpwrappers code/api, so
I'll take your assessment that this code should be thrown away...

However, the functionality *at the service level* has its value,
as a complement to firewall rules which are global by nature.

Let's look at familiar NON-tcpwrappers examples:
 * Every sane network service allows you to bind to specific interfaces
   although you could protect them via firewall rules.

   It's not *only* security, but also flexibility (e.g: running several
   instances on several [physical or virtual] network interfaces).

   Sometimes it's just extra *safety* (e.g: you don't want an internal
   DHCP server to answer hosts on the corporate network by mistake).

 * You mentioned yourself the sshd "Match" keyword. Again, it's not just
   "security" per-se, but the softer ability to control a network
   resource *at the service level*.

 * xinetd also supports some socket control options (besides optional
   tcpwrappers integration). E.g: "per_source" or "cps" directives.

 * Last, a somewhat theoretical example. User-level services.
   (e.g: screen sharing of personal desktop like "krfb").
   The non-root user may not have global control on the host and firewall
   but may want to set limits on who can bother him/her.

   (it's theoretical simply because current implementations don't
    give the user any such control ;-)

So is there any chance to have similar functionality?
 * IMO, exact feature/syntax parity with tcpwrappers isn't important at all.

 * However, *some* optional socket control/limits in <service>.socket file
   would go a long way.

 * If this happens to be implemented in a small library with sane API,
   it may even contribute to the direct replacement of tcpwrappers
   in other network services that need similar features...

Thanks,


-- 
Oron Peled                                 Voice: +972-4-8228492
oron@xxxxxxxxxxxx                  http://users.actcom.co.il/~oron

"The wonderful thing about standards is that there are so many of
them to choose from."
                                -- Grace Murray Hopper

-- 
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
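The service-level controls the message lists (an address allow-list in the spirit of sshd's "Match", xinetd's "per_source" cap on simultaneous connections from one client, and xinetd's "cps" rate limit) can be expressed as one small policy object that a socket-activated service consults before it serves each accepted connection. The following is an added example written for this page; it is not code from the thread, from systemd or from xinetd. The class name SocketPolicy, its constructor parameters and the sample addresses are assumptions, the "cps" limit is modelled as a sliding window rather than xinetd's exact "disable the service for N seconds" behaviour, and the clock is injected so the example runs deterministically offline.

```python
import ipaddress
import time
from collections import defaultdict, deque


class SocketPolicy:
    """Service-level admission policy for incoming connections.

    Hypothetical helper (not a systemd or xinetd API). Checks run in this order:
    allow-list, per-source concurrent connection cap, then global rate limit,
    so a connection rejected early does not consume rate-limit budget.
    """

    def __init__(self, allow=(), per_source=None, cps=None, now=time.monotonic):
        # allow: iterable of CIDR strings; empty means "accept any address"
        self.allow = [ipaddress.ip_network(n) for n in allow]
        # per_source: max simultaneous connections per client address (xinetd per_source)
        self.per_source = per_source
        # cps: (max_connections, window_seconds) sliding window (xinetd cps, simplified)
        self.cps_limit, self.cps_window = cps if cps else (None, None)
        self.now = now                      # injectable clock for testing
        self.active = defaultdict(int)      # address -> open connections
        self.recent = deque()               # timestamps of accepted connections

    def check(self, peer_ip):
        """Return (accepted, reason) for a connection from peer_ip and account for it."""
        addr = ipaddress.ip_address(peer_ip)
        if self.allow and not any(addr in net for net in self.allow):
            return False, "not in allow-list"
        if self.per_source is not None and self.active[addr] >= self.per_source:
            return False, "per-source limit"
        if self.cps_limit is not None:
            t = self.now()
            # drop timestamps that fell out of the window
            while self.recent and t - self.recent[0] > self.cps_window:
                self.recent.popleft()
            if len(self.recent) >= self.cps_limit:
                return False, "rate limit"
            self.recent.append(t)
        self.active[addr] += 1
        return True, "accepted"

    def release(self, peer_ip):
        """Call when a connection from peer_ip closes."""
        addr = ipaddress.ip_address(peer_ip)
        if self.active[addr] > 0:
            self.active[addr] -= 1


def demo():
    """Run a constructed sequence of connection attempts and return the decisions."""
    clock = [100.0]                         # fake monotonic clock, constructed
    policy = SocketPolicy(allow=["192.0.2.0/24", "::1/128"],
                          per_source=2, cps=(3, 1.0), now=lambda: clock[0])
    # Sample peer addresses are constructed (RFC 5737 documentation ranges).
    attempts = ["198.51.100.7",             # outside allow-list
                "192.0.2.10", "192.0.2.10", # two concurrent connections, ok
                "192.0.2.10",               # third from same source, capped
                "192.0.2.11",               # third accepted connection in window
                "192.0.2.12"]               # fourth within 1 s, rate limited
    decisions = [policy.check(ip)[1] for ip in attempts]
    clock[0] += 2.0                         # window expires
    policy.release("192.0.2.10")            # one connection closes
    decisions.append(policy.check("192.0.2.10")[1])
    return decisions


if __name__ == "__main__":
    for d in demo():
        print(d)
```

In a socket-activated service the check would run right after accept() on the file descriptor systemd passed in, with release() on close; the same object also applies when the daemon binds its own listening sockets, which is what makes this complementary to, rather than a replacement for, host firewall rules.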