On Thu, Mar 20, 2014 at 06:34:22PM +0100, Lennart Poettering wrote:
> I wonder whether it wouldn't be time to say goodbye to tcpwrappers in
> Fedora. There has been a request in systemd upstream to disable support

I talked to some of the RHEL planning people, and they're okay with marking it deprecated in RHEL7. That allays some of my concerns about downstream enterprise needs -- although there was also the comment that the libwrap2 approach would be a good one.

I'm also collecting some feedback from CentOS users. I'll wait to report on that for a little bit, but I think in general the majority response is okay with it, with a significantly vocal "why change things that work?" contingent, and also the more practical concerns that a) tcp_wrappers is cross-platform for mixed Linux/Unix shops where iptables is not, and b) CIS (Center for Internet Security) benchmarks (taken seriously in many enterprises) recommend both TCP wrappers and host-based packet filtering, noting "TCP Wrappers and Host-Based Firewalls are presented together as they are similar and complementary in functionality."

Those two concerns do give me some pause; it might be nice to at least discuss with CIS whether the benchmark should be updated. And the cross-compatibility concern argues for either the libwrap2 idea or the compatible firewall-rule-generator concept.

--
Matthew Miller -- Fedora Project -- <mattdm@xxxxxxxxxxxxxxxxx>
--
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct