On 22.03.2014 07:15, Reindl Harald wrote:
> On 22.03.2014 03:21, Lennart Poettering wrote:
>> On Sat, 22.03.14 01:20, Miloslav Trmač (mitr@xxxxxxxx) wrote:
>>> DNS queries can't really be done within the firewall (and due to the
>>> circular dependency between having the firewall up before allowing access
>>> to the network and needing access to the network to resolve DNS names, they
>>> can't even be used in the on-disk firewall configuration). Having a single
>>> centralized name->IP address repository instead of having a redundant copy
>>> in each host, and having the configuration use readable names instead of IP
>>> addresses, makes some difference in usability and management overhead.
>>
>> This is supposedly security functionality. You shouldn't build your
>> security functionality on top of DNS. If you do, then you gain no
>> security
>
> in your world one thing rules all true
> in the world of *layered* security not true

and i will give an example of what layered security means

* years ago i played around with SELinux
* after boot SELinux blocked iptables from starting
* my smb.conf has "hosts allow" on any machine
* i recognized the failed iptables by messages in the samba log about not allowed hosts
* guess what happens if you have a guest-share in that case without another security layer

so if you propose to remove things which really may not be the best solution but are a solution in the context of layered security, you should at the same time propose a replacement which does it better - in the context of tcpwrappers a replacement working with hosts.allow and hosts.deny, and go ahead and propose this to be linked with any network aware software in the distribution

*that* would be a smart proposal and gains a lot

proposing to declare things as deprecated while demanding that the whole world adopt the changes is a sloppy attitude, frankly

can you imagine what people all over the world could have developed on top of Fedora with the time wasted the last few years by adopting changes with no backward compatibility?

making proposals and deprecations is easy as long as the person who does so does not have to chew the result, by cherry picking what makes their own development easier and cleaner and not caring about existing usecases which just work until someone breaks them willingly

and *please*, as long as you don't understand layered security and think a single point of defense resulting in a single point of failure with no additional safety net is fine, don't talk too much about security
Attachment:
signature.asc
Description: OpenPGP digital signature
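As an added example (not code from the thread, from tcp_wrappers or from Fedora), here is a small evaluator for tcp_wrappers-style hosts.allow / hosts.deny files with constructed rule contents; connection_allowed() models the scenario in the post, where the packet filter fails to load and only the second layer is left. The LAN range 192.168.1.0/24 and the sample rules are assumptions made for the example.

```python
import ipaddress

# Constructed sample rule files (format: daemon_list : client_list), not a real host's config.
HOSTS_ALLOW = """
smbd : 192.168.1.0/255.255.255.0      # the LAN may reach Samba
sshd : 10.0.0.5 192.168.1.            # one exact host plus a dotted-prefix match
"""
HOSTS_DENY = "ALL : ALL\n"             # anything not explicitly allowed is denied

def parse_rules(text):
    """Return [(daemons, clients)] from an access-control file, ignoring comments."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        daemons, clients = (part.strip() for part in line.split(":", 1))
        rules.append((daemons.split(), clients.split()))
    return rules

def client_matches(pattern, client_ip):
    """Match ALL, a dotted prefix ('192.168.1.'), net/mask, or an exact address."""
    if pattern == "ALL":
        return True
    if pattern.endswith("."):
        return client_ip.startswith(pattern)
    if "/" in pattern:
        return ipaddress.ip_address(client_ip) in ipaddress.ip_network(pattern, strict=False)
    return pattern == client_ip

def rules_match(rules, daemon, client_ip):
    return any(("ALL" in daemons or daemon in daemons)
               and any(client_matches(p, client_ip) for p in clients)
               for daemons, clients in rules)

def hosts_access(daemon, client_ip, allow=HOSTS_ALLOW, deny=HOSTS_DENY):
    """tcp_wrappers evaluation order: hosts.allow wins, then hosts.deny, otherwise permit."""
    if rules_match(parse_rules(allow), daemon, client_ip):
        return True
    return not rules_match(parse_rules(deny), daemon, client_ip)

LAN = ipaddress.ip_network("192.168.1.0/24")   # assumed LAN the packet filter admits

def connection_allowed(daemon, client_ip, firewall_up, deny=HOSTS_DENY):
    """Two layers: the packet filter (if it loaded), then the hosts_access check."""
    if firewall_up and ipaddress.ip_address(client_ip) not in LAN:
        return False
    return hosts_access(daemon, client_ip, deny=deny)
```

With the firewall down and no hosts.deny entry, an outside client reaches the guest share; with an `ALL : ALL` deny in place, the second layer still blocks it.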
--
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct