On 29.03.2014 15:54, Orion Poplawski wrote:
> What gives you the impression that fail2ban is "crusty"? It's being
> actively developed upstream and integrates with firewalld now. Are
> those particularly onerous dependencies?

and that is the problem / difference to tcpwrapper

it integrates in the firewall / iptables, so you do *not* have an additional security layer; you have a single layer with a single point of failure, and if iptables for whatever reason does not work as it should, you are lost

* bug in the rules failing iptables / firewalld to start
* SELinux failing iptables / firewalld to start
* bug in the iptables-rules render it useless (ACCEPT before REJECT/DROP)

if it ever comes to security you must not have a single protection layer, and some others appearing to exist but relying on that single layer makes things even worse - /etc/hosts.deny works independent of SELinux or iptables
--
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
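One of the failure modes listed in the message above is an ACCEPT placed before the REJECT/DROP it should follow. As an added example (not part of the original message), this Python check scans `iptables-save` output and reports rules that an earlier, broader ACCEPT in the same chain hides. The sample ruleset and its addresses are constructed, and only exact-match conditions are compared (no CIDR containment, rate-limit or jump analysis).

```python
import re

# Constructed sample in iptables-save format (not taken from the thread).
SAMPLE_RULES = """\
*filter
:INPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -s 203.0.113.7/32 -p tcp -m tcp --dport 22 -j REJECT --reject-with icmp-port-unreachable
-A INPUT -s 198.51.100.0/24 -p udp -m udp --dport 53 -j DROP
-A INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
"""

# "-A <chain> [match conditions] -j <target> [target options]"
RULE = re.compile(r"^-A (\S+)((?: .*?)?) -j (\S+)")
# One match condition: optional "! ", the option name, then its values.
OPTION = re.compile(r"(?:! )?--?[A-Za-z][\w-]*(?: (?!-|! )\S+)*")


def find_shadowed(ruleset_text):
    """Return (line_no, rule, accept_line_no) for rules hidden by an earlier ACCEPT."""
    table, accepts, findings = None, {}, []
    for line_no, line in enumerate(ruleset_text.splitlines(), 1):
        if line.startswith("*"):
            table = line[1:].strip()  # iptables-save section header, e.g. "*filter"
        rule = RULE.match(line)
        if rule is None:
            continue
        chain, conditions, target = rule.groups()
        matches = frozenset(OPTION.findall(conditions))
        earlier = accepts.setdefault((table, chain), [])
        if target == "ACCEPT":
            earlier.append((line_no, matches))
            continue
        # An earlier ACCEPT whose conditions are a subset of this rule's
        # takes every packet this rule would match, so this rule never fires.
        hit = next((n for n, m in earlier if m <= matches), None)
        if hit is not None:
            findings.append((line_no, line, hit))
    return findings


if __name__ == "__main__":
    for line_no, rule, accept_no in find_shadowed(SAMPLE_RULES):
        print(f"line {line_no} is shadowed by the ACCEPT on line {accept_no}: {rule}")
```

Feeding it the output of `iptables-save` after every rules change catches the ordering bug before the deny rule is relied on.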