On Wed, Apr 23, 2014 at 3:40 PM, mancha <mancha1@xxxxxxxx> wrote:
> On Wed, Apr 23, 2014 at 02:31:43PM -0500, Ben Lindstrom wrote:
>> Personally, I'm glad to see us finally doing away with tcpwrapper. It
>> is a dark part of our history that should be scorched from the planet
>> so we can get people to start doing stuff the right away^H^H^H^H our way

Fixed That For You(tm).

> Don't use "--with-tcp-wrappers"
>
> --mancha

tcp_wrappers has been a much, much easier and safer to set up lightweight, application firewall filter for a *long* time. It's been useful and safer to implement than the plethora of easily fractured firewall configurations configured, and inconsistently configured, by every GUI script kiddie with an attitude who's never actually learned to do flow charts and logic diagrams and really understand how firewalls work.

Its integration with SSH has helped make SSH safer to configure when touching the firewall was out of the scope of the host-specific admin, and I've personally encountered such situations. (Do not get me *started* on Puppet, Tuttle, CFengine and Chef admins who will insist on retaining sitewide control of the firewall configs and really don't know how to do them well.)

iptables and pif are likely to be overridden in a larger environment by someone else's standards, but you can get away with noticeably improved system access control despite this by configuring at least tcp_wrappers.

Please leave in a lightweight, stable, useful future.

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev