On 16 August 2017 at 05:44, Tomas Mraz <tm...@redhat.com> wrote:
> On 08/16/2017 11:37 AM, Michal Sekletar wrote:
> > On Tue, Aug 15, 2017 at 1:58 PM, Jakub Jelen <jje...@redhat.com> wrote:
> >
> >> So can we discuss it now once more without the affiliation to systemd?
> >> The fact is that we still do not have any other replacement except
> >> firewalls. But do we need one?
> >
> > IIRC, in the past discussion there were quite a lot of people arguing
> > that we actually need one. I personally don't think we as a
> > distribution need a drop-in replacement. However, what we possibly
> > need is a migration path for already deployed systems using
> > tcp_wrappers. Just dropping tcp_wrappers and potentially leaving
> > deployed services completely open would be very irresponsible.
> >
> > Also we should consider the impact this change will have on our
> > downstreams focusing on enterprise use-cases (CentOS, RHEL). I reckon
> > that the "splash damage" potentially caused by this change will be bigger
> > there than in Fedora itself.
>
> On the other hand, shipping a downstream openssh patch adding this support
> when there is already similar functionality present in upstream via the
> Match directive in sshd_config is something I would definitely not vote
> for.
The main purpose of tcp_wrappers is to allow a 'live' control mechanism to an op-level person/program who may not be able to change configuration files without going through change control systems, or restart services (for similar reasons). In various places, changing a startup/shutdown program requires going through all kinds of extra hassles. So having a layer where the 'local' admin can quickly 'stop' some resource usage is required. tcp_wrappers was the mechanism to do this. This meant that openssh/postfix/etc. did not need to be restarted to get the new IPs to allow or disallow. A program could go through logs and add/remove hosts to a file without altering other files, and thus could be apparmor/selinux policy limited for further protections.

If there is a way to have systemd read from a 'central' file to allow/deny IPs without requiring a systemctl reload/restart of all the services, that would be useful to know and would be the way to call it a 'replacement' of the original functionality. Then any .service file could just say it is looking at that file for appropriate matches, and those that don't need it don't.

> Tomas
> _______________________________________________
> devel mailing list -- devel@lists.fedoraproject.org
> To unsubscribe send an email to devel-le...@lists.fedoraproject.org

--
Stephen J Smoogen.
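The 'live' behaviour Stephen describes above, as an added illustration that is not part of the thread and is not libwrap's code: a simplified hosts.allow / hosts.deny evaluator that applies the tcp_wrappers decision order (hosts.allow first, then hosts.deny, otherwise allow) and re-reads both files on every connection, so an edit to the file changes the decision without any service restart. It supports only a subset of the hosts_access(5) client syntax (ALL, an exact IPv4 address, a trailing-dot prefix like `192.168.1.`, and a network/mask or CIDR block); EXCEPT clauses and hostname matching are deliberately rejected rather than silently misinterpreted. The file paths and addresses are constructed for the demonstration.

```python
"""Simplified tcp_wrappers-style access check (illustration, not libwrap).

Rule line format (subset of hosts.allow / hosts.deny):
    daemon_list : client_list
Each list is comma-separated.  Client patterns understood here: ALL,
an exact IPv4 address, a trailing-dot prefix (192.168.1.), or a
network given as n.n.n.n/m.m.m.m or CIDR.  EXCEPT and hostnames are
not implemented and raise ValueError so misconfiguration fails loudly.
"""
import ipaddress
import os
import tempfile
from pathlib import Path


def _parse_rules(text):
    """Return a list of (daemons, clients) tuples from hosts.allow/deny text."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments / blanks
        if not line or ":" not in line:
            continue
        if "EXCEPT" in line.upper():
            raise ValueError("EXCEPT clauses are not supported in this example")
        daemons, clients = line.split(":", 1)
        rules.append((
            [d.strip() for d in daemons.split(",") if d.strip()],
            [c.strip() for c in clients.split(",") if c.strip()],
        ))
    return rules


def _client_matches(pattern, client_ip):
    """Match one client pattern against a dotted-quad client address."""
    addr = ipaddress.ip_address(client_ip)
    if pattern == "ALL":
        return True
    if pattern.endswith("."):                        # 192.168.1. style prefix
        return client_ip.startswith(pattern)
    if "/" in pattern:                               # n.n.n.n/m.m.m.m or CIDR
        return addr in ipaddress.ip_network(pattern, strict=False)
    return client_ip == pattern                      # exact address only


def _rule_matches(rule, daemon, client_ip):
    daemons, clients = rule
    daemon_ok = any(d in ("ALL", daemon) for d in daemons)
    return daemon_ok and any(_client_matches(c, client_ip) for c in clients)


def evaluate_access(daemon, client_ip, allow_text, deny_text):
    """tcp_wrappers order: a hosts.allow match wins, then hosts.deny, else allow."""
    if any(_rule_matches(r, daemon, client_ip) for r in _parse_rules(allow_text)):
        return True
    if any(_rule_matches(r, daemon, client_ip) for r in _parse_rules(deny_text)):
        return False
    return True


def check_access_live(daemon, client_ip, allow_path, deny_path):
    """Re-read both files on every call.  This per-connection read is what
    lets an operator flip access by editing a file, with no restart."""
    def read(p):
        return Path(p).read_text() if Path(p).exists() else ""
    return evaluate_access(daemon, client_ip, read(allow_path), read(deny_path))


def demo_live_reload():
    """Constructed scenario: deny-all policy, then an allow entry is added to
    the file between two connection attempts.  Returns (before, after)."""
    d = tempfile.mkdtemp()
    allow, deny = os.path.join(d, "hosts.allow"), os.path.join(d, "hosts.deny")
    Path(deny).write_text("ALL: ALL\n")
    Path(allow).write_text("")
    before = check_access_live("sshd", "198.51.100.5", allow, deny)
    # Operator (or a log-scanning helper) adds a host; no sshd restart needed.
    Path(allow).write_text("sshd: 198.51.100.5\n")
    after = check_access_live("sshd", "198.51.100.5", allow, deny)
    return before, after


if __name__ == "__main__":
    print("live reload (before, after):", demo_live_reload())
```

In a real deployment the check would sit in the accept path of the service (or in a wrapper in front of it), which is exactly why only the file, not the daemon, needs to change.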
_______________________________________________
devel mailing list -- devel@lists.fedoraproject.org
To unsubscribe send an email to devel-le...@lists.fedoraproject.org