On Fri, 21 Mar 2014, Lennart Poettering wrote:
I mean, in this day and age we should not consider an ACL language well designed if it basically pushes users to use IDENT and DNS for authentication. (And no, don't say the words DNSSEC, nobody sets that up, we don't have it as default, and tcpwrap doesn't check wether DNSSEC is enabled either, before trusting a hostname...).
we kinda do have dnssec per default. All DNS servers installed per default do DNSSEC. Installing dnssec-trigger makes that even more pervasive. But I agree decisions based on DNS/reverse and IDENT are long dead.
The other 30% (i.e. simple IP range checks), are much better done in a real firewall.
I agree. Paul -- devel mailing list devel@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/devel Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
