On Mon, Jan 12, 2015 at 05:17:08PM +0100, Lennart Poettering wrote:
> On Sun, 11.01.15 21:29, Tomasz Torcz (to...@pipebreaker.pl) wrote:
> 
> > On Sat, Jan 10, 2015 at 12:16:38AM +0200, Pasi Kärkkäinen wrote:
> > > Hello,
> > > 
> > > I recently noticed Debian/Ubuntu has had support for "aclexec" in tcp_wrappers via a custom patch since 2006,
> > > so you can do this in /etc/hosts.allow or hosts.deny:
> > > 
> > > 
> > > What do people feel about that? I'd like to see support for aclexec included in Fedora's tcp_wrappers package.
> > 
> >    Enhancing tcpwrappers isn't generally a way we are going:
> > https://lists.fedoraproject.org/pipermail/devel/2014-March/196913.html
> > 
> >   The above discussion is only about a proposal; no change was made.  But I highly doubt
> > any serious work on tcpwrappers will happen.
> 
> Well, we *did* drop tcpwrap support from systemd. It's not just OpenSSH
> that is dropping it...
> 
> tcpwrap should really be removed. Having such crap, unmaintained code
> responsible for security checks is completely backwards.
>

Then again there is no better option available atm which provides the *same* features as tcpwrapper, mostly:

1) Centralized configuration, same syntax and configfile for all the services using tcpwrapper (which is most services).
2) DNS-based checks (yes, there are valid use-cases for reverse-DNS checks as well).
3) Execute custom "ACL"-scripts for any service, integrate with DNS RBLs, or lookup other IP databases.


If there was a better option than tcpwrapper I'd be happy to use it.


> Lennart
> 
> -- 
> Lennart Poettering, Red Hat
> -- 


-- Pasi
