As a follow-up to the discussion here, libwrap replaces the old NUT ACL
functionality in the upcoming nut-2.4.0 release. This provides
application-level connection filtering using a fairly well-known ACL
syntax.
--
[SRU] ACL covering all IPv4 addresses is broken in 2.2.1
https://bugs.launchpad.ne
On Wed, Aug 27, 2008 at 12:37:20AM -, Charles Lepple wrote:
> > Well, most sysadmins that I know, including the sysadmin that is
> > me :),
> > prefer security in depth and don't want an either-or choice between
> > application-level and system-level ACLs.
> Understood, but at the very least
Hi there,
2008/8/27 Charles Lepple:
> On Aug 26, 2008, at 8:11 PM, Steve Langasek wrote:
> ...
> This is starting to stray from the original issue in this bug
> regarding 2.2.1. I don't want to misrepresent the intentions of the
> rest of the NUT team - do you mind if I quote this message and som
On Aug 26, 2008, at 8:11 PM, Steve Langasek wrote:
> Hi Charles,
>
> Well, most sysadmins that I know, including the sysadmin that is
> me :),
> prefer security in depth and don't want an either-or choice between
> application-level and system-level ACLs.
Understood, but at the very least, appl
Hi Charles,
Well, most sysadmins that I know, including the sysadmin that is me :),
prefer security in depth and don't want an either-or choice between
application-level and system-level ACLs.
> Note also that newer versions of NUT are dropping ACLs in favor of
> binding to interfaces (with a fai
On Fri, Aug 22, 2008 at 6:26 PM, Steve Langasek wrote:
> So since denying appears to be the default, it seems that the only case
> broken by this is giving all IP addresses access to nut. Is this ever
> really a good idea? Or have I overlooked some other reason that this
> makes sense?
Steve,
S
Hi Chuck,
I have doubts whether this particular bug warrants an update. My
understanding from reading the patch is that the reason the ACL fails to
work as intended is not because the sense of the ACL is inverted, but
because the ACL matches no addresses instead of all addresses.
So since denyin
Impact: NUT was shipped with a bug that causes the reverse of the intention
when using IPv4 ACLs. In this case, instead of accepting the connections,
it rejects them.
STEPS TO REPRODUCE:
1. See above.
I have attached the debdiff which fixes this issue. If you have any
questions please feel free to conta