Ken Moffat wrote:
> On Fri, Aug 24, 2012 at 11:12:02PM -0500, Bruce Dubbs wrote:
>> [email protected] wrote:
>>> Author: krejzi
>>> Date: 2012-08-01 06:04:22 -0600 (Wed, 01 Aug 2012)
>>> New Revision: 10486
>>>
>>> Added:
>>> trunk/BOOK/archive/tcpwrappers.xml
>>> Removed:
>>> trunk/BOOK/postlfs/security/tcpwrappers.xml
>>
>> Armin,
>>
>> I just noticed this.
>>
>> Why did you remove tcpwrappers? I recall saying I don't like it or use
>> it, but some other programs do use it. It's mentioned in sendmail,
>> nfs-utils, vsftpd, and exim as well as xinetd which I'm restoring.
>>
>> I think it's a legitimate optional dependency. It builds OK in 7.2.
> There was general agreement that it should go. I didn't like the
> decision, but there was general agreement that if arch can drop it,
> so can we. I've moved to iptables (_fun_ : that reminds me, I
> must remember to fix my iptables scripts re multicast spamming the
> logs) - I didn't think tcp_wrappers were a big overhead, but I have
> to agree that they aren't the only way of providing that control.

I guess the point is what users may expect. I think that applications
that can use tcpwrappers should mention it, but I suppose it could be as
an external reference with a "(deprecated)" flag.

> Relatedly : for iptables, why isn't it a regular script in init.d ?

That's the way I've always done it. When I added the section on setting
up a firewall, I just used what I'd always done. There's the script
/etc/init.d/iptables, but the script rc.iptables is, in a way,
configuration. It doesn't really fit in either /etc/init.d or
/etc/sysconfig. Other distros make what is rc.iptables into a
configuration file by just removing the 'iptables' executable. I don't
like that as it's an unneeded level of indirection.

> And is there any interest in _different_ variants ? e.g. on this
> (7.2 :) desktop I've got rules for ssh (if I started it), tcp and
> udp if established or related, loopback, dns, ntp, icmp if related -
> and I should also permit multicast.

What you should have is a different discussion. I've never been able to
get streaming radio to work over the internet and it may be because IP
ports above 225 get blocked.

  -- Bruce
-- 
http://linuxfromscratch.org/mailman/listinfo/blfs-dev
FAQ: http://www.linuxfromscratch.org/blfs/faq.html
Unsubscribe: See the above information page
