Hello Scott,

>> It is possible to remove the dependency, but there is a reason why
>> p9100 (and a few other packages) are compiled with libwrap support. LEAF
>> is modular, so it is possible to use LEAF without shorewall as a pure
>> router or printserver (or whatever), libwrap gives some extra security
>> in the cases where iptables/shorewall isn't installed.
>>
> What you say makes sense (including what followed, about hosts.allow not
> being part of pppd.lrp) but I'll offer this counter-position.

That should be p9100.lrp I guess ;-)
> To have two places where one must permit an IP address (shorewall &
> hosts.allow) is a little obtuse, IMO.

That's true, but if you are changing network settings from their defaults there is a chance other things have to be changed too. This is not only true for /etc/network/interfaces, shorewall and hosts.allow/deny but also /etc/hosts, /etc/resolv.conf and other places. Most of the basic settings are grouped in the "Network Configuration menu" (including allow and deny settings).

> In terms of LEAF as a non-shorewall router, etc I'd propose that since
> the default LEAF distro includes shorewall that might tip the scales in
> favour of recognizing that shorewall rules are the better, *single* place
> for IP restrictions to be placed. Also, newbies (the people most likely to
> get tripped up by this double-permission requirement) are less likely to
> be able to solve this, than someone who is employing LEAF as a
> non-shorewall device, whose users are much more likely to be able to
> self-solve, recompile with libwrap support, etc.

When using the Bering-uClibc image without changing the settings of the local network nothing has to be changed in hosts.allow/deny. If a user changes the local subnet he has to change a lot of things; this is not something I would advise newbies to do. Besides, if he screws up, at least he has double protection.

> Maybe 2 pppd.lrp packages - one default for use with shorewall (no
> dependency on hosts.allow) and one standalone? (recognizing too that more
> packages = more work for the kind, volunteer maintainers).

I don't think this will improve the situation...

> This conundrum might all originate from trying to make LEAF do more
> than one thing - firewall & router vs router vs print server (doing two+
> things - and the commensurate double-permissions requirement, is maybe a
> not-unexpected outcome of trying to do more than one thing and causing
> neither task to be performed optimally).

LEAF is perfectly capable of doing multiple tasks, it's just linux. It all depends on which packages you load.

> Is there any reason that someone who wants to use LEAF as a, say, print
> server, *shouldn't* use shorewall to effect IP addy restrictions? (Saving
> space on a floppy is obvious but is there anything more substantial? And
> true, adding in a complex package like shorewall vs compiled-in libwrap
> support exposes a greater risk of code-bug that impacts security).
> Anything else? :)

Yes, there are reasons. I also use LEAF as a VOIP server (using Yate) on my DMZ, there is no need for shorewall on that box, it will make things even more complicated when adding that.

> Anyway, I'm obviously not an impartial party here but wanted to offer
> the devil's advocate position, in terms of identifying the 'cost'
> associated with the 'benefit' of this multiple-use strategy.

Very much appreciated.

> Too, things that make life tough for newbies (I'm not one, FWIW) are a
> Bad Thing, again IMO.
>
> Regardless of the final decision I thank you for your taking the time to
> reply and explain.

It's an interesting discussion, I'm also not sure what the best solution is so any argument is appreciated.

> (I also like what Hillel Seltzer said, in terms of "hosts.lpd instead of
> hosts.allow" and IMO think that would be an alternate, ideal solution since
> hosts.lpd could [TTBOMK] be safely made a part of the pppd.lrp package?!)

That's not possible, hosts.allow (and deny) are config files for the libwrap library. It has nothing to do with the p9100.lrp package itself and you can't change the filename.

> scott; canada

Eric
------------------------------------------------------------------------
leaf-user mailing list: [email protected]
https://lists.sourceforge.net/lists/listinfo/leaf-user
Support Request -- http://leaf-project.org/
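The thread turns on what hosts.allow and hosts.deny actually decide for a libwrap-linked daemon such as p9100, and why a renumbered LAN that is fixed in shorewall but not in hosts.allow leaves the print server unreachable. The following Python evaluator is an added illustration, not code from the LEAF project or from either poster: it mimics the hosts_access(5) decision order (a match in hosts.allow grants access, otherwise a match in hosts.deny refuses it, otherwise access is granted) over constructed sample files. The daemon name `p9100d`, the 192.168.1.0/24 LAN and the admin host 192.168.1.10 are assumptions for the demo; hostname patterns and the optional third rule field are not modelled.

```python
import ipaddress

# Constructed sample files for the demo (not LEAF's shipped defaults).
# The daemon name "p9100d" and the 192.168.1.0/24 LAN are assumptions.
HOSTS_ALLOW = """
# print-server daemon: local LAN only
p9100d : 192.168.1.0/255.255.255.0
# ssh: one admin host only
sshd : 192.168.1.10
"""

HOSTS_DENY = """
ALL : ALL
"""


def parse_rules(text):
    """Parse 'daemon_list : client_list' lines; comments and blanks are skipped.
    Hostname patterns and the optional third (option) field are not modelled."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = [f.strip() for f in line.split(":")]
        if len(fields) < 2 or not fields[0] or not fields[1]:
            raise ValueError("malformed rule: %r" % raw)
        daemons = fields[0].replace(",", " ").split()
        clients = fields[1].replace(",", " ").split()
        rules.append((daemons, clients))
    return rules


def _split_except(tokens):
    """'a b EXCEPT c' -> (['a', 'b'], ['c']); without EXCEPT -> (tokens, [])."""
    if "EXCEPT" in tokens:
        i = tokens.index("EXCEPT")
        return tokens[:i], tokens[i + 1:]
    return tokens, []


def _client_pattern_matches(pattern, ip):
    """One IPv4 client pattern as hosts_access(5) understands it."""
    if pattern == "ALL":
        return True
    if pattern.endswith("."):                     # "192.168.1." prefix form
        return str(ip).startswith(pattern)
    if "/" in pattern:                            # "net/mask" or "net/prefixlen"
        return ip in ipaddress.ip_network(pattern, strict=False)
    return ip == ipaddress.ip_address(pattern)    # single address


def _daemon_matches(pattern, daemon):
    return pattern == "ALL" or pattern == daemon


def _list_matches(tokens, value, matcher):
    """A list matches when some item before EXCEPT matches and none after it does."""
    include, exclude = _split_except(tokens)
    return (any(matcher(t, value) for t in include)
            and not any(matcher(t, value) for t in exclude))


def _rules_match(rules, daemon, ip):
    return any(_list_matches(d, daemon, _daemon_matches)
               and _list_matches(c, ip, _client_pattern_matches)
               for d, c in rules)


def hosts_access(daemon, client_ip, allow_text=HOSTS_ALLOW, deny_text=HOSTS_DENY):
    """Decide as libwrap does: hosts.allow match -> allow; else hosts.deny
    match -> deny; else allow (no rule at all means access is granted)."""
    ip = ipaddress.ip_address(client_ip)
    if _rules_match(parse_rules(allow_text), daemon, ip):
        return "allow"
    if _rules_match(parse_rules(deny_text), daemon, ip):
        return "deny"
    return "allow"


if __name__ == "__main__":
    checks = [
        ("p9100d", "192.168.1.20"),  # LAN printer client: allowed
        ("p9100d", "10.0.0.5"),      # LAN renumbered, hosts.allow not updated: denied
        ("sshd", "192.168.1.10"),    # admin host: allowed
        ("sshd", "192.168.1.20"),    # any other LAN host: denied
        ("ftpd", "192.168.1.20"),    # daemon with no allow rule: caught by ALL : ALL
    ]
    for daemon, ip in checks:
        print("%-7s from %-14s -> %s" % (daemon, ip, hosts_access(daemon, ip)))
    # Without the catch-all in hosts.deny the same unknown daemon is reachable.
    print("ftpd with empty hosts.deny ->",
          hosts_access("ftpd", "192.168.1.20", deny_text=""))
```

The second check is the "double permission" case from the thread: once the LAN moves to 10.0.0.0/24, the shorewall rule can be correct and the print server still refuses the connection because the libwrap rule has not been touched. The last line shows why a catch-all `ALL : ALL` in hosts.deny matters: with an empty hosts.deny, a daemon that has no allow rule is reachable from anywhere. On a real box the tcpdmatch(8) utility shipped with tcp_wrappers performs the same check against the installed files.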
