On 28/11/2017 at 22:41, Ingo Wichmann wrote:
> Hi there,
>
> I wonder if anyone is using TCP wrappers any more?

I do, too.

> Wouldn't you use iptables instead today?

I think iptables is overkill for most situations (that is, every time you're not on the Internet with a public IP) and too complex for LPIC-1. iptables best fits LPIC-303 (security) stuff.

> I know there are use cases
> where TCP wrapper would fit better. But aren't they rare?

TCP wrapper is an air-bag. iptables is a jettisonable seat with a parachute, hydraulic steering devices and landing thrusters. Most people are best served by the first, which is far easier to master and comprehend compared to iptables.

TCP wrapper then is process-specific, iptables is packet-centric, they are not intended to cover the same use cases. Say you change in.ftpd service port to some non-standard one in its configuration file.

    in.ftpd: 192.168.0.0/255.255.0.0 EXCEPT 192.168.1.0/255.255.255.0

in /etc/hosts.allow is still going to work,

    iptables -I INPUT -i eth0 -p tcp --dport ftp -m conntrack --ctstate NEW -j REJECT

no longer will.

> A lot of services still come with TCP wrappers enabled by default. But
> does that mean they are commonly in use today? I doubt it.

I think most people do not use it because they are unaware it is there. Others do not use it because they believe it's old and useless stuff because they hear many say so.

> "Understand the role of TCP wrappers."
> /etc/hosts.allow
> and
> /etc/hosts.deny
>
> I'd recommend to remove it.

I do not.

--
Alessandro Selli
http://alessandro.route-add.net, VOIP: sip:[email protected]
Chiave firma PGP/GPG signing key: 75D80726
Chiave crittografia PGP/GPG encrypting key: 131F93AF
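
The following is an added example, not part of the message above: a simplified evaluator for the hosts.allow rule quoted in the message, showing that the decision depends on the daemon name and client address and never on the listening port. It handles only `ALL`, net/mask patterns and `EXCEPT`; the `ALL: ALL` line in hosts.deny and all function names are assumptions made for the illustration.

```python
import ipaddress

# Constructed sample files: the hosts.allow rule is the one from the message;
# the deny-all line in hosts.deny is an assumption added for the example.
HOSTS_ALLOW = "in.ftpd: 192.168.0.0/255.255.0.0 EXCEPT 192.168.1.0/255.255.255.0"
HOSTS_DENY = "ALL: ALL"


def _in_list(tokens, value, match_one):
    """Evaluate 'a b EXCEPT c d': value matches a or b, and not c or d."""
    if "EXCEPT" in tokens:
        i = tokens.index("EXCEPT")
        return (_in_list(tokens[:i], value, match_one)
                and not _in_list(tokens[i + 1:], value, match_one))
    return any(match_one(tok, value) for tok in tokens)


def _daemon_matches(pattern, daemon):
    return pattern == "ALL" or pattern == daemon


def _client_matches(pattern, client):
    if pattern == "ALL":
        return True
    # net/mask form, e.g. 192.168.0.0/255.255.0.0 (hostnames are not handled)
    net = ipaddress.ip_network(pattern, strict=False)
    return ipaddress.ip_address(client) in net


def _file_matches(text, daemon, client):
    """True if any 'daemon_list : client_list' rule matches the request."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        daemons, clients = (p.replace(",", " ").split() for p in line.split(":")[:2])
        if (_in_list(daemons, daemon, _daemon_matches)
                and _in_list(clients, client, _client_matches)):
            return True
    return False


def access_allowed(daemon, client, listening_port=21):
    """hosts_access order: allow match grants, deny match refuses, else grant."""
    # listening_port is accepted only to show it plays no part in the decision.
    if _file_matches(HOSTS_ALLOW, daemon, client):
        return True
    return not _file_matches(HOSTS_DENY, daemon, client)
```

Because the lookup key is the process name `in.ftpd`, moving the daemon to another port leaves the outcome for every client unchanged, which is the contrast with the `--dport ftp` rule drawn in the message.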
