Re: [arch-dev-public] tcp_wrappers- does anyone actually use it?

2010-12-13 Thread Gaetan Bisson
[2010-12-12 19:04:07 -0600] Dan McGee:
 Got very little feedback on this last time...any votes?

I'm personally happy to get rid of it.

Since nobody said otherwise last time you brought that up, I assume
everybody using tcp_wrappers now will gladly switch to iptables.

-- 
Gaetan


Re: [arch-dev-public] tcp_wrappers- does anyone actually use it?

2010-12-13 Thread Thomas Bächler
On 13.12.2010 03:04, Allan McRae wrote:
 On 13/12/10 11:04, Dan McGee wrote:
 Got very little feedback on this last time...any votes? Saw another
 thread[1] in the forums today about it causing problems with mpd this
 time around...

 
 Never particularly used it...  and if iptables is the better solution
 then I am happy for it to be removed if all our packages build without it.

I don't know about better: tcp_wrappers is an application-level
solution, iptables on the other hand is a transport-level solution. I
always tell myself that they solve different problems, but that isn't
entirely true - both can be used to restrict or allow access to a
particular service.

 Packages that link to libwrap.so.0:
 
 dante
 esound
 exim
 gdm
 inetutils
 libmysqlclient
 libpulse
 mailutils
 mysql
 net-snmp
 nfs-utils
 openldap
 openssh
 pulseaudio
 quota-tools
 socat
 stunnel
 syslog-ng
 tcp_wrappers
 tftp-hpa
 vsftpd
 xinetd

And that is the problem: Not all applications use tcp_wrappers (for
instance, I don't see apache up there - it has its own built-in
application-level configuration for access restriction).

It seems inconsistent to have to mess with hosts.{allow,deny} for some
applications and not for others. The question is, can all these
applications be built without tcp_wrappers support?





Re: [arch-dev-public] tcp_wrappers- does anyone actually use it?

2010-12-13 Thread Gaetan Bisson
[2010-12-13 10:41:23 +0100] Thomas Bächler:
 It seems inconsistent to have to mess with hosts.{allow,deny} for some
 applications and not for others. The question is, can all these
 applications be built without tcp_wrappers support?

There are also network applications that don't support it at all.
Shouldn't we just try and get rid of tcp_wrappers in as many packages as
we can, knowing that it might remain as a dependency for two or three?

-- 
Gaetan




Re: [arch-dev-public] tcp_wrappers- does anyone actually use it?

2010-12-13 Thread Stéphane Gaudreault
On 12 December 2010 20:04:07, Dan McGee wrote:
 Got very little feedback on this last time...any votes? Saw another
 thread[1] in the forums today about it causing problems with mpd this
 time around...
 
 -Dan
 
 [1] https://bbs.archlinux.org/viewtopic.php?id=109962
 
 On Fri, Sep 10, 2010 at 7:38 AM, Dan McGee dpmc...@gmail.com wrote:
  On Fri, Sep 10, 2010 at 2:12 AM, Guillaume ALAUX
  
  guilla...@archlinux.org wrote:
  On 9 September 2010 19:39, Dan McGee dpmc...@gmail.com wrote:
  Guys,
  
  For the umpteenth time today I stared at ssh wondering why it wasn't
  accepting incoming connections until I remembered about tcp_wrappers
  junk, and put the standard sshd : ALL : allow line in hosts.allow.
  
  Does anyone use this for anything useful at all?
  
  1. The package is now at version 7.6-12 (clearly it is getting a lot
  of upstream attention)
  2. We have 11 patches applied to the package
  3. It is inferior to iptables-based filtering
  4. It is not very transparent
  
  Discussion welcome, but I am raising a vote to remove this dependency
  from packages currently using it (hopefully this is possible for all
  21 of them,
  http://www.archlinux.org/packages/core/x86_64/tcp_wrappers/) and
  eventually remove it from core and the repositories.
  
  -Dan
  
  Well, I must say it gave me headaches several times especially when
  trying to figure out how to get openldap (and sshd) to work!
  
  4. It is not very transparent
  
  +1
  
  FYI it looks like we use the ipv4-only version whereas there is the
  ipv6-enabled one:
  ftp://ftp.porcupine.org/pub/security/index.html
  ftp://ftp.porcupine.org/pub/security/tcp_wrappers_7.6.tar.gz
  ftp://ftp.porcupine.org/pub/security/tcp_wrappers_7.6-ipv6.4.tar.gz
  
  So we are not even up to date nor ipv6-compatible!
  
  Adding your other comments, I would vote for a removal of the
  dependencies. Maybe we can still keep the package in our repos in case
  someone explicitly wants to use it (in that case we could provide the
  ipv6 version too).
  
  The last update added the ipv6 patch, so you might want to check your
  words.
  
  Keeping the package in the repos does no good; it is a shared library
  that is most often linked in at compile-time so it needs to be present
  if compiled in, and if not, it won't even be looked at.
  
  -Dan

I think they are different tools for different purposes. I do not see tcp
wrapper as a cheap firewall.

One of the main purposes of using tcp wrappers is to provide useful log
information by default, out of the box.

In addition to access control and logging, TCP Wrappers can execute commands
to interact with the client before denying or releasing control of the
connection to the requested network service. It can also return messages to
connections (sending text back to the connection originator). I am not sure
iptables can do this easily.

As for the access control feature, I like the concept of having redundant
systems in case something fails or gets exploited. That way you are not having
your entire system's security hinging on a single point of failure.

Are there any other distributions that do not use tcp wrappers at all ?

Stéphane


Re: [arch-dev-public] tcp_wrappers- does anyone actually use it?

2010-12-12 Thread Dan McGee
Got very little feedback on this last time...any votes? Saw another
thread[1] in the forums today about it causing problems with mpd this
time around...

-Dan

[1] https://bbs.archlinux.org/viewtopic.php?id=109962

On Fri, Sep 10, 2010 at 7:38 AM, Dan McGee dpmc...@gmail.com wrote:
 On Fri, Sep 10, 2010 at 2:12 AM, Guillaume ALAUX
 guilla...@archlinux.org wrote:
 On 9 September 2010 19:39, Dan McGee dpmc...@gmail.com wrote:
 Guys,

 For the umpteenth time today I stared at ssh wondering why it wasn't
 accepting incoming connections until I remembered about tcp_wrappers
 junk, and put the standard sshd : ALL : allow line in hosts.allow.

 Does anyone use this for anything useful at all?

 1. The package is now at version 7.6-12 (clearly it is getting a lot
 of upstream attention)
 2. We have 11 patches applied to the package
 3. It is inferior to iptables-based filtering
 4. It is not very transparent

 Discussion welcome, but I am raising a vote to remove this dependency
 from packages currently using it (hopefully this is possible for all
 21 of them, http://www.archlinux.org/packages/core/x86_64/tcp_wrappers/)
 and eventually remove it from core and the repositories.

 -Dan

 Well, I must say it gave me headaches several times especially when
 trying to figure out how to get openldap (and sshd) to work!
 4. It is not very transparent
 +1

 FYI it looks like we use the ipv4-only version whereas there is the
 ipv6-enabled one:
 ftp://ftp.porcupine.org/pub/security/index.html
 ftp://ftp.porcupine.org/pub/security/tcp_wrappers_7.6.tar.gz
 ftp://ftp.porcupine.org/pub/security/tcp_wrappers_7.6-ipv6.4.tar.gz

 So we are not even up to date nor ipv6-compatible!

 Adding your other comments, I would vote for a removal of the
 dependencies. Maybe we can still keep the package in our repos in case
 someone explicitly wants to use it (in that case we could provide the
 ipv6 version too).

 The last update added the ipv6 patch, so you might want to check your words.

 Keeping the package in the repos does no good; it is a shared library
 that is most often linked in at compile-time so it needs to be present
 if compiled in, and if not, it won't even be looked at.

 -Dan



Re: [arch-dev-public] tcp_wrappers- does anyone actually use it?

2010-12-12 Thread Allan McRae

On 13/12/10 11:04, Dan McGee wrote:

Got very little feedback on this last time...any votes? Saw another
thread[1] in the forums today about it causing problems with mpd this
time around...



Never particularly used it...  and if iptables is the better solution 
then I am happy for it to be removed if all our packages build without it.



Packages that link to libwrap.so.0:

dante
esound
exim
gdm
inetutils
libmysqlclient
libpulse
mailutils
mysql
net-snmp
nfs-utils
openldap
openssh
pulseaudio
quota-tools
socat
stunnel
syslog-ng
tcp_wrappers
tftp-hpa
vsftpd
xinetd


Allan


Re: [arch-dev-public] tcp_wrappers- does anyone actually use it?

2010-09-10 Thread Guillaume ALAUX
On 9 September 2010 19:39, Dan McGee dpmc...@gmail.com wrote:
 Guys,

 For the umpteenth time today I stared at ssh wondering why it wasn't
 accepting incoming connections until I remembered about tcp_wrappers
 junk, and put the standard sshd : ALL : allow line in hosts.allow.

 Does anyone use this for anything useful at all?

 1. The package is now at version 7.6-12 (clearly it is getting a lot
 of upstream attention)
 2. We have 11 patches applied to the package
 3. It is inferior to iptables-based filtering
 4. It is not very transparent

 Discussion welcome, but I am raising a vote to remove this dependency
 from packages currently using it (hopefully this is possible for all
 21 of them, http://www.archlinux.org/packages/core/x86_64/tcp_wrappers/)
 and eventually remove it from core and the repositories.

 -Dan

Well, I must say it gave me headaches several times especially when
trying to figure out how to get openldap (and sshd) to work!
 4. It is not very transparent
+1

FYI it looks like we use the ipv4-only version whereas there is the
ipv6-enabled one:
ftp://ftp.porcupine.org/pub/security/index.html
ftp://ftp.porcupine.org/pub/security/tcp_wrappers_7.6.tar.gz
ftp://ftp.porcupine.org/pub/security/tcp_wrappers_7.6-ipv6.4.tar.gz

So we are not even up to date nor ipv6-compatible!

Adding your other comments, I would vote for a removal of the
dependencies. Maybe we can still keep the package in our repos in case
someone explicitly wants to use it (in that case we could provide the
ipv6 version too).

--
Guillaume


Re: [arch-dev-public] tcp_wrappers- does anyone actually use it?

2010-09-10 Thread Dan McGee
On Fri, Sep 10, 2010 at 2:12 AM, Guillaume ALAUX
guilla...@archlinux.org wrote:
 On 9 September 2010 19:39, Dan McGee dpmc...@gmail.com wrote:
 Guys,

 For the umpteenth time today I stared at ssh wondering why it wasn't
 accepting incoming connections until I remembered about tcp_wrappers
 junk, and put the standard sshd : ALL : allow line in hosts.allow.

 Does anyone use this for anything useful at all?

 1. The package is now at version 7.6-12 (clearly it is getting a lot
 of upstream attention)
 2. We have 11 patches applied to the package
 3. It is inferior to iptables-based filtering
 4. It is not very transparent

 Discussion welcome, but I am raising a vote to remove this dependency
 from packages currently using it (hopefully this is possible for all
 21 of them, http://www.archlinux.org/packages/core/x86_64/tcp_wrappers/)
 and eventually remove it from core and the repositories.

 -Dan

 Well, I must say it gave me headaches several times especially when
 trying to figure out how to get openldap (and sshd) to work!
 4. It is not very transparent
 +1

 FYI it looks like we use the ipv4-only version whereas there is the
 ipv6-enabled one:
 ftp://ftp.porcupine.org/pub/security/index.html
 ftp://ftp.porcupine.org/pub/security/tcp_wrappers_7.6.tar.gz
 ftp://ftp.porcupine.org/pub/security/tcp_wrappers_7.6-ipv6.4.tar.gz

 So we are not even up to date nor ipv6-compatible!

 Adding your other comments, I would vote for a removal of the
 dependencies. Maybe we can still keep the package in our repos in case
 someone explicitly wants to use it (in that case we could provide the
 ipv6 version too).

The last update added the ipv6 patch, so you might want to check your words.

Keeping the package in the repos does no good; it is a shared library
that is most often linked in at compile-time so it needs to be present
if compiled in, and if not, it won't even be looked at.

-Dan


Re: [arch-dev-public] tcp_wrappers- does anyone actually use it?

2010-09-10 Thread Guillaume ALAUX
On 10 September 2010 14:38, Dan McGee dpmc...@gmail.com wrote:
 On Fri, Sep 10, 2010 at 2:12 AM, Guillaume ALAUX
 guilla...@archlinux.org wrote:
 On 9 September 2010 19:39, Dan McGee dpmc...@gmail.com wrote:
 Guys,

 For the umpteenth time today I stared at ssh wondering why it wasn't
 accepting incoming connections until I remembered about tcp_wrappers
 junk, and put the standard sshd : ALL : allow line in hosts.allow.

 Does anyone use this for anything useful at all?

 1. The package is now at version 7.6-12 (clearly it is getting a lot
 of upstream attention)
 2. We have 11 patches applied to the package
 3. It is inferior to iptables-based filtering
 4. It is not very transparent

 Discussion welcome, but I am raising a vote to remove this dependency
 from packages currently using it (hopefully this is possible for all
 21 of them, http://www.archlinux.org/packages/core/x86_64/tcp_wrappers/)
 and eventually remove it from core and the repositories.

 -Dan

 Well, I must say it gave me headaches several times especially when
 trying to figure out how to get openldap (and sshd) to work!
 4. It is not very transparent
 +1

 FYI it looks like we use the ipv4-only version whereas there is the
 ipv6-enabled one:
 ftp://ftp.porcupine.org/pub/security/index.html
 ftp://ftp.porcupine.org/pub/security/tcp_wrappers_7.6.tar.gz
 ftp://ftp.porcupine.org/pub/security/tcp_wrappers_7.6-ipv6.4.tar.gz

 So we are not even up to date nor ipv6-compatible!

 Adding your other comments, I would vote for a removal of the
 dependencies. Maybe we can still keep the package in our repos in case
 someone explicitly wants to use it (in that case we could provide the
 ipv6 version too).

 The last update added the ipv6 patch, so you might want to check your words.

 Keeping the package in the repos does no good; it is a shared library
 that is most often linked in at compile-time so it needs to be present
 if compiled in, and if not, it won't even be looked at.

 -Dan


 The last update added the ipv6 patch, so you might want to check your words.
Right! My bad.

--
Guillaume


[arch-dev-public] tcp_wrappers- does anyone actually use it?

2010-09-09 Thread Dan McGee
Guys,

For the umpteenth time today I stared at ssh wondering why it wasn't
accepting incoming connections until I remembered about tcp_wrappers
junk, and put the standard sshd : ALL : allow line in hosts.allow.

Does anyone use this for anything useful at all?

1. The package is now at version 7.6-12 (clearly it is getting a lot
of upstream attention)
2. We have 11 patches applied to the package
3. It is inferior to iptables-based filtering
4. It is not very transparent

Discussion welcome, but I am raising a vote to remove this dependency
from packages currently using it (hopefully this is possible for all
21 of them, http://www.archlinux.org/packages/core/x86_64/tcp_wrappers/)
and eventually remove it from core and the repositories.

-Dan
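The thread turns on two things: the "sshd : ALL : allow" line Dan had to add to hosts.allow, and Stéphane's point that tcp_wrappers can log, run commands and talk back to the client before handing the connection to the service. As an added example (not code from this thread, from Arch Linux, or from the tcp_wrappers project itself), the Python below models the decision order documented in hosts_access(5): first match in hosts.allow grants, otherwise first match in hosts.deny refuses, otherwise access is granted, with an explicit "allow"/"deny" option overriding the file's default. It covers the ALL, LOCAL, KNOWN/UNKNOWN, domain-suffix, address-prefix, net/mask and EXCEPT patterns for IPv4 clients; the policy text, daemon names and addresses are constructed for the example, and spawn/twist options are reported rather than executed.

```python
"""Offline model of tcp_wrappers hosts.allow / hosts.deny decisions.

Added example: a simplified re-implementation of the decision order in
hosts_access(5), not the libwrap code. Decision order:
  1. the first matching entry in hosts.allow grants access,
  2. otherwise the first matching entry in hosts.deny denies it,
  3. otherwise access is granted.
An 'allow' or 'deny' option in the third field overrides the file's default;
'spawn' and 'twist' options are returned as actions, never executed here.
"""
import ipaddress


def parse_rules(text):
    """Parse access-control text into (daemon_list, client_list, options) tuples.

    Handles leading-'#' comment lines, blank lines and backslash continuation.
    Fields are split on ':' as hosts_access(5) does, so a spawn/twist command
    containing a literal ':' is not supported by this simplified parser.
    """
    rules, pending = [], ""
    for raw in text.splitlines():
        if raw.lstrip().startswith("#"):
            continue
        line = raw.rstrip()
        if line.endswith("\\"):
            pending += line[:-1] + " "
            continue
        line = (pending + line).strip()
        pending = ""
        if not line:
            continue
        fields = [f.strip() for f in line.split(":")]
        if len(fields) < 2:
            raise ValueError(f"malformed access-control line: {raw!r}")
        rules.append((fields[0], fields[1], fields[2:]))
    return rules


def _daemon_matches(token, daemon):
    """Daemon-list token: ALL or an exact daemon (argv[0]) name."""
    return token == "ALL" or token == daemon


def _client_matches(token, addr, host):
    """Client-list token per hosts_access(5) pattern rules (IPv4 subset).

    addr is the client address as a string; host is its resolved name or
    None when reverse lookup failed (that is what KNOWN/UNKNOWN test).
    """
    if token == "ALL":
        return True
    if token == "LOCAL":            # a host name without a dot
        return host is not None and "." not in host
    if token == "KNOWN":
        return host is not None
    if token == "UNKNOWN":
        return host is None
    if token.startswith("."):       # domain suffix, e.g. .example.org
        return host is not None and host.lower().endswith(token.lower())
    if token.endswith("."):         # address prefix, e.g. 192.168.
        return addr.startswith(token)
    if "/" in token:                # net/mask, dotted mask or CIDR
        try:
            return ipaddress.ip_address(addr) in ipaddress.ip_network(token, strict=False)
        except ValueError:
            return False
    return token == addr or (host is not None and token.lower() == host.lower())


def _list_matches(pattern, token_matches):
    """Match a blank/comma separated list; 'a EXCEPT b EXCEPT c' is a EXCEPT (b EXCEPT c)."""
    tokens = pattern.replace(",", " ").split()
    if "EXCEPT" in tokens:
        i = tokens.index("EXCEPT")
        return (any(token_matches(t) for t in tokens[:i])
                and not _list_matches(" ".join(tokens[i + 1:]), token_matches))
    return any(token_matches(t) for t in tokens)


def check_access(daemon, addr, host, allow_text, deny_text):
    """Return (granted, actions, matched) for one incoming connection.

    actions lists the spawn/twist commands the deciding rule would run;
    matched names the file and rule that decided, or None if nothing matched.
    """
    files = (("hosts.allow", allow_text, True), ("hosts.deny", deny_text, False))
    for name, text, default in files:
        for daemons, clients, options in parse_rules(text):
            if not (_list_matches(daemons, lambda t: _daemon_matches(t, daemon))
                    and _list_matches(clients, lambda t: _client_matches(t, addr, host))):
                continue
            granted, actions = default, []
            for opt in options:
                keyword = opt.split(None, 1)[0].lower() if opt else ""
                if keyword == "allow":
                    granted = True
                elif keyword == "deny":
                    granted = False
                elif keyword in ("spawn", "twist"):
                    actions.append(opt)
            return granted, actions, f"{name}: {daemons} : {clients}"
    return True, [], None


# Constructed sample policy (not taken from any real host). The sshd line is the
# one quoted in the thread; the others exercise net/mask, EXCEPT, LOCAL and spawn.
SAMPLE_ALLOW = """\
sshd   : ALL : allow
vsftpd : 192.168.1.0/255.255.255.0 EXCEPT 192.168.1.13
ALL    : LOCAL, .example.org : spawn /usr/bin/logger -t wrappers "%d from %c"
"""
SAMPLE_DENY = "ALL : ALL\n"
EMPTY_ALLOW = ""   # deny-all with no sshd entry: the silent lock-out described in the thread

if __name__ == "__main__":
    for daemon, addr, host, allow in [
        ("sshd", "203.0.113.7", None, SAMPLE_ALLOW),
        ("sshd", "203.0.113.7", None, EMPTY_ALLOW),
        ("vsftpd", "192.168.1.20", None, SAMPLE_ALLOW),
        ("vsftpd", "192.168.1.13", None, SAMPLE_ALLOW),
        ("exim", "10.0.0.5", "mailhost", SAMPLE_ALLOW),
    ]:
        granted, actions, matched = check_access(daemon, addr, host, allow, SAMPLE_DENY)
        print(f"{daemon:7}{addr:14}{host or '-':10} -> "
              f"{'ALLOW' if granted else 'DENY'} via {matched} {actions}")
```

The EMPTY_ALLOW case is the failure Dan describes: with "ALL : ALL" in hosts.deny and no sshd entry in hosts.allow, sshd still accepts the TCP connection, consults libwrap, and then closes it, so from outside it looks like the daemon is broken rather than filtered. A transport-level rule in iptables would instead refuse the handshake before the daemon ever sees the connection, which is the distinction Thomas draws; the spawn action on the LOCAL rule shows the per-connection logging hook Stéphane is referring to, which iptables does not offer in the same form.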