As a follow-up to the discussion here, libwrap replaces the old NUT ACL
functionality in the upcoming nut-2.4.0 release. This provides
application-level connection filtering using a fairly well-known ACL
syntax.
--
[SRU] ACL covering all IPv4 addresses is broken in 2.2.1
On Wed, Aug 27, 2008 at 12:37:20AM -, Charles Lepple wrote:
Well, most sysadmins that I know, including the sysadmin that is me :),
prefer security in depth and don't want an either-or choice between
application-level and system-level ACLs.
Understood, but at the very least,
Hi there,
2008/8/27 Charles Lepple:
On Aug 26, 2008, at 8:11 PM, Steve Langasek wrote:
...
This is starting to stray from the original issue in this bug
regarding 2.2.1. I don't want to misrepresent the intentions of the
rest of the NUT team - do you mind if I quote this message and some
Hi Charles,
Well, most sysadmins that I know, including the sysadmin that is me :),
prefer security in depth and don't want an either-or choice between
application-level and system-level ACLs.
Note also that newer versions of NUT are dropping ACLs in favor of
binding to interfaces (with a
On Aug 26, 2008, at 8:11 PM, Steve Langasek wrote:
Hi Charles,
Well, most sysadmins that I know, including the sysadmin that is me :),
prefer security in depth and don't want an either-or choice between
application-level and system-level ACLs.
Understood, but at the very least,
On Fri, Aug 22, 2008 at 6:26 PM, Steve Langasek wrote:
So since denying appears to be the default, it seems that the only case
broken by this is giving all IP addresses access to nut. Is this ever
really a good idea? Or have I overlooked some other reason that this
makes sense?
Steve,
Hi Chuck,
I have doubts whether this particular bug warrants an update. My
understanding from reading the patch is that the reason the acl fails to
work as intended is not because the sense of the acl is inverted, but
because the acl matches no addresses instead of all addresses.
So since