On 9 September 2010 19:39, Dan McGee <dpmcgee@gmail.com> wrote:
Guys,
For the umpteenth time today I stared at ssh wondering why it wasn't accepting incoming connections until I remembered about tcp_wrappers junk, and put the standard "sshd : ALL : allow" line in hosts.allow.
Does anyone use this for anything useful at all?
1. The package is now at version 7.6-12 (clearly it is getting a lot of upstream attention)
2. We have 11 patches applied to the package
3. It is inferior to iptables-based filtering
4. It is not very transparent
Discussion welcome, but I am raising a vote to remove this dependency from packages currently using it (hopefully this is possible for all 21 of them, http://www.archlinux.org/packages/core/x86_64/tcp_wrappers/) and eventually remove it from core and the repositories.
-Dan
Well, I must say it gave me headaches several times especially when trying to figure out how to get openldap (and sshd) to work!
4. It is not very transparent

+1
FYI it looks like we use the "ipv4 only" version whereas there is an ipv6-enabled one:

ftp://ftp.porcupine.org/pub/security/index.html
ftp://ftp.porcupine.org/pub/security/tcp_wrappers_7.6.tar.gz
ftp://ftp.porcupine.org/pub/security/tcp_wrappers_7.6-ipv6.4.tar.gz

So we are not even "up to date" nor ipv6-compatible!

Adding your other comments, I would vote for a removal of the dependencies. Maybe we can still keep the package in our repos in case someone explicitly wants to use it (in that case we could provide the ipv6 version too).

--
Guillaume