[arch-dev-public] tcp_wrappers- does anyone actually use it?
Guys,
For the umpteenth time today I stared at ssh wondering why it wasn't accepting incoming connections until I remembered about tcp_wrappers junk, and put the standard "sshd : ALL : allow" line in hosts.allow.
Does anyone use this for anything useful at all?
1. The package is now at version 7.6-12 (clearly it is getting a lot of upstream attention)
2. We have 11 patches applied to the package
3. It is inferior to iptables-based filtering
4. It is not very transparent
Discussion welcome, but I am raising a vote to remove this dependency from packages currently using it (hopefully this is possible for all 21 of them, http://www.archlinux.org/packages/core/x86_64/tcp_wrappers/) and eventually remove it from core and the repositories.
-Dan
On 9 September 2010 19:39, Dan McGee <dpmcgee@gmail.com> wrote:
Guys,
For the umpteenth time today I stared at ssh wondering why it wasn't accepting incoming connections until I remembered about tcp_wrappers junk, and put the standard "sshd : ALL : allow" line in hosts.allow.
Does anyone use this for anything useful at all?
1. The package is now at version 7.6-12 (clearly it is getting a lot of upstream attention)
2. We have 11 patches applied to the package
3. It is inferior to iptables-based filtering
4. It is not very transparent
Discussion welcome, but I am raising a vote to remove this dependency from packages currently using it (hopefully this is possible for all 21 of them, http://www.archlinux.org/packages/core/x86_64/tcp_wrappers/) and eventually remove it from core and the repositories.
-Dan
Well, I must say it gave me headaches several times especially when trying to figure out how to get openldap (and sshd) to work!
4. It is not very transparent
+1
FYI it looks like we use the "ipv4 only" version whereas there is the ipv6-enabled one:
ftp://ftp.porcupine.org/pub/security/index.html
ftp://ftp.porcupine.org/pub/security/tcp_wrappers_7.6.tar.gz
ftp://ftp.porcupine.org/pub/security/tcp_wrappers_7.6-ipv6.4.tar.gz
So we are not even "up to date" nor ipv6-compatible!
Adding your other comments, I would vote for a removal of the dependencies. Maybe we can still keep the package in our repos in case someone explicitly wants to use it (in that case we could provide the ipv6 version too).
-- Guillaume
On Fri, Sep 10, 2010 at 2:12 AM, Guillaume ALAUX <guillaume@archlinux.org> wrote:
Well, I must say it gave me headaches several times especially when trying to figure out how to get openldap (and sshd) to work!
4. It is not very transparent
+1
FYI it looks like we use the "ipv4 only" version whereas there is the ipv6-enabled : ftp://ftp.porcupine.org/pub/security/index.html ftp://ftp.porcupine.org/pub/security/tcp_wrappers_7.6.tar.gz ftp://ftp.porcupine.org/pub/security/tcp_wrappers_7.6-ipv6.4.tar.gz
So we are not even "up to date" nor ipv6-compatible!
Adding your other comments, I would vote for a removal of the dependencies. Maybe we can still keep the package in our repos in case someone explicitly wants to use it (in that case we could provide the ipv6 version too).
The last update added the ipv6 patch, so you might want to check your words.
Keeping the package in the repos does no good; it is a shared library that is most often linked in at compile-time so it needs to be present if compiled in, and if not, it won't even be looked at.
-Dan
On 10 September 2010 14:38, Dan McGee <dpmcgee@gmail.com> wrote:
The last update added the ipv6 patch, so you might want to check your words.
Right! My bad.
-- Guillaume
Got very little feedback on this last time...any votes? Saw another thread[1] in the forums today about it causing problems with mpd this time around...
-Dan
[1] https://bbs.archlinux.org/viewtopic.php?id=109962
On Fri, Sep 10, 2010 at 7:38 AM, Dan McGee <dpmcgee@gmail.com> wrote:
On 13/12/10 11:04, Dan McGee wrote:
Got very little feedback on this last time...any votes? Saw another thread[1] in the forums today about it causing problems with mpd this time around...
Never particularly used it... and if iptables is the better solution then I am happy for it to be removed if all our packages build without it.
Packages that link to libwrap.so.0:
dante esound exim gdm inetutils libmysqlclient libpulse mailutils mysql net-snmp nfs-utils openldap openssh pulseaudio quota-tools socat stunnel syslog-ng tcp_wrappers tftp-hpa vsftpd xinetd
Allan
[2010-12-12 19:04:07 -0600] Dan McGee:
Got very little feedback on this last time...any votes?
I'm personally happy to get rid of it. Since nobody said otherwise last time you brought that up, I assume everybody using tcp_wrappers now will gladly switch to iptables.
-- Gaetan
Am 13.12.2010 03:04, schrieb Allan McRae:
On 13/12/10 11:04, Dan McGee wrote:
Got very little feedback on this last time...any votes? Saw another thread[1] in the forums today about it causing problems with mpd this time around...
Never particularly used it... and if iptables is the better solution then I am happy for it to be removed if all our packages build without it.
I don't know about better: tcp_wrappers is an application-level solution, iptables on the other hand is a transport-level solution. I always tell myself that they solve different problems, but that isn't entirely true - both can be used to restrict or allow access to a particular service.
Packages that link to libwrap.so.0:
dante esound exim gdm inetutils libmysqlclient libpulse mailutils mysql net-snmp nfs-utils openldap openssh pulseaudio quota-tools socat stunnel syslog-ng tcp_wrappers tftp-hpa vsftpd xinetd
And that is the problem: not all applications use tcp_wrappers (for instance, I don't see apache up there - it has its own built-in application-level configuration for access restriction). It seems inconsistent to have to mess with hosts.{allow,deny} for some applications and not for others. The question is, can all these applications be built without tcp_wrappers support?
[2010-12-13 10:41:23 +0100] Thomas Bächler:
It seems inconsistent to have to mess with hosts.{allow,deny} for some applications and not for others. The question is, can all these applications be built without tcp_wrappers support?
There are also network applications that don't support it at all. Shouldn't we just try and get rid of tcp_wrappers in as many packages as we can, knowing that it might remain as a dependency for two or three?
-- Gaetan
On 12 December 2010 20:04:07, Dan McGee wrote:
Got very little feedback on this last time...any votes? Saw another thread[1] in the forums today about it causing problems with mpd this time around...
-Dan
[1] https://bbs.archlinux.org/viewtopic.php?id=109962
I think they are different tools for different purposes. I do not see tcp wrappers as a cheap firewall.
One of the main purposes of using tcp wrappers is to provide useful log information by default, out of the box. In addition to access control and logging, TCP Wrappers can execute commands to interact with the client before denying or releasing control of the connection to the requested network service. It can also return messages to connections (sending text back to the connection originator). I am not sure iptables can do this easily.
As for the access control feature, I like the concept of having redundant systems in case something fails or gets exploited. That way you are not having your entire system's security hinging on a single point of failure.
Are there any other distributions that do not use tcp wrappers at all?
Stéphane
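To make the hosts.{allow,deny} behaviour the thread keeps tripping over concrete, here is a small Python model of the hosts_access(5) lookup order (hosts.allow first, then hosts.deny, then default allow). It is an added example, not code from the thread or from tcp_wrappers itself; the rule files and client addresses are constructed, "slapd" is assumed as openldap's daemon name, and hostname patterns and EXCEPT are not modelled.

```python
"""Simplified model of tcp_wrappers' hosts_access(5) lookup order.
Added example, not tcp_wrappers code. Only IP client patterns are modelled
(ALL, exact address, trailing-dot prefix, net/mask); hostnames and EXCEPT are not."""
import ipaddress


def parse_rules(text):
    """Parse 'daemon_list : client_list [: option ...]' lines, skipping comments."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = [f.strip() for f in line.split(":")]
        options = [f.lower() for f in fields[2:]]      # hosts_options(5) keywords
        rules.append((fields[0].split(), fields[1].split(), options))
    return rules


def client_matches(pattern, client_ip):
    """Match one client pattern against a client IP given as a string."""
    if pattern == "ALL":
        return True
    if pattern.endswith("."):                          # leading prefix, e.g. "10.0."
        return client_ip.startswith(pattern)
    if "/" in pattern:                                 # net/mask or CIDR form
        return ipaddress.ip_address(client_ip) in ipaddress.ip_network(pattern, strict=False)
    return pattern == client_ip


def first_match(rules, daemon, client_ip):
    for daemons, clients, options in rules:
        if ("ALL" in daemons or daemon in daemons) and any(
                client_matches(p, client_ip) for p in clients):
            return daemons, clients, options
    return None


def hosts_access(daemon, client_ip, hosts_allow, hosts_deny):
    """Return (granted, reason): hosts.allow first, then hosts.deny, else allow."""
    rule = first_match(parse_rules(hosts_allow), daemon, client_ip)
    if rule:                                           # an explicit 'deny' option overrides
        return "deny" not in rule[2], f"matched hosts.allow rule {rule}"
    rule = first_match(parse_rules(hosts_deny), daemon, client_ip)
    if rule:
        return "allow" in rule[2], f"matched hosts.deny rule {rule}"
    return True, "no rule matched: tcp_wrappers allows by default"


# Constructed files: a common 'ALL : ALL' default-deny and Dan's sshd line.
HOSTS_DENY = "ALL : ALL\n"
HOSTS_ALLOW = "sshd : ALL : allow\n"
```

With HOSTS_DENY alone every wrapped daemon is refused with nothing in the service's own configuration to show why; adding Dan's line reopens sshd but leaves slapd (openldap) blocked, which is the "not very transparent" experience described in the thread.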
participants (6)
- Allan McRae
- Dan McGee
- Gaetan Bisson
- Guillaume ALAUX
- Stéphane Gaudreault
- Thomas Bächler