On Sat, Jul 16, 2011 at 1:42 PM, Thomas S Hatch <thatch45@gmail.com> wrote:
> In the end, I tell people that using tcp_wrappers is unnecessary and unwise, iptables is VERY powerful, and once you understand how rules are constructed and parsed it is an easy and manageable solution.
I have nothing to say against iptables and other full firewall solutions. However, for my part running a number of desktops for other people at work with only sshd as a service, tcp wrappers plus denyhosts (plus disabling password authentication for good measure) already does exactly what I want. Performance doesn't enter into this issue for us, we have so many spare CPU cycles it's comical. Everyone doesn't have the same circumstances and needs. I just would like this option to continue because I'm using it now and I find it useful and it meets my immediate needs. I also don't need my time at work diverted into a sudden project to write firewall rules that work for every desktop.
> Thanks to the Arch devs for taking this out, this was the right move and I will argue that it has made Arch more secure by not supporting outdated security constructs.
I view it as taking away my freedom to choose to run what I want in the simplest possible way. This is a major change. A large part of the reason I chose Arch is because it is straightforward to configure, hence doesn't require a lot of my time (which is properly spent running servers, not desktops) -- an easy way to get Linux on the desktop for our site which is otherwise all Windows desktops. I already know the limitations of my choice (and I use full firewalls in other situations). Surely there is a good compromise possible...
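The sshd-only tcp_wrappers setup described above depends on the hosts.allow / hosts.deny evaluation order (first match in hosts.allow grants, then first match in hosts.deny refuses, otherwise access is granted). The following is an added example, not code from this thread or from tcp_wrappers itself: a small evaluator for a subset of the access-control syntax (ALL, trailing-dot prefixes, net/mask, CIDR and exact addresses; no hostnames or EXCEPT), run against constructed sample files so an administrator can check what a rule set actually does before deploying it.

```python
import ipaddress

# Constructed sample files in tcp_wrappers syntax (hypothetical, not from the thread):
# allow sshd from the office LAN and the 10/8 network, refuse everything else.
HOSTS_ALLOW = """
# daemon_list : client_list
sshd : 192.168.10. , 10.0.0.0/255.0.0.0
"""
HOSTS_DENY = """
ALL : ALL
"""

def parse_rules(text):
    """Parse 'daemon_list : client_list [: option]' lines into (daemons, clients) tuples."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()      # strip comments and blank lines
        if not line:
            continue
        fields = [f.strip() for f in line.split(":")]
        daemons = [d.strip() for d in fields[0].split(",")]
        clients = [c.strip() for c in fields[1].split(",")]
        rules.append((daemons, clients))
    return rules

def client_matches(pattern, ip):
    """Match one client pattern against a client IP address (subset of tcp_wrappers patterns)."""
    addr = ipaddress.ip_address(ip)
    if pattern == "ALL":
        return True
    if pattern.endswith("."):                     # leading-octet prefix, e.g. 192.168.10.
        return ip.startswith(pattern)
    if "/" in pattern:                            # net/mask (10.0.0.0/255.0.0.0) or CIDR (10.0.0.0/8)
        return addr in ipaddress.ip_network(pattern, strict=False)
    return ip == pattern                          # exact address

def rule_matches(rule, daemon, ip):
    """A rule applies when both its daemon list and its client list match."""
    daemons, clients = rule
    return any(d in ("ALL", daemon) for d in daemons) and any(client_matches(c, ip) for c in clients)

def access_allowed(daemon, ip, allow_text=HOSTS_ALLOW, deny_text=HOSTS_DENY):
    """tcp_wrappers order: hosts.allow first match grants, then hosts.deny first match refuses."""
    if any(rule_matches(r, daemon, ip) for r in parse_rules(allow_text)):
        return True
    if any(rule_matches(r, daemon, ip) for r in parse_rules(deny_text)):
        return False
    return True   # neither file matched: tcp_wrappers grants access by default
```

The last line is the check worth remembering: without a catch-all `ALL : ALL` in hosts.deny, a client that matches nothing is let in.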