[arch-general] [arch-dev-public] dropping tcp_wrapper support

Jelle van der Waa jelle at vdwaa.nl
Sat Jul 16 16:44:25 EDT 2011


On 07/16/2011 09:51 PM, Peggy Wilkins wrote:
> On Sat, Jul 16, 2011 at 1:42 PM, Thomas S Hatch <thatch45 at gmail.com> wrote:
>
>> In the end, I tell people that using tcp_wrappers is unnecessary and unwise,
>> iptables is VERY powerful, and once you understand how rules are constructed
>> and parsed it is an easy and manageable solution.
> I have nothing to say against iptables and other full firewall
> solutions.  However, for my part running a number of desktops for
> other people at work with only sshd as a service, tcp wrappers plus
> denyhosts (plus disabling password authentication for good measure)
> already does exactly what I want.  Performance doesn't enter into this
> issue for us, we have so many spare CPU cycles it's comical.
>
> Everyone doesn't have the same circumstances and needs.  I just would
> like this option to continue because I'm using it now and I find it
> useful and it meets my immediate needs.  I also don't need my time at
> work diverted into a sudden project to write firewall rules that work
> for every desktop.
You're better off blocking unwanted attempts at ssh with iptables or use
sshguard. Or you could try http://smarden.org/ipsvd/
>> Thanks to the Arch devs for taking this out, this was the right move and I
>> will argue that it has made Arch more secure by not supporting outdated
>> security constructs.
> I view it as taking away my freedom to choose to run what I want in
> the simplest possible way.  This is a major change.  A large part of
> the reason I chose Arch is because it is straightforward to configure,
> hence doesn't require a lot of my time (which is properly spent
> running servers, not desktops) -- an easy way to get Linux on the
> desktop for our site which is otherwise all Windows desktops.  I
> already know the limitations of my choice (and I use full firewalls in
> other situations).
>
> Surely there is a good compromise possible...
There

-- 
Jelle van der Waa


