[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Performance impact of linking libwrap

To: Michael Ströder <michael@stroeder.com>
Subject: Re: Performance impact of linking libwrap
From: Florian Weimer <fw@deneb.enyo.de>
Date: Wed, 10 Dec 2014 19:58:08 +0100
Cc: Howard Chu <hyc@symas.com>, "openldap-technical@openldap.org" <openldap-technical@openldap.org>
In-reply-to: <54871479.3040805@stroeder.com> ("Michael Ströder"'s message of "Tue, 09 Dec 2014 16:25:45 +0100")
References: <548704F9.7030504@stroeder.com> <5487131F.2030109@symas.com> <54871479.3040805@stroeder.com>

* Michael Ströder:

> Hmm, I will drop it since the same functionality can be easily achieved on
> this platform by using local kernel firewall.

The DNS-based access rules are not available as part of the kernel
firewall.  For some odd reasons, a lot of people think this
tcpwrappers feature is insecure, but it seems a rather convenient way
to get *additional* security in cases where you have proper reverse
lookup (with matching forward lookup) and fragmented address space
that does not lend itself easily to writing access rules.

But as I said, this goes against accepted wisdom, so these additional
filters probably don't make it through security audits, and carrying
along this support at the tool level does not make much sense anymore:

<https://lists.fedoraproject.org/pipermail/devel/2014-March/196913.html>

Follow-Ups:
- Re: Performance impact of linking libwrap
  - From: Michael Ströder <michael@stroeder.com>
- Re: Performance impact of linking libwrap
  - From: Howard Chu <hyc@symas.com>

References:
- Performance impact of linking libwrap
  - From: Michael Ströder <michael@stroeder.com>
- Re: Performance impact of linking libwrap
  - From: Howard Chu <hyc@symas.com>
- Re: Performance impact of linking libwrap
  - From: Michael Ströder <michael@stroeder.com>

Prev by Date: ./configure option for /usr/sbin/slapd
Next by Date: Re: ./configure option for /usr/sbin/slapd
Index(es):
- Chronological
- Thread