
Re: Performance impact of linking libwrap



Florian Weimer wrote:
> * Michael Ströder:
>
>> Hmm, I will drop it since the same functionality can be easily achieved on
>> this platform by using the local kernel firewall.
>
> The DNS-based access rules are not available as part of the kernel
> firewall.  For some odd reason, a lot of people think this
> tcpwrappers feature is insecure, but it seems a rather convenient way
> to get *additional* security in cases where you have proper reverse
> lookup (with matching forward lookup) and fragmented address space
> that does not lend itself easily to writing access rules.
>
> But as I said, this goes against accepted wisdom, so these additional
> filters probably don't make it through security audits, and carrying
> along this support at the tool level does not make much sense anymore:
>
> <https://lists.fedoraproject.org/pipermail/devel/2014-March/196913.html>

Interesting discussion. There seems to be an inherent belief that old code is bad code. *Bad* code is bad code, and *good* code is good regardless of its age. The fact that TCP wrappers has been basically unmaintained since 2003 only indicates that it has not needed any new features since then. (And as I was one of the original authors in 1992, I know very well that it contains code that has never needed fixing...)

Your point about layered security is well taken though. As for DNS-based access rules, I've always considered them a liability; the cost of doing a reverse DNS lookup was something I'd never use in my own sites.

--
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/
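The mechanism Florian refers to, a reverse lookup confirmed by a matching forward lookup before a hostname pattern is allowed to match, is what makes DNS-based rules defensible: whoever controls the in-addr.arpa zone for an address can put any name in its PTR record, but they cannot make the forward zone of the trusted domain answer with their address. The script below is an added illustration written for this page, not code from tcp_wrappers or OpenLDAP. It models a hosts.allow/hosts.deny style evaluation with a constructed in-memory resolver so it runs offline; the host names and addresses are made up, and treating an unconfirmed PTR as "no hostname" (so only address patterns can match it) is a simplification of what the real library does.

```python
"""Reverse-then-forward DNS verification for hostname-based access rules.

Added example (not tcp_wrappers code). The resolver tables below are
constructed for offline use; the names and addresses are not real hosts.
"""
import ipaddress

# Constructed PTR data: address -> name claimed by the reverse zone.
PTR_RECORDS = {
    "192.0.2.10": "build01.lab.example.com",
    "192.0.2.11": "build02.lab.example.com",
    # Attacker controls the reverse zone for 198.51.100.0/24 and claims
    # a trusted name; the forward zone for example.com will not back it up.
    "198.51.100.7": "build01.lab.example.com",
    "203.0.113.5": "printer.office.example.net",
}

# Constructed A data: name -> set of addresses published by the forward zone.
A_RECORDS = {
    "build01.lab.example.com": {"192.0.2.10"},
    "build02.lab.example.com": {"192.0.2.11"},
    "printer.office.example.net": {"203.0.113.5"},
}


def verified_hostname(ip, ptr=PTR_RECORDS, a=A_RECORDS):
    """Return the client's hostname only if reverse and forward lookups agree.

    Returns None when there is no PTR, or when the forward lookup of the
    PTR name does not include the connecting address (the "paranoid" case).
    """
    name = ptr.get(ip)
    if name is None:
        return None
    if ip not in a.get(name, set()):
        return None  # PTR not confirmed by forward lookup: do not trust it
    return name.lower()


def pattern_matches(pattern, ip, name):
    """Match one access-rule pattern against a verified name and an address.

    Supported forms (a subset of the hosts_access(5) syntax): ALL,
    a leading-dot domain suffix, a literal hostname, a literal address,
    and a network given as net/netmask or CIDR.
    """
    pattern = pattern.lower()
    if pattern == "all":
        return True
    if pattern.startswith("."):
        # Domain suffix, e.g. ".lab.example.com": only a verified name counts.
        return name is not None and name.endswith(pattern)
    if "/" in pattern:
        # ipaddress accepts both "192.0.2.0/24" and "192.0.2.0/255.255.255.0".
        return ipaddress.ip_address(ip) in ipaddress.ip_network(pattern, strict=False)
    return pattern == ip or (name is not None and pattern == name)


def hosts_access(allow_rules, deny_rules, ip):
    """Evaluate allow rules, then deny rules, as hosts.allow/hosts.deny do.

    First match in the allow list grants, first match in the deny list
    refuses, and a client matched by neither is granted access.
    """
    name = verified_hostname(ip)
    if any(pattern_matches(p, ip, name) for p in allow_rules):
        return True
    if any(pattern_matches(p, ip, name) for p in deny_rules):
        return False
    return True


if __name__ == "__main__":
    allow = [".lab.example.com"]   # the fragmented address space, named by domain
    deny = ["ALL"]
    for client in ("192.0.2.10", "192.0.2.11", "198.51.100.7", "203.0.113.5", "192.0.2.12"):
        print(client, verified_hostname(client), hosts_access(allow, deny, client))
```

Run it and the attacker's address 198.51.100.7 is refused even though its PTR names a trusted build host, because the forward lookup of that name does not return 198.51.100.7; an address with no PTR at all is likewise refused by the ALL deny rule. Howard's cost objection stands regardless: every connection now depends on two DNS round trips and on the reverse zones of every peer being reachable.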