[TriLUG] Re: Problems with hosts.deny hosts.allow

James Manning trilug at sublogic.com
Mon Mar 11 11:25:57 EST 2002


[Jon Carnes]
> If you are simply interested (in an academic way) in the arcane and archaic
> use of the host files, then you might try looking at the man pages (man
> hosts.allow)

It's worth pointing out that they're not necessarily mutually exclusive.
In fact, it is philosophically a good idea to use both.  There's no reason
(that I can tell) to blindly assume there are no bugs in any code base,
user-space or kernel-space.

IOW, while the additional hassle of possibly needing to update multiple
configurations for changes can be annoying, there can be some value in
taking advantage of all possible security settings that are allowed.
After all, if the system in place allows things without rebuilding,
I can't see much of a reason to *not* use it, but admittedly my rules
aren't very complex.

YMMV, of course, but I don't think trashing tcpwrappers is necessarily
a good idea - trashing their exclusive use, yes - trashing them as a
component (by no means the strongest one) in a multi-faceted security
setup seems less so.

At least, as I'm writing this I can't imagine ipchains standalone (hey,
let's go iptables! :) as a more secure solution than ipchains+tcpwrappers.

I know you already know this, Jon, just wanted to offer $.02 although
your original point of tcpwrappers by themselves being crap is still
one I highly agree with.
-- 
James Manning <jmm at sublogic.com>
GPG Key fingerprint = B913 2FBD 14A9 CE18 B2B7  9C8E A0BF B026 EEBB F6E4


