NFS tcp wrapper situation

Thu Jan 22 00:48:54 UTC 2009

Once upon a time, Ric Wheeler <rwheeler at redhat.com> said:
> Chris Adams wrote:
> >TCP_wrappers was good before we had host-based firewalls, but is really
> >obsolete at this point, except for trying to do access control based on
> >DNS (which, for the most part, is a bad idea, as seen in this thread).
> >  
> Sounds like it is something that we might want to try to deprecate and 
> eventually remove.

I hadn't really given it much thought before this thread, but that
really may be the case (IMHO of course).

TCP_wrappers functions that are not really useful now:

- connection logging; this came when executed directly (e.g. from old
  inetd), but I don't think anything uses that now (xinetd, NFS,
  OpenSSH, etc. use their own logging instead of tcp_wrappers'); now
  that I look, I see rpcbind has a "-l" option that looks like it uses
  libwrap's logging (option is not on by default)

- basic allow/deny access control on a per-host and per-service basis;
  this can also be done with iptables for most services (and iptables is
  better, since that keeps any system daemon from even seeing a
  connection => lower load, less possible vulnerability, etc.)

- IDENT lookup (I don't believe anything uses this now)

There are some things that you can still do with TCP_wrappers that you
can't easily do in other ways:

- control access to RPC services that live on essentially random ports

- do DNS-based access control (which can seem useful but is often a bad
  idea)

- easier to manage "dynamic" access control such as done with denyhosts

The annoying thing about even considering deprecating TCP_wrappers is
that for most (if not all) current use, it is a build-time decision.  If
you build e.g. OpenSSH without -lwrap, there is no way to add that
functionality back.  Somebody could teach denyhosts about iptables
instead of /etc/hosts.deny (shouldn't be too hard to manage with a
couple of new scripts).

That brings me back to RPC services though, which means NFS (which
started all of this).  Some of the NFS component services have fixed
ports now (even though they still register with portmapper), such as
nfsd (2049) and rquotad (875), but I believe that mountd, lockd, and
statd all run on portmapper-assigned random ports.  The only way to
control access to them is currently TCP_wrappers.

Ideally, there'd be an iptables module or something that could track RPC
assigments and limit access, but that isn't a simple thing.
Alternately, you could have the portmapper have a callout to a script
that could modify iptables settings.

-- 
Chris Adams <cmadams at hiwaay.net>
Systems and Network Administrator - HiWAAY Internet Services
I don't speak for anybody but myself - that's enough trouble.