NFS tcp wrapper situation

Ric Wheeler rwheeler at redhat.com
Wed Jan 21 23:27:25 UTC 2009


Chris Adams wrote:
> Once upon a time, Steve Grubb <sgrubb at redhat.com> said:
>   
>> The day when no one tries IP address spoofing and source routing is the day we 
>> can stop shipping this "crap". Until then I thank it for every denial I see 
>> in my logs.
>>     
>
> Those would be good reasons, if tcpd protected you against those things.
>
> The Linux IPv4 stack has an option "accept_source_route" that is off by
> default, so that protects you there (as do most decent ISPs that disable
> source routing).
>
> TCP_wrappers does nothing to protect against IP spoofing.  Secure
> sequence numbers should protect TCP, and proper network design and
> filtering is the only thing that can protect UDP against spoofing.
>
> TCP_wrappers was good before we had host-based firewalls, but is really
> obsolete at this point, except for trying to do access control based on
> DNS (which, for the most part, is a bad idea, as seen in this thread).
>
>   
Sounds like it is something that we might want to try to deprecate and 
eventually remove.

ric
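
The accept_source_route setting mentioned in the quoted reply can be verified per interface. This is an added example, not part of the original thread. It relies on the documented kernel behaviour that IPv4 source-routed packets are accepted on an interface only when both conf/all and conf/<iface> are set to 1. The function names and the sample tree are constructed for illustration.

```shell
#!/bin/sh
# Added example: list interfaces that would accept IPv4 source-routed packets.
# Effective setting = conf/all/accept_source_route AND conf/<iface>/accept_source_route.

# source_route_accepting [CONF_DIR]
# Prints one interface name per line; prints nothing when no interface accepts.
source_route_accepting() {
    conf_dir="${1:-/proc/sys/net/ipv4/conf}"
    all_file="$conf_dir/all/accept_source_route"
    [ -r "$all_file" ] || { echo "cannot read $all_file" >&2; return 2; }
    all_val=$(cat "$all_file")
    for f in "$conf_dir"/*/accept_source_route; do
        [ -r "$f" ] || continue
        iface=$(basename "$(dirname "$f")")
        # "all" and "default" are templates, not interfaces
        case "$iface" in all|default) continue ;; esac
        val=$(cat "$f")
        if [ "$all_val" = "1" ] && [ "$val" = "1" ]; then
            echo "$iface"
        fi
    done
}

# make_sample_conf DIR iface=value ...
# Builds a constructed conf tree (not real system data) for offline checking.
make_sample_conf() {
    dir=$1; shift
    for pair in "$@"; do
        mkdir -p "$dir/${pair%%=*}"
        echo "${pair#*=}" > "$dir/${pair%%=*}/accept_source_route"
    done
}

# Demo on constructed values: all=1, so eth0 and lo are reported, eth1 is not.
demo=$(mktemp -d)
make_sample_conf "$demo" all=1 default=0 eth0=1 eth1=0 lo=1
source_route_accepting "$demo"    # prints eth0 and lo
rm -rf "$demo"
```

Called with no argument, source_route_accepting reads the live /proc/sys/net/ipv4/conf tree; empty output means no interface accepts source-routed packets.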



