Florian Weimer wrote:
- Michael Ströder:
Hmm, I will drop it since the same functionality can be easily achieved on this platform by using local kernel firewall.
The DNS-based access rules are not available as part of the kernel firewall. For some odd reasons, a lot of people think this tcpwrappers feature is insecure, but it seems a rather convenient way to get *additional* security in cases where you have proper reverse lookup (with matching forward lookup) and fragmented address space that does not lend itself easily to writing access rules.
But as I said, this goes against accepted wisdom, so these additional filters probably don't make it through security audits, and carrying along this support at the tool level does not make much sense anymore:
https://lists.fedoraproject.org/pipermail/devel/2014-March/196913.html
Interesting discussion. There seems to be an inherent belief that old code is bad code. *Bad* code is bad code, and *good* code is good regardless of its age. The fact that TCP wrappers has been basically unmaintained since 2003 only indicates that it has not needed any new features since then. (And as I was one of the original authors in 1992, I know very well that it contains code that has never needed fixing...)
Your point about layered security is well taken though. As for DNS-based access rules, I've always considered them a liability; the cost of doing a reverse DNS lookup was something I'd never use in my own sites.