[blfs-dev] [blfs-book] r10486 - in trunk/BOOK: . archive gnome/core introduction/welcome multimedia/libdriv multimedia/videoutils networking/netprogs postlfs/security pst/printing pst/scanning server/databases server/mail server/major server/other xsoft/other

Bruce Dubbs bruce.dubbs at gmail.com
Sat Aug 25 08:05:18 PDT 2012

Ken Moffat wrote:
> On Fri, Aug 24, 2012 at 11:12:02PM -0500, Bruce Dubbs wrote:
>> krejzi at linuxfromscratch.org wrote:
>>> Author: krejzi
>>> Date: 2012-08-01 06:04:22 -0600 (Wed, 01 Aug 2012)
>>> New Revision: 10486
>>> Added:
>>>      trunk/BOOK/archive/tcpwrappers.xml
>>> Removed:
>>>      trunk/BOOK/postlfs/security/tcpwrappers.xml
>> Armin,
>> I just noticed this.
>> Why did you remove tcpwrappers?  I recall saying I don't like it or use
>> it, but some other programs do use it.  It's mentioned in sendmail,
>> nfs-utils, vsftpd, and exim as well as xinetd which I'm restoring.
>> I think it's a legitimate optional dependency.  It builds OK in 7.2.

>   There was general agreement that it should go.  I didn't like the
> decision, but there was general agreement that if arch can drop it,
> so can we.  I've moved to iptables (_fun_ : that reminds me, I
> must remember to fix my iptables scripts re multicast spamming the
> logs) - I didn't think tcp_wrappers were a big overhead, but I have
> to agree that they aren't the only way of providing that control.

I guess the point is what users may expect.  I think that applications 
that can use tcpwrappers should mention it, but I suppose it could be as 
an external reference with a "(deprecated)" flag.

>   Relatedly : for iptables, why isn't it a regular script in init.d ?

That's the way I've always done it.  When I added the section on setting 
up a firewall, I just used what I'd always done.  There's the script 
/etc/init.d/iptables, but the script rc.iptables is, in a way, 
configuration.  It doesn't really fit in either /etc/init.d or 
/etc/sysconfig.  Other distros make what is rc.iptables into 
configuration file by just removing the 'iptables' executable.  I don't 
like that as it's an unneeded level of indirection.

> And is there any interest in _different_ variants ?  e.g. on this
> (7.2 :) desktop I've got rules for ssh (if I started it), tcp and
> udp if established or related, loopback, dns, ntp, icmp if related -
> and I should also permit multicast.

What you should have is a different discussion.  I've never been able to 
get streaming radio to work over the internet and it may be because IP 
ports above 225 get blocked.

   -- Bruce
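The rule set Ken describes (loopback, established/related TCP and UDP, related ICMP, optional ssh, multicast), written in the rc.iptables style the thread discusses. This is an added example, not BLFS's rc.iptables and not either author's script; the `start`/`show` interface and the `SSH_OPEN` variable are this example's own assumptions.

```shell
#!/bin/sh
# Constructed example of a single-desktop rule set (not BLFS's own script).
#   sh rc.iptables start   # apply the rules (needs root)
#   sh rc.iptables show    # print the iptables arguments without applying

# firewall_rules CMD  -- run each rule through CMD ("iptables" or "echo").
firewall_rules() {
    IPT=$1

    # Clean slate, default-deny for inbound and forwarded traffic.
    $IPT -F
    $IPT -X
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT

    # Loopback is local by definition.
    $IPT -A INPUT -i lo -j ACCEPT

    # Replies to connections this host opened: TCP and UDP answers (which
    # covers DNS and NTP responses to our own queries) and ICMP errors
    # related to them.
    $IPT -A INPUT -p tcp -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -p udp -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -p icmp -m conntrack --ctstate RELATED -j ACCEPT

    # Inbound ssh only when asked for (Ken's "if I started it").
    # SSH_OPEN is an assumed variable of this example.
    if [ "${SSH_OPEN:-no}" = yes ]; then
        $IPT -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
    fi

    # Multicast (destination 224.0.0.0/4) is accepted *before* the log
    # rule; otherwise LAN chatter such as mDNS/SSDP hits the log rule and
    # floods the logs, which is the problem Ken mentions.
    $IPT -A INPUT -d 224.0.0.0/4 -j ACCEPT

    # Log a rate-limited sample of the rest, then fall through to DROP.
    $IPT -A INPUT -m limit --limit 3/min -j LOG --log-prefix "INPUT dropped: "
}

case "${1:-}" in
    start) firewall_rules iptables ;;
    show)  firewall_rules echo ;;
esac
```

Running `show` prints the rules in order, which makes it easy to confirm that the multicast ACCEPT precedes the LOG rule before applying anything.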
