[blfs-dev] [blfs-book] r10486 - in trunk/BOOK: . archive gnome/core introduction/welcome multimedia/libdriv multimedia/videoutils networking/netprogs postlfs/security pst/printing pst/scanning server/databases server/mail server/major server/other xsoft/other
bruce.dubbs at gmail.com
Sat Aug 25 08:05:18 PDT 2012
Ken Moffat wrote:
> On Fri, Aug 24, 2012 at 11:12:02PM -0500, Bruce Dubbs wrote:
>> krejzi at linuxfromscratch.org wrote:
>>> Author: krejzi
>>> Date: 2012-08-01 06:04:22 -0600 (Wed, 01 Aug 2012)
>>> New Revision: 10486
>> I just noticed this.
>> Why did you remove tcpwrappers? I recall saying I don't like it or use
>> it, but some other programs do use it. It's mentioned in sendmail,
>> nfs-utils, vsftpd, and exim as well as xinetd which I'm restoring.
>> I think it's a legitimate optional dependency. It builds OK in 7.2.
> There was general agreement that it should go. I didn't like the
> decision, but there was general agreement that if arch can drop it,
> so can we. I've moved to iptables (_fun_ : that reminds me, I
> must remember to fix my iptables scripts re multicast spamming the
> logs) - I didn't think tcp_wrappers were a big overhead, but I have
> to agree that they aren't the only way of providing that control.
I guess the point is what users may expect. I think that applications
that can use tcpwrappers should mention it, but I suppose it could be as
an external reference with a "(deprecated)" flag.
> Relatedly : for iptables, why isn't it a regular script in init.d ?
That's the way I've always done it. When I added the section on setting
up a firewall, I just used what I'd always done. There's the script
/etc/init.d/iptables, but the script rc.iptables is, in a way,
configuration. It doesn't really fit in either /etc/init.d or
/etc/sysconfig. Other distros make what is rc.iptables into a
configuration file by just removing the 'iptables' executable. I don't
like that as it's an unneeded level of indirection.
> And is there any interest in _different_ variants ? e.g. on this
> (7.2 :) desktop I've got rules for ssh (if I started it), tcp and
> udp if established or related, loopback, dns, ntp, icmp if related -
> and I should also permit multicast.
What you should have is a different discussion. I've never been able to
get streaming radio to work over the internet and it may be because IP
ports above 225 get blocked.
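The desktop ruleset Ken describes above (loopback, established/related tcp and udp, ssh only when sshd is up, dns, ntp, related icmp, and multicast), written out as an added example in the rc.iptables style the thread discusses. This is not the BLFS book's own script nor either poster's rules; it assumes an iptables with the conntrack match available and sshd on port 22, and the names desktop_rules, DRY_RUN and ALLOW_SSH are this example's own. With conntrack, dns and ntp need no separate rules because replies to the host's own queries match ESTABLISHED, and icmp errors tied to those flows match RELATED.

```shell
#!/bin/sh
# Added example, not the BLFS book's rc.iptables: a minimal stateful
# INPUT policy for a single desktop covering the items in the thread
# (loopback, established/related tcp and udp, ssh on demand, related
# icmp, multicast). dns and ntp need no rule of their own because
# conntrack classifies the replies to our own queries as ESTABLISHED.
#
#   sh rc.iptables dry-run   # print the commands that would be run
#   sh rc.iptables start     # apply them (as root)

desktop_rules() {
    # DRY_RUN=1 prints the rules instead of applying them, so the ruleset
    # can be reviewed on a machine without iptables or root.
    ipt=iptables
    if [ "${DRY_RUN:-0}" = "1" ]; then
        ipt="echo iptables"
    fi

    # Start from a clean, default-deny inbound posture; outbound is
    # unrestricted and this host does not forward.
    $ipt -F
    $ipt -X
    $ipt -P INPUT DROP
    $ipt -P FORWARD DROP
    $ipt -P OUTPUT ACCEPT

    # Loopback.
    $ipt -A INPUT -i lo -j ACCEPT

    # Replies to connections this host opened (tcp, udp, and icmp errors
    # related to them). This one rule covers dns, ntp and related icmp.
    $ipt -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # Packets conntrack cannot classify are dropped without logging;
    # logging them is a common source of log noise.
    $ipt -A INPUT -m conntrack --ctstate INVALID -j DROP

    # ssh only when asked for (ALLOW_SSH=1), mirroring "if I started it".
    if [ "${ALLOW_SSH:-0}" = "1" ]; then
        $ipt -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
    fi

    # IPv4 multicast (224.0.0.0/4): accept it so it stops hitting the
    # logging rule below. Narrow to the groups actually needed (e.g.
    # 224.0.0.251 for mDNS) if the host does not use streaming.
    $ipt -A INPUT -d 224.0.0.0/4 -j ACCEPT

    # Everything else: rate-limited log, then drop.
    $ipt -A INPUT -m limit --limit 3/min --limit-burst 10 \
        -j LOG --log-prefix "INPUT DROP: "
    $ipt -A INPUT -j DROP
}

case "${1:-}" in
    start)   desktop_rules ;;
    dry-run) DRY_RUN=1; desktop_rules ;;
esac
```

Running it with `dry-run` first is the point of the DRY_RUN switch: the printed rule list is what you would review before applying a default-deny policy on a remote box, and it is also what lets the ruleset be checked on a machine where iptables is not installed.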