any external app can be down at any time, while openssh remains active and exposed, BUT libwrap is baked into openssh, so the protection will hold. Libwrap is the last line of defense. Why remove it?

On Wed, Jun 23, 2021 at 1:01 PM Lars Noodén <lars.nooden at gmx.com> wrote:
> On 6/23/21 5:54 PM, Saint Michael wrote:
> > I compiled the latest version, 8.1, inside Centos 7.9, and
> [snip]
>
> What use-case would there be there for tcpwrappers that cannot be better
> solved with a packet filter? In the case of CentOS 7 you have nftables
> and iptables.
>
> /Lars
>
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev at mindrot.org
> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev

Libwrap has never been part of OpenSSH (or if it was, it was removed when the OpenBSD team forked the original SSHv1 source back in 1999). This has always been a 3rd party patchset.

Ben

Saint Michael wrote on 6/23/21 12:31 PM:
> any external app can be down at any time, while openssh remains active and
> exposed, BUT libwrap is baked into openssh, so the protection will hold.
> Libwrap is the last line of defense. Why remove it?
>
> On Wed, Jun 23, 2021 at 1:01 PM Lars Noodén <lars.nooden at gmx.com> wrote:
>
>> On 6/23/21 5:54 PM, Saint Michael wrote:
>>> I compiled the latest version, 8.1, inside Centos 7.9, and
>> [snip]
>>
>> What use-case would there be there for tcpwrappers that cannot be better
>> solved with a packet filter? In the case of CentOS 7 you have nftables
>> and iptables.
>>
>> /Lars

iptables is not an external app. It's never "down" any more than /etc/hosts.deny is down. What can tcpwrappers do that iptables cannot do even better?

Tom.III

On Wed, Jun 23, 2021 at 10:32 AM Saint Michael <venefax at gmail.com> wrote:
> any external app can be down at any time, while openssh remains active and
> exposed, BUT libwrap is baked into openssh, so the protection will hold.
> Libwrap is the last line of defense. Why remove it?
>
> On Wed, Jun 23, 2021 at 1:01 PM Lars Noodén <lars.nooden at gmx.com> wrote:
>
> > On 6/23/21 5:54 PM, Saint Michael wrote:
> > > I compiled the latest version, 8.1, inside Centos 7.9, and
> > [snip]
> >
> > What use-case would there be there for tcpwrappers that cannot be better
> > solved with a packet filter? In the case of CentOS 7 you have nftables
> > and iptables.
> >
> > /Lars