[CentOS] Does anyone use tcp wrappers (hosts.allow/hosts.deny) anymore?

Thu Mar 20 23:36:42 UTC 2014
Steven Tardy <sjt5atra at gmail.com>

> On Mar 20, 2014, at 3:48 PM, Matthew Miller <mattdm at mattdm.org> wrote:
> 
> Does anyone use tcp wrappers (hosts.allow/hosts.deny) anymore? And, would
> you care strongly if it went away (or would you just migrate to something
> else)?
> 
> I bring this up because we are discussing dropping it from Fedora. This
> would be far enough in the future that it wouldn't impact RHEL 7, and
> therefore won't affect anyone here for Quite Some Time*, but here in the new
> world order of CentOS, I thought it might be useful to check with some
> actual downstream users.
> 
> What do you think? Do you rely on hosts.allow/hosts.deny as a primary security
> mechanism? As defense-in-depth? Do you have policies which mandate it?
> 
> Your feedback appreciated. Thanks!
> 
> 
> * and the standard caveats that Fedora doesn't necessarily determine the
> path for RHEL apply, of course.
> 
> 
> -- 
> Matthew Miller           mattdm at mattdm.org          <http://mattdm.org/>

I know a .gov which exclusively uses tcp wrappers instead of iptables. 
1) tcp wrappers is consistent across Unixes (Solaris/AIX/Linux)
2) if it ain't broke / resistance to change / etc
3) political / layer 8 issues. Iptables is a firewall and firewalls are handled by the security group not the sysadmin group.


I know a .edu which uses tcp wrappers instead of iptables in a containers environment. With 250+ containers on a 40GB hardware node, iptables used too much RAM since it's resident 100% of the time. Tried using a "fail2ban" equivalent inserting iptables rules and after some number of rules iptables wouldn't take any more. Tcp wrappers scaled much much higher using less RAM.


Political reasons shouldn't prevent removing tcp wrappers, but some technical reasons still exist.

Steven Tardy
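The thread asks whether hosts.allow/hosts.deny is relied on as a primary mechanism or as defense-in-depth. What follows is an added example, not code from the post or from the tcp_wrappers project: a small Python evaluator of the hosts_access(5) lookup order (hosts.allow searched first, first match grants; then hosts.deny, first match denies; a client that matches neither file is allowed). The policy text, hostnames and addresses are constructed for illustration, and only IPv4 client patterns (ALL, LOCAL, domain suffix, address prefix, net/mask, exact name or address, one level of EXCEPT) are handled. The last line of the stand-alone run shows why a catch-all `ALL : ALL` in hosts.deny matters: without it, any client no allow rule names is let in.

```python
"""Added example: evaluate tcp_wrappers (hosts_access) style access control.

Mirrors the order libwrap applies: hosts.allow first (first match grants),
then hosts.deny (first match denies), otherwise access is granted.
IPv4 only; the policy below is constructed, not taken from the thread.
"""
import ipaddress
import re

# Constructed default-deny policy (hypothetical hosts, not from the post).
HOSTS_ALLOW = """\
# sshd from the admin subnet and one named jump host
sshd : 192.168.10.0/255.255.255.0, jump.example.org
# every other wrapped daemon from the campus domain
ALL EXCEPT sshd : .corp.example.org
# anything from loopback, or from an undotted (local) hostname
ALL : 127.0.0.1 LOCAL
"""
HOSTS_DENY = """\
ALL : ALL
"""


def _tokens(text):
    """Split a comma/whitespace separated list into its entries."""
    return [t for t in re.split(r"[,\s]+", text.strip()) if t]


def parse_list(spec):
    """'a, b EXCEPT c' -> (['a', 'b'], ['c']); one EXCEPT level as in hosts_access(5)."""
    parts = re.split(r"\bEXCEPT\b", spec, maxsplit=1)
    include = _tokens(parts[0])
    exclude = _tokens(parts[1]) if len(parts) > 1 else []
    return include, exclude


def parse_rules(text):
    """Return [(daemon_spec, client_spec)] for each non-blank, non-comment line."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split(":")  # daemon_list : client_list [ : shell_command ]
        if len(fields) < 2:
            raise ValueError(f"malformed rule: {raw!r}")
        rules.append((parse_list(fields[0]), parse_list(fields[1])))
    return rules


def daemon_matches(pattern, daemon):
    return pattern == "ALL" or pattern == daemon


def client_matches(pattern, host, addr):
    if pattern == "ALL":
        return True
    if pattern == "LOCAL":              # hostname without a dot
        return "." not in host
    if pattern.startswith("."):         # domain suffix, e.g. .corp.example.org
        return host.endswith(pattern)
    if pattern.endswith("."):           # address prefix, e.g. 192.168.
        return addr.startswith(pattern)
    if "/" in pattern:                  # net/mask
        return ipaddress.ip_address(addr) in ipaddress.ip_network(pattern, strict=False)
    return pattern in (host, addr)      # exact hostname or address


def spec_matches(spec, match, *target):
    """A list matches when some include entry matches and no EXCEPT entry does."""
    include, exclude = spec
    return any(match(p, *target) for p in include) and not any(
        match(p, *target) for p in exclude)


def access_allowed(daemon, host, addr, allow_text=HOSTS_ALLOW, deny_text=HOSTS_DENY):
    """Decide as libwrap would: allow file first, deny file second, default allow."""
    for text, verdict in ((allow_text, True), (deny_text, False)):
        for daemon_spec, client_spec in parse_rules(text):
            if (spec_matches(daemon_spec, daemon_matches, daemon)
                    and spec_matches(client_spec, client_matches, host, addr)):
                return verdict
    return True  # no rule matched in either file: access is granted


if __name__ == "__main__":
    for args in [("sshd", "ws1.corp.example.org", "192.168.10.5"),
                 ("sshd", "evil.example.net", "198.51.100.9"),
                 ("vsftpd", "ws1.corp.example.org", "10.20.30.40")]:
        print(args, "->", "allow" if access_allowed(*args) else "deny")
    # Without a catch-all in hosts.deny, an unmatched client is allowed.
    print("empty hosts.deny ->",
          access_allowed("sshd", "evil.example.net", "198.51.100.9", deny_text=""))
```

The evaluator only models the static matching rules; it does not perform the reverse/forward DNS cross-check that libwrap does for hostname patterns, so a real deployment that keys on hostnames rather than addresses depends on DNS integrity as well.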