Mailinglist Archive: opensuse (1460 mails)

< Previous Next >
[opensuse] TCP wrappers and SuSEfirewall2
Along with many others, I discovered that TCP wrappers were no longer available for ssh in 13.2. The advice given a year ago [1] that "TCP wrappers were a hack and needed back when you didn't have firewalls. Now you do and iptables does a lot more, better and faster" seemed to me to be glib and superficial, since iptables are no easier to hack than sendmail, and opensuse does not support use of the SuSEfirewall2 hooks. The user is on his or her own in a difficult area.

I looked at the feasibility of an automatic translation of the TCP wrappers configuration file hosts.allow to a SuSEfirewall2 extension. I now have the Bash script working for my own use. It translates the hosts.allow client_list to an ipset collection, and generates a hook function fw_custom_after_chain_creation which adds the "hosts.allow" configuration to the SuSEfirewall2 set-up script.

Since the Bash script does not require TCP wrappers, it may be used for any service, e.g. http, rsync, openvpn. My hosts.allow configuration file contains two short rules covering 4 services. The Bash script takes 3 min 24 sec, processing 9746 ipset hash:net elements at 2866/min on a Dell Precision 690. The function fw_custom_after_chain_creation contains only 4 iptables statements in filter:INPUT for the filtering, with an additional three for logging.

Full details and Bash script download are at http://rogerprice.org/hosts.allow

Roger

[1] Message #6 at https://forums.opensuse.org/showthread.php/505226-Is-file-etc-hosts-deny-disabled-on-OpensSuse-13-2

(Sorry if this is a duplicate posting)
--
To unsubscribe, e-mail: opensuse+unsubscribe@xxxxxxxxxxxx
To contact the owner, e-mail: opensuse+owner@xxxxxxxxxxxx

< Previous Next >
This Thread