On Thursday 20 March 2014 19:45:32 Lennart Poettering wrote:
> No. systemd is not a firewall. It currently supports libwrap checks for
> socket activated services. And I'd really like to get rid of that...
Confession: I've never bothered looking in tcpwrappers code/api, so
I'll take your assessment that this code should be thrown away...
However, the functionality *at the service level* has its value,
as a complement to firewall rules which are global by nature.
Let's look at familiar NON-tcpwrappers examples:
* Every sane network service allows you to bind to specific interfaces
although you could protect them via firewall rules.
It's not *only* security, but also flexibility (e.g: running several
instances on several [physical or virtual] network interfaces).
Sometimes it's just extra *safety* (e.g: you don't want an internal
DHCP server to answer hosts on the corporate network by mistake).
* You mentioned yourself the sshd "Match" keyword. Again, it's not just
"security" per-se, but the softer ability to control a network
resource *at the service level*.
* xinetd also supports some socket control options (besides optional
tcpwrappers integration). E.g: "per_source" or "cps" directives.
* Last, a somewhat theoretical example. User-level services.
(e.g: screen sharing of personal desktop like "krfb").
The non-root user may not have global control on the host and firewall
but may want to set limits on who can bother him/her.
(it's theoretical simply because current implementations don't
give the user any such control ;-)
So is there any chance to have similar functionality?
* IMO, exact feature/syntax parity with tcpwrappers isn't important at all.
* However, *some* optional socket control/limits in <service>.socket file
would go a long way.
* If this happens to be implemented in a small library with sane API,
it may even contribute to the direct replacement of tcpwrappers
in other network services that need similar features...
Thanks,
--
Oron Peled Voice: +972-4-8228492
oron(a)actcom.co.il
http://users.actcom.co.il/~oron
"The wonderful thing about standards is that there are so many of
them to choose from."
-- Grace Murray Hopper
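As an added example (not part of this message or of any code on the thread): a systemd socket unit showing the kind of optional, per-service socket limits the reply asks for, using directives systemd gained in releases after this 2014 exchange (MaxConnectionsPerSource= and TriggerLimit*= around v230 to v232, IPAddressAllow=/IPAddressDeny= in v235, the latter needing cgroup v2 and BPF). The unit name, port, interface name and address range are constructed.

```ini
# /etc/systemd/system/example.socket  (constructed unit name)
# Per-connection companion template: example@.service (not shown).
[Unit]
Description=Example socket with per-service access limits

[Socket]
# Constructed port; Accept=yes spawns one service instance per
# connection, inetd style.
ListenStream=2222
Accept=yes

# "Bind to specific interfaces": only accept traffic arriving on this
# NIC (SO_BINDTODEVICE). eth1 is a constructed interface name.
BindToDevice=eth1

# Analogue of xinetd "instances" / "per_source": cap simultaneous
# connections overall and per source IP address.
MaxConnections=64
MaxConnectionsPerSource=4

# Analogue of xinetd "cps": rate-limit activations. If the limit is
# hit the socket unit enters failed state and must be restarted.
TriggerLimitIntervalSec=2s
TriggerLimitBurst=20

# Host-based allow list on the socket itself: deny everything, then
# allow one constructed range plus loopback. This covers sockets the
# socket unit creates; replicate the same two settings in
# example@.service to also cover sockets the service opens itself.
IPAddressDeny=any
IPAddressAllow=10.0.0.0/8
IPAddressAllow=localhost

[Install]
WantedBy=sockets.target
```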