VETO! Re: heads up: tcpwrappers support going away

Nico Kadel-Garcia nkadel at gmail.com
Sat Apr 26 11:14:38 EST 2014


On Wed, Apr 23, 2014 at 3:40 PM, mancha <mancha1 at zoho.com> wrote:
> On Wed, Apr 23, 2014 at 02:31:43PM -0500, Ben Lindstrom wrote:
>> Personally, I'm glad to see us finally doing away with tcpwrapper. It
>> is a dark part of our history that should be scorched from the planet
>> so we can get people to start doing stuff  the right away^H^H^H^H our way

Fixed That For You(tm).

> Don't use "--with-tcp-wrappers"
>
> --mancha

tcp_wrappers has been a much, much easier and safer to set up
lightweight, application firewall filter for a *long* time. It's been
useful and safer to implement than the plethora of easily fractured
firewall configurations configured, and inconsistently configured, by
every GUI script kiddie with an attitude who's never actually learned
to do flow charts and logic diagrams and really understand how
firewalls work.

Its integration with SSH has helped make SSH safer to configure when
touching the firewall was out of the scope of the host specific admin,
and I've personally encountered such situations. (Do not get me
*started* on Puppet, Tuttle, CFEngine and Chef admins who will insist
on retaining sitewide control of the firewall configs and really don't
know how to do them well.) iptables and pf are likely to be overridden
in a larger environment by someone else's standards, but you can get
away with noticeably improved system access control despite this by
configuring at least tcp_wrappers.

Please leave in a lightweight, stable, useful future.
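
The access-control semantics Nico is relying on here (sshd consults /etc/hosts.allow first, then /etc/hosts.deny, and lets the connection through when neither file matches) are easy to get wrong when reading the rule files by eye. The following is an added example, not code from the thread or from tcp_wrappers itself: a small Python evaluator that applies that search order to constructed hosts.allow and hosts.deny contents. It is deliberately a subset of the real hosts_access(5) syntax: IPv4 only, with the patterns ALL, an exact address, a trailing-dot prefix such as "10.1.", net/mask, and a single EXCEPT clause per rule; hostname patterns, KNOWN/UNKNOWN/PARANOID and the spawn/twist options are not implemented. All rule lines and client addresses below are made up for the demonstration.

```python
"""Evaluate a subset of tcp_wrappers hosts.allow / hosts.deny rules.

Search order, as documented for libwrap: a match in hosts.allow grants
access, otherwise a match in hosts.deny refuses it, otherwise access is
granted.  Only IPv4 address patterns are handled (see module docstring
of each function for the supported subset); hostnames are not looked up.
"""
import ipaddress

# Constructed sample files (not taken from any real host).
HOSTS_ALLOW = """
# Admin LAN plus one jump host may reach sshd.
sshd : 192.168.10.0/255.255.255.0, 10.0.0.5
# The 10.1.x.x range is fine except the guest subnet 10.1.99.x.
sshd : 10.1. EXCEPT 10.1.99.
ALL  : 127.0.0.1
"""

HOSTS_DENY = """
# Refuse sshd from everyone not matched above.
sshd : ALL
"""


def split_list(field):
    """A hosts_access list is separated by blanks and/or commas."""
    return [tok for tok in field.replace(",", " ").split() if tok]


def parse_client_list(field):
    """Return (include_patterns, exclude_patterns); one EXCEPT supported."""
    parts = field.split(" EXCEPT ")
    include = split_list(parts[0])
    exclude = split_list(parts[1]) if len(parts) > 1 else []
    return include, exclude


def parse_rules(text):
    """Parse 'daemon_list : client_list [: option]' lines; '#' starts a comment."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = [f.strip() for f in line.split(":")]
        if len(fields) < 2:
            raise ValueError(f"malformed rule: {raw!r}")
        rules.append((split_list(fields[0]), parse_client_list(fields[1])))
    return rules


def pattern_matches(pattern, addr):
    """Match one client pattern against a dotted-quad address string."""
    ip = ipaddress.ip_address(addr)
    if pattern == "ALL":
        return True
    if pattern.endswith("."):            # leading-octet prefix, e.g. "10.1."
        return addr.startswith(pattern)
    if "/" in pattern:                   # net/mask, e.g. 192.168.10.0/255.255.255.0
        net, mask = pattern.split("/", 1)
        return ip in ipaddress.ip_network(f"{net}/{mask}", strict=False)
    return ip == ipaddress.ip_address(pattern)


def rule_matches(rule, daemon, addr):
    daemons, (include, exclude) = rule
    if not any(d in ("ALL", daemon) for d in daemons):
        return False
    return (any(pattern_matches(p, addr) for p in include)
            and not any(pattern_matches(p, addr) for p in exclude))


def access_allowed(daemon, addr, allow_rules, deny_rules):
    """hosts.allow first, then hosts.deny, then the implicit default: allow."""
    if any(rule_matches(r, daemon, addr) for r in allow_rules):
        return True
    if any(rule_matches(r, daemon, addr) for r in deny_rules):
        return False
    return True


ALLOW_RULES = parse_rules(HOSTS_ALLOW)
DENY_RULES = parse_rules(HOSTS_DENY)


def decide(daemon, addr):
    """Convenience wrapper over the constructed sample files above."""
    return access_allowed(daemon, addr, ALLOW_RULES, DENY_RULES)


if __name__ == "__main__":
    for daemon, addr in [("sshd", "192.168.10.42"), ("sshd", "10.1.2.3"),
                         ("sshd", "10.1.99.7"), ("sshd", "203.0.113.9"),
                         ("ftpd", "203.0.113.9")]:
        verdict = "allow" if decide(daemon, addr) else "deny"
        print(f"{daemon:5} from {addr:15} -> {verdict}")
```

The last case in the demo is the one worth remembering: a daemon that hosts.deny never names (ftpd here) is reachable from anywhere, because the fall-through when nothing matches is allow. That is why a closing `ALL : ALL` in hosts.deny is the customary way to make the files default-deny.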

