Eric Spakman wrote:
>> To the package maintainer:
>> - is it possible to remove the dependency on /etc/hosts.allow since
>> it would seem to be redundant with shorewall rules?
> It is possible to remove the dependency, but there is a reason why p9100
> (and a few other packages) are compiled with libwrap support. LEAF is
> modular, so it is possible to use LEAF without shorewall as a pure router
> or printserver (or whatever), libwrap gives some extra security in the
> cases where iptables/shorewall isn't installed.
What you say makes sense (including what followed, about hosts.allow not being part of pppd.lrp) but I'll offer this counter-position.

To have two places where one must permit an IP address (shorewall & hosts.allow) is a little obtuse, IMO.

In terms of LEAF as a non-shorewall router, etc., I'd propose that since the default LEAF distro includes shorewall, that might tip the scales in favour of recognizing that shorewall rules are the better, *single* place for IP restrictions to be placed. Also, newbies (the people most likely to get tripped up by this double-permission requirement) are less likely to be able to solve this than someone who is employing LEAF as a non-shorewall device, whose users are much more likely to be able to self-solve, recompile with libwrap support, etc.

Maybe 2 pppd.lrp packages - one default for use with shorewall (no dependency on hosts.allow) and one standalone? (recognizing too that more packages = more work for the kind, volunteer maintainers).

This conundrum might all originate from trying to make LEAF do more than one thing - firewall & router vs router vs print server (doing two+ things - and the commensurate double-permissions requirement - is maybe a not-unexpected outcome of trying to do more than one thing and causing neither task to be performed optimally).

Is there any reason that someone who wants to use LEAF as a, say, print server, *shouldn't* use shorewall to effect IP addy restrictions? (Saving space on a floppy is obvious but is there anything more substantial? And true, adding in a complex package like shorewall vs compiled-in libwrap support exposes a greater risk of code-bug that impacts security). Anything else? :)

Anyway, I'm obviously not an impartial party here but wanted to offer the devil's advocate position, in terms of identifying the 'cost' associated with the 'benefit' of this multiple-use strategy.

Too, things that make life tough for newbies (I'm not one, FWIW) are a Bad Thing, again IMO.

Regardless of the final decision I thank you for your taking the time to reply and explain.

(I also like what Hillel Seltzer said, in terms of "hosts.lpd instead of hosts.allow" and IMO think that would be an alternate, ideal solution since hosts.lpd could [TTBOMK] be safely made a part of the pppd.lrp package?!)

scott; canada


leaf-user mailing list: leaf-user@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/leaf-user
Support Request -- http://leaf-project.org/