From Fedora Project Wiki
(Initial commit)
 
Line 60: Line 60:
 
Last version of tcp_wrappers was released 20 years ago (with later addition of IPv6 support). At that time, it was very powerful tool to block "all traffic", but these days we can do the same thing using firewalls/iptables/nftables for "all traffic" or similar filtering exists in most of the applications.
 
Last version of tcp_wrappers was released 20 years ago (with later addition of IPv6 support). At that time, it was very powerful tool to block "all traffic", but these days we can do the same thing using firewalls/iptables/nftables for "all traffic" or similar filtering exists in most of the applications.
  
One of the impulses for this change was removal of TCP wrappers support from systemd and openssh in 2014, based on the thread on fedora devel list [https://lists.fedoraproject.org/pipermail/devel/2014-March/196913.html]. I started another thread during 2017 [https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org/thread/2IBVP66BM6HUZVRTFIVURNZUR2XSUMOD/] which is trying to explain the reasons why we should do that with other constructive ideas.
+
One of the motivating factors for this change was removal of TCP wrappers support from systemd and openssh in 2014, based on the thread on fedora devel list [https://lists.fedoraproject.org/pipermail/devel/2014-March/196913.html]. I started another thread during 2017 [https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org/thread/2IBVP66BM6HUZVRTFIVURNZUR2XSUMOD/] which is trying to explain the reasons why we should do that with other constructive ideas.
  
 
<!-- Expand on the summary, if appropriate.  A couple sentences suffices to explain the goal, but the more details you can provide the better. -->
 
<!-- Expand on the summary, if appropriate.  A couple sentences suffices to explain the goal, but the more details you can provide the better. -->

Revision as of 08:55, 13 September 2017


Deprecate TCP wrappers

Summary

TCP wrappers is a simple tool to block incoming connection on application level. This was very useful 20 years ago, when there were no firewalls in Linux. This is not the case for today and connection filtering should be done in network level or completely in application scope if it makes sense. After recent discussions I believe it is time to go for this package, if not completely, than at least as a dependency of modern daemons in system by default.

Owner

  • Name: Jakub Jelen
  • Email: jjelen@redhat.com
  • Release notes owner:

Current status

  • Targeted release: Fedora 28
  • Last updated: 2017-09-13
  • Tracker bug: <will be assigned by the Wrangler>

Detailed Description

Last version of tcp_wrappers was released 20 years ago (with later addition of IPv6 support). At that time, it was very powerful tool to block "all traffic", but these days we can do the same thing using firewalls/iptables/nftables for "all traffic" or similar filtering exists in most of the applications.

One of the motivating factors for this change was removal of TCP wrappers support from systemd and openssh in 2014, based on the thread on fedora devel list [1]. I started another thread during 2017 [2] which is trying to explain the reasons why we should do that with other constructive ideas.


Benefit to Fedora

Removing this package from Fedora will remove a package from default and minimal installations (removing dependency of daemons such as SSHD). It also makes the configuration straight-forward for new users (no shared files defining access rules, poorly reporting any errors to users.

Removing the dependency from all packages and retiring the package in single release will minimize users confusion and avoids opening sensitive services after the update.


Scope

  • Proposal owners: Deprecate tcp_wrappers in Fedora, remove dependency on other pacakges maintained and notify other maintainers to follow the same procedure.
  • Other developers: Remove dependency of your software on tcp_wrappers
  • Policies and guidelines: If package will not be retired, update packaging guidelines to NOT RECOMMEND building against tcp_wrappers
  • Trademark approval: N/A (not needed for this Change)

Upgrade/compatibility impact

Updating from older versions might expose existing services "protected" by tcp_wrappers before (sshd). The removal needs to be explicitly mentioned in the migration guide/release notes so the users are able to configure different layer of security (firewald, application configuration) if this was the only one they used.


How To Test

You should be able to run system (for example with OpenSSH) without tcp_wrappers package.


User Experience

Users should not notice any difference. System administrators will have to configure different layer of security, if tcp_wrapper was the only one they relied on.


Dependencies

Other packages should be rebuilt without support for tcp_wrappers (if possible). That should be at most tens lines of code change, configure option (if upstream still supports it) or dropping downstream patch.


Contingency Plan

  • Contingency mechanism: tcp_wrappers package will not be retired, offending packages will still carry this dependency, but guidelines should be updated to not recommend building against this package
  • Contingency deadline: Beta freeze?
  • Blocks release? No

Documentation

After removing the libwrap dependency from the openssh, it will stop using rules defines in /etc/hosts.deny. The functionality can be added back to any socket-activated service. For example SSHD:

  • Disable sshd.service
systemctl disable sshd
  • Copy the shipped sshd@.service to /etc:
cp {/usr/lib,/etc}/systemd/system/sshd@.service
  • Modify the ExecStart line in the above file under /ect/ from
ExecStart=-/usr/sbin/sshd -i $OPTIONS $CRYPTO_POLICY

to

ExecStart=@-/usr/sbin/tcpd /usr/sbin/sshd -i $OPTIONS $CRYPTO_POLICY
  • Reload systemctl
systemctl daemon-reload
  • Enable and start sshd.socket
systemctl enable sshd.socket
systemctl start sshd.socket
  • Verify that you can connect to new service (not working now, because it is blocked by SELinux). Blocked by the bug #1482554 [3].

Similar approach can be used for other services, that will drop tcp_wrappers dependency.


Release Notes

Fedora 28 removes support for tcp_wrappers (aka /etc/hosts.deny access files). The preferred replacement is software firewalld/nftables rules or software specific access rules for more complex filtering. If your system security depends on tcp_wrappers rules, convert them to firewall, or set up tcpd to do the same job for you.