TCP Wrappers or IP address filtering? #183
Comments
Bump. Is it possible?
If I understand you question correctly, you could do that through ACL.
But, really, that's a job for the firewall.
--
Guillaume Quintard
Thanks @gquintard. I could not find any reference to ACL in the docs. If you mean ACL'ing IPs in the backend, it sounds suboptimal to me, since there would be wasted resources on negotiating TLS for a droppable connection.
Apologies, I thought it was a varnish discussion. I'll let @daghf reply regarding the potential of using tcpwrappers. Why not "simply" use iptables?
In general:
In my specific case, it allows me to package the software + the configured IPs inside a Docker container and deploy it without anything else needed from the host system (last bullet point above).
To add to pataquets' list, tcp-wrappers is much easier to implement large lists with, such as the ones provided by global filtering lists like badips.com. There are firewall methods to incorporate these lists, but they typically depend on ipset. iptables alone is simply not optimized for large lists of IP addresses (and even ipset takes a long time to build its lists).
I would like to have some sort of mechanism to filter/drop connections based on black/white lists.
I'm fine with (actually I'd prefer) being able to do it via TCP Wrappers, since I understand it could not be considered a 'core' feature.
I've followed http://www.ducea.com/2006/07/02/how-to-find-out-if-a-daemon-was-build-with-tcp-wrappers-support-hostsallowhostsdeny/ and it looks like it's not linked.
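For readers who have not used TCP Wrappers before, the following added example (not code from this issue, from hitch, or from libwrap) shows the decision logic that a libwrap-linked daemon applies to each incoming connection, as documented in hosts_access(5): `hosts.allow` is consulted first and a match accepts the connection, then `hosts.deny` is consulted and a match rejects it, and a client that matches neither file is accepted. It supports the `ALL` wildcard, the `EXCEPT` operator, the trailing-dot address-prefix form and the `net/mask` form; the hostname-based patterns (`LOCAL`, `KNOWN`, `PARANOID`, leading-dot domain suffixes) that real libwrap also evaluates are deliberately left out. The daemon name `hitch` and both file contents are constructed sample data.

```python
import ipaddress

# Constructed sample files (hypothetical contents, not taken from any real host).
# Syntax per hosts_access(5):  daemon_list : client_list
HOSTS_ALLOW = """
# allow-list: checked first, a match accepts the connection
hitch : 10.0.0.0/255.255.255.0 203.0.113.7
sshd  : ALL
"""

HOSTS_DENY = """
# deny-list: checked second, a match rejects the connection
hitch : ALL
"""


def parse_rules(text):
    """Turn hosts.allow/hosts.deny text into [(daemon_patterns, client_patterns), ...]."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        fields = [f.strip() for f in line.split(":")]
        if len(fields) < 2:                     # malformed line: ignore it
            continue
        rules.append((fields[0].split(), fields[1].split()))
    return rules


def daemon_matches(pattern, daemon):
    return pattern == "ALL" or pattern == daemon


def client_matches(pattern, addr):
    """Match one client pattern against a dotted IPv4 address string."""
    if pattern == "ALL":
        return True
    if pattern.endswith("."):                   # "10.0.0." matches 10.0.0.x
        return addr.startswith(pattern)
    if "/" in pattern:                          # "net/mask" form, dotted mask or prefix length
        net, mask = pattern.split("/", 1)
        try:
            return ipaddress.ip_address(addr) in ipaddress.ip_network(
                f"{net}/{mask}", strict=False)
        except ValueError:                      # not an address or not a valid network
            return False
    return addr == pattern                      # exact address


def list_matches(patterns, value, matcher):
    """Evaluate a pattern list, honouring 'a b EXCEPT c d' (match left, but not right)."""
    if "EXCEPT" in patterns:
        i = patterns.index("EXCEPT")
        return (list_matches(patterns[:i], value, matcher)
                and not list_matches(patterns[i + 1:], value, matcher))
    return any(matcher(p, value) for p in patterns)


def rules_match(rules, daemon, addr):
    return any(list_matches(d, daemon, daemon_matches)
               and list_matches(c, addr, client_matches)
               for d, c in rules)


def hosts_access(daemon, addr, allow_text=HOSTS_ALLOW, deny_text=HOSTS_DENY):
    """Return 'allow' or 'deny' for a connection, following the hosts_access(5) order."""
    if rules_match(parse_rules(allow_text), daemon, addr):
        return "allow"
    if rules_match(parse_rules(deny_text), daemon, addr):
        return "deny"
    return "allow"                              # no rule matched: default is to accept


if __name__ == "__main__":
    for client in ("10.0.0.42", "203.0.113.7", "198.51.100.9"):
        print(f"hitch <- {client}: {hosts_access('hitch', client)}")
```

Note that the sample `hosts.deny` line `hitch : ALL` is what turns the allow-list into a true allow-list: without it, an address that matches nothing in `hosts.allow` is still accepted. This decision is taken before any TLS handshake, which is exactly the resource saving the thread is after.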