varnish / hitch

A scalable TLS proxy by Varnish Software.
https://www.varnish-software.com/

TCP Wrappers or IP address filtering? #183

Open pataquets opened 7 years ago

pataquets commented 7 years ago

I would like to have some sort of mechanism to filter/drop connections based on black/white lists. I'm fine with (actually I prefer) being able to do it via TCP Wrappers, since I understand it could not be considered a 'core' feature. I've followed http://www.ducea.com/2006/07/02/how-to-find-out-if-a-daemon-was-build-with-tcp-wrappers-support-hostsallowhostsdeny/ and it looks like it's not linked.

pataquets commented 7 years ago

Bump. Is it possible?

gquintard commented 7 years ago

If I understand your question correctly, you could do that through ACL.

But, really, that's a job for the firewall.

-- Guillaume Quintard

On Mon, Jul 3, 2017 at 9:31 PM, Alfonso Montero notifications@github.com wrote:

Bump. Is it possible?


pataquets commented 7 years ago

Thanks @gquintard. I could not find any reference to ACL in the docs. If you mean ACL'ing IPs in the backend, it sounds suboptimal to me, since there would be wasted resources on negotiating TLS for a droppable connection. Anyway, TCP Wrappers are a quite extended and standard way of connection filtering. They are simpler and easier to maintain than firewalls, too. Does linking Hitch against libtcpwrap make sense? I cannot fully understand the implications of it and perhaps it is nonsense, or perhaps it can be a compile-time option.

gquintard commented 7 years ago

Apologies, I thought it was a varnish discussion. I'll let @daghf reply regarding the potential of using tcpwrappers.

Why not "simply" use iptables?

pataquets commented 7 years ago

In general:

In my specific case, it allows me to package the software + the configured IPs inside a Docker container and deploy it without anything else needed from the host system (last bullet point above).

fourjay commented 4 years ago

To add to pataquets' list, tcp-wrappers is much easier to implement large lists with, such as the ones provided by global filtering lists like badips.com. There are firewall methods to incorporate these lists, but they typically depend on ipset. iptables alone is simply not optimized for large lists of IP addresses (and even ipset takes a long time to build its lists).
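The thread's firewall-side alternative, as an added example that is not part of the issue or of Hitch itself: a POSIX shell script that turns a plain-text block list into an `ipset restore` batch and emits the single iptables rule that drops matching clients on Hitch's listening port before any TCP connection reaches the proxy, so no TLS handshake is spent on them (pataquets' concern about backend ACLs). The set name `hitch_block`, the port 443 and the sample list are assumptions made here; the list is constructed, not a real feed.

```shell
#!/bin/sh
# Added example, not Hitch's own code. Builds an `ipset restore` batch from a
# text block list so that one iptables rule covers the whole list, instead of
# one iptables rule per address (the scaling problem raised in the thread).
# Assumed values: set name "hitch_block", Hitch listening on TCP 443.

SET_NAME="hitch_block"
HITCH_PORT="443"

# Constructed sample block list: comments and blank lines are allowed,
# one IPv4 address or CIDR per line. "not-an-address" is there on purpose
# to show that a malformed feed line is skipped rather than aborting the load.
SAMPLE_BLOCKLIST='# constructed sample feed
192.0.2.10
198.51.100.0/24

203.0.113.7  # trailing comment
not-an-address
'

# Read a block list on stdin and write an `ipset restore` batch on stdout.
# hash:net holds both single hosts and CIDR ranges; -exist makes the batch
# idempotent so a refreshed feed can be reloaded in place.
make_ipset_restore() {
    printf 'create %s hash:net family inet -exist\n' "$SET_NAME"
    printf 'flush %s\n' "$SET_NAME"
    sed -e 's/#.*//' -e 's/[[:space:]]*$//' -e '/^$/d' |
    while IFS= read -r entry; do
        case "$entry" in
            *[!0-9./]*) continue ;;   # anything but digits, dots and slash: skip
        esac
        printf 'add %s %s -exist\n' "$SET_NAME" "$entry"
    done
}

# The one firewall rule needed regardless of list size: drop packets whose
# source is in the set and whose destination port is Hitch's.
iptables_rule() {
    printf 'iptables -I INPUT -p tcp --dport %s -m set --match-set %s src -j DROP\n' \
        "$HITCH_PORT" "$SET_NAME"
}

# Number of "add" lines in a batch read on stdin; handy to sanity-check a
# downloaded feed before loading it.
count_adds() {
    grep -c '^add '
}

# Stand-alone run: print the batch and the rule for the constructed list.
# Real use: make_ipset_restore < feed.txt | ipset restore ; iptables_rule | sh
demo() {
    printf '%s' "$SAMPLE_BLOCKLIST" | make_ipset_restore
    iptables_rule
}
```

Because `ipset restore` loads the whole batch in one pass, refreshing a large list means regenerating the batch and re-running it; the iptables rule itself never changes, which is what keeps the ruleset small no matter how long the feed grows.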