Обсуждение: TCP Wrappers
Dear all postgresql developers, I have tested postgres v11 against TCP Wrappers but it does not respond to TCP wrappers port blocking. May I suggest the community to have postgres to work with TCP wrappers.?? Its security will be better. Regards, Timmy
On Wed, Oct 9, 2019 at 12:56 PM Timmy Siu <timmy.siu@aol.com> wrote:
Dear all postgresql developers,
I have tested postgres v11 against TCP Wrappers but it does not respond
to TCP wrappers port blocking.
May I suggest the community to have postgres to work with TCP wrappers.??
Its security will be better.
The last stable release of TCP Wrappers was a couple decades ago. It's deprecated in RHEL7 and removed in RHEL8. I'm not a PG core member or anything but rather doubt that's an area where the developers will want to expend effort.
Cheers,
Steve
Yeah, why bother. Even ’native’ encryption/SSL in PG (were one to use it ‘natively’, as we do) is so good; adding yet another layer seems overkill…
Lou Picciano
On Oct 9, 2019, at 6:39 PM, Steve Crawford <scrawford@pinpointresearch.com> wrote:On Wed, Oct 9, 2019 at 12:56 PM Timmy Siu <timmy.siu@aol.com> wrote:Dear all postgresql developers,
I have tested postgres v11 against TCP Wrappers but it does not respond
to TCP wrappers port blocking.
May I suggest the community to have postgres to work with TCP wrappers.??
Its security will be better.The last stable release of TCP Wrappers was a couple decades ago. It's deprecated in RHEL7 and removed in RHEL8. I'm not a PG core member or anything but rather doubt that's an area where the developers will want to expend effort.Cheers,Steve
Steve Crawford <scrawford@pinpointresearch.com> writes: > On Wed, Oct 9, 2019 at 12:56 PM Timmy Siu <timmy.siu@aol.com> wrote: >> May I suggest the community to have postgres to work with TCP wrappers.?? >> Its security will be better. > The last stable release of TCP Wrappers was a couple decades ago. It's > deprecated in RHEL7 and removed in RHEL8. I'm not a PG core member or > anything but rather doubt that's an area where the developers will want to > expend effort. Yeah. In a quick dig through the project archives, I can find exactly one prior suggestion that we should do this, and that email is old enough to drink: https://www.postgresql.org/message-id/v0313030fb141b1665de9%40%5B137.78.218.94%5D That doesn't bode well for the number of people who would use or care about such a feature. regards, tom lane
On Thu, 10 Oct 2019 at 07:15, Tom Lane <tgl@sss.pgh.pa.us> wrote:
That doesn't bode well for the number of people who would use or care
about such a feature.
Agreed. tcp_wrappers predates the widespread availability of easy, effective software firewalls. Back when services listened on 0.0.0.0 and if you were lucky you had ipfwadm, tcp_wrappers made a lot of sense. Now it's IMO a pointless layer of additional complexity that no longer serves a purpose.