From owner-freebsd-audit Thu Mar 23 11:34:48 2000
Delivered-To: freebsd-audit@freebsd.org
Received: from morpheus.skynet.be (morpheus.skynet.be [195.238.2.39]) by hub.freebsd.org (Postfix) with ESMTP id A779B37BA3E for ; Thu, 23 Mar 2000 11:34:46 -0800 (PST) (envelope-from blk@skynet.be)
Received: from [195.238.1.121] (brad.techos.skynet.be [195.238.1.121]) by morpheus.skynet.be (Postfix) with ESMTP id 11DFDDB72; Thu, 23 Mar 2000 20:34:27 +0100 (MET)
Mime-Version: 1.0
X-Sender: blk@pop.skynet.be
Message-Id:
In-Reply-To: <200003231923.MAA42847@harmony.village.org>
References: <38DA6D77.FB93FC36@vangelderen.org> <200003231923.MAA42847@harmony.village.org>
Date: Thu, 23 Mar 2000 20:34:13 +0100
To: Warner Losh , "Jeroen C. van Gelderen"
From: Brad Knowles
Subject: Re: Portmapper enabled, IPv6 circumvents FW
Cc: FreeBSD Audit List
Content-Type: text/plain; charset="us-ascii" ; format="flowed"
Sender: owner-freebsd-audit@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

At 12:23 PM -0700 2000/3/23, Warner Losh wrote:

> I've been sent patches that make *ALL* network services off by
> default. I'm thinking seriously about committing them to at least
> -current and maybe to -stable also. These patches also hack
> sysinstall to enable them in /etc/rc.conf so as to not effectively
> change our system defaults.

I would like very much to see these patches get committed, so that the box tends to be secure by default out-of-the-box, and then you turn on the additional features you want/need.

I know that this may make the system a bit harder to use, but I think that's a better alternative than making the boxes easier to DoS or break into by default.

Myself, after I've got a machine done with the initial install, I go through and turn off virtually everything, before I start adding stuff. If I can install from CD, that means I don't even connect the network until the base OS is on the box and I've turned off everything I possibly can.
It would be nice for me if this installation procedure were a little easier to do, because that's the way the OS installs out-of-the-box.

--
These are my opinions -- not to be taken as official Skynet policy
======================================================================
Brad Knowles,                                || Belgacom Skynet SA/NV
Systems Architect, Mail/News/FTP/Proxy Admin || Rue Colonel Bourg, 124
Phone/Fax: +32-2-706.13.11/12.49             || B-1140 Brussels
http://www.skynet.be                         || Belgium

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-audit" in the body of the message