Date: Sun, 27 May 2007 13:10:11 GMT From: "Andy Kosela" <andy.kosela@gmail.com> To: freebsd-bugs@FreeBSD.org Subject: Re: conf/112441: deprecated lines in /etc/hosts.allow Message-ID: <200705271310.l4RDABXi005660@freefall.freebsd.org>
next in thread | raw e-mail | index | archive | help
The following reply was made to PR conf/112441; it has been noted by GNATS. From: "Andy Kosela" <andy.kosela@gmail.com> To: "Giorgos Keramidas" <keramida@freebsd.org> Cc: bug-followup@freebsd.org Subject: Re: conf/112441: deprecated lines in /etc/hosts.allow Date: Sun, 27 May 2007 15:03:58 +0200 On 5/26/07, Giorgos Keramidas <keramida@freebsd.org> wrote: > On 2007-05-05 13:12, Andy Kosela wrote: > > The following lines in /etc/hosts.allow are deprecated and > > should be removed. From my understanding of how tcpd is built, > > it is built by default with -DPARANOID option turned on so all > > requests from DNS mismatched clients are dropped BEFORE looking > > at the access tables. > > > > /etc/hosts.allow: > > # Protect against simple DNS spoofing attacks by checking that the > > # forward and reverse records for the remote host match. If a mismatch > > # occurs, access is denied, and any positive ident response within > > # 20 seconds is logged. No protection is afforded against DNS poisoning, > > # IP spoofing or more complicated attacks. Hosts with no reverse DNS > > # pass this rule. > > ALL : PARANOID : RFC931 20 : deny > > Hi Andy, > > I don't see -DPARANOID in our src/lib/libwrap Makefile. > Are you sure it is the default mode of operation? > > - Giorgos > > Hi Giorgos, from src/contrib/tcp_wrappers/Makefile: PARANOID= -DPARANOID but you are right, i didn't notice FreeBSD tcpd is built using src/lib/libwrap. So if i understand correctly DNS mismatched clients are permitted by default FreeBSD installation according to the first entry in /etc/hosts.allow: # Start by allowing everything (this prevents the rest of the file # from working, so remove it when you need protection). # The rules here work on a "First match wins" basis. ALL : ALL : allow Do you think this is secure enough? Personally i think that somebody who tries to spoof DNS is potentially an attacker and should be blocked. I see two options here: either add -DPARANOID option as default (it is logically correct to block all DNS mismatched clients, and it is the default operation of contrib tcpd code. or put ALL : PARANOID : RFC931 20 : deny before ALL : ALL : allow in order to help secure the default FreeBSD installations. best regards, Andy Kosela Pythagoras Foundation
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200705271310.l4RDABXi005660>