From owner-freebsd-stable Sun Oct 11 18:08:01 1998
Return-Path:
Received: (from majordom@localhost)
          by hub.freebsd.org (8.8.8/8.8.8) id SAA15835
          for freebsd-stable-outgoing; Sun, 11 Oct 1998 18:08:01 -0700 (PDT)
          (envelope-from owner-freebsd-stable@FreeBSD.ORG)
Received: from rucus.ru.ac.za (rucus.ru.ac.za [146.231.29.2])
          by hub.freebsd.org (8.8.8/8.8.8) with SMTP id SAA15796
          for ; Sun, 11 Oct 1998 18:07:56 -0700 (PDT)
          (envelope-from nbm@rucus.ru.ac.za)
Received: (qmail 27894 invoked by uid 1003); 12 Oct 1998 01:07:43 -0000
Message-ID: <19981012030740.A25211@rucus.ru.ac.za>
Date: Mon, 12 Oct 1998 03:07:41 +0200
From: Neil Blakey-Milner
To: Andrew Bromage , chad@dcfinc.com, stable@FreeBSD.ORG
Subject: Re: firewalling
References: <199810092329.QAA28466@freebie.dcfinc.com> <19981010145451.34491@queens.unimelb.edu.au>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 0.93.2i
In-Reply-To: <19981010145451.34491@queens.unimelb.edu.au>; from Andrew Bromage on Sat, Oct 10, 1998 at 02:54:51PM +1000
Sender: owner-freebsd-stable@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

On Sat 1998-10-10 (14:54), Andrew Bromage wrote:
> On Fri, Oct 09, 1998 at 04:29:55PM -0700, Chad R. Larson wrote:
> > Does anyone have an opinion (now there's a stupid question) about IP
> > firewalling vs TCP wrappers to protect a server exposed to the great
> > unwashed Internet?
>
> Just as a matter of interest, is there a reason why you don't want to
> use both?

I must agree here. Not every service you run runs from inetd, which is
the easiest thing to transfer to TCP wrappers. Things like web servers,
ssh, irc servers, named, SQL databases, smbd, and so forth aren't
necessarily easy to convert to TCP wrappers.

And if (heaven, or whichever paradise-like quasi-elemental plane you
believe in, forbid) there is ever a security hole in TCP wrappers, inetd,
sshd, smbd, or any other service that runs as root (and some that don't),
you're going to wish you'd used IP firewalling so that the people on the
outside don't even get to see what you're running, let alone exploit it.
(bind being a recent example)

Of course, with TCP wrappers you can easily put up those cute banners to
say that access has been denied, contact the systems administrator on pain
of death if you think you deserve access. :)

Anyway, you _did_ ask for opinions :)

Neil
-- 
Neil Blakey-Milner
nbm@rucus.ru.ac.za
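
The point in the message above about services that do not run from inetd can be checked on a host by comparing its listeners with what tcpd actually wraps. This is an added example, not part of the original message; the inetd.conf excerpt, the tcpd path, the listener inventory and the LIBWRAP_LINKED set are constructed sample data and assumptions.

```python
import os

# Constructed inetd.conf excerpt: ftp and telnet go through tcpd, finger does not.
INETD_CONF = """\
# service socktype proto wait user server-program args
ftp     stream tcp nowait root   /usr/local/libexec/tcpd ftpd -l
telnet  stream tcp nowait root   /usr/local/libexec/tcpd telnetd
finger  stream tcp nowait nobody /usr/libexec/fingerd    fingerd -s
"""
SERVICE_PORTS = {"ftp": 21, "telnet": 23, "finger": 79}  # subset of /etc/services

# Constructed listener inventory: (TCP port, owning daemon).
LISTENERS = [(21, "inetd"), (23, "inetd"), (79, "inetd"),
             (22, "sshd"), (53, "named"), (80, "httpd"), (139, "smbd")]

# Assumption: this particular sshd build was compiled against libwrap.
LIBWRAP_LINKED = frozenset({"sshd"})

def parse_inetd(conf):
    """Map service name -> True when inetd starts it through tcpd."""
    wrapped = {}
    for line in conf.splitlines():
        fields = line.split()
        if len(fields) < 6 or fields[0].startswith("#"):
            continue  # blank line, comment, or malformed entry
        wrapped[fields[0]] = os.path.basename(fields[5]) == "tcpd"
    return wrapped

def coverage(listeners, conf, ports=SERVICE_PORTS, libwrap=frozenset()):
    """Return {port: (daemon, 'wrapped' | 'unwrapped')} for each listener."""
    by_port = {ports[s]: w for s, w in parse_inetd(conf).items() if s in ports}
    report = {}
    for port, daemon in listeners:
        if daemon == "inetd":
            ok = by_port.get(port, False)  # unknown inetd port: assume unwrapped
        else:
            ok = daemon in libwrap         # standalone daemons need libwrap built in
        report[port] = (daemon, "wrapped" if ok else "unwrapped")
    return report

def firewall_only(report):
    """Ports where the packet filter is the only network access control."""
    return sorted(p for p, (_, state) in report.items() if state == "unwrapped")

if __name__ == "__main__":
    rep = coverage(LISTENERS, INETD_CONF, libwrap=LIBWRAP_LINKED)
    for port in sorted(rep):
        print(port, *rep[port])
    print("filter-only ports:", firewall_only(rep))
```

Ports reported as wrapped still benefit from the packet filter, since a flaw in the wrapper or the daemon itself is reachable unless the filter blocks the connection first.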