Date: Tue, 23 Jan 96 09:12:45 -0800
From: Cy Schubert - BCSC Open Systems Group <cschuber@uumail.gov.bc.ca>
To: Mark Murray <mark@grondar.za>
Cc: Nathan Lawson <nlawson@statler.csc.calpoly.edu>, security@FreeBSD.ORG
Subject: Re: Ownership of files/tcp_wrappers port
Message-ID: <199601231712.JAA08922@passer.osg.gov.bc.ca>
In-Reply-To: Your message of "Tue, 23 Jan 96 08:27:30 +0200." <199601230627.IAA25371@grumble.grondar.za>
Mark Murray <mark@grondar.za> wrote:
> Nathan Lawson wrote:
> > Secondly, I was wondering why the tcp_wrappers distribution didn't make it
> > into the source tree instead of being a port. It's a pretty small program
> > that hasn't received too many changes recently. It's very worthwhile and
> > libwrap.a can be linked into portmap and ypserv a lot more easily (even
> > making this the default, perhaps).
>
> I think this is a damn fine idea. Seconded. Any ISP who does not have
> wrappers, and any user who does not consider their use when connecting
> to the 'net has a serious problem.
TCP/Wrapper only partially addresses the problem since it only protects TCP
services run out of INETD. Many attackers go through Sendmail, while others
probe portmapper. The IP firewall code is already there in the kernel. It
doesn't really take much to configure it, even for services that pick random
port numbers such as NFS and YP. For example, any time I dial into work or my
friend's ISP service I automatically activate the IPFW code in the kernel to
protect any services not covered by the TCP/Wrapper.
Regards, Phone: (604)389-3827
Cy Schubert OV/VM: BCSC02(CSCHUBER)
Open Systems Support BITNET: CSCHUBER@BCSC02.BITNET
BC Systems Corp. Internet: cschuber@uumail.gov.bc.ca
cschuber@bcsc02.gov.bc.ca
"Quit spooling around, JES do it."
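
The coverage gap discussed in this message (tcpd only guards services that inetd starts through it), as an added example that is not part of the original e-mail or of tcp_wrappers itself: a short audit that compares an inetd.conf against a list of listening services and reports which ones would have to be covered by a packet filter instead. The inetd.conf contents, the tcpd path, the listener list and all function names are constructed for illustration.

```python
import posixpath

# Constructed sample inetd.conf (not taken from the message).
SAMPLE_INETD_CONF = """\
# service socktype proto wait user server-program arguments
ftp     stream  tcp  nowait  root  /usr/local/libexec/tcpd  ftpd -l
telnet  stream  tcp  nowait  root  /usr/libexec/telnetd     telnetd
#shell  stream  tcp  nowait  root  /usr/libexec/rshd        rshd
ntalk   dgram   udp  wait    root  /usr/libexec/ntalkd      ntalkd
"""

# Constructed (service, proto) pairs, as one might collect from a listener listing.
SAMPLE_LISTENERS = [("ftp", "tcp"), ("telnet", "tcp"), ("ntalk", "udp"),
                    ("smtp", "tcp"), ("sunrpc", "tcp"), ("sunrpc", "udp")]

def parse_inetd(text):
    """Return {(service, proto): server_program} for active inetd.conf lines."""
    entries = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                      # blank or commented-out service
        fields = line.split()
        if len(fields) < 6:
            continue                      # malformed entry, ignore
        service, _sock, proto, _wait, _user, server = fields[:6]
        entries[(service, proto)] = server
    return entries

def classify(listeners, inetd):
    """Label each listener by whether inetd hands it to tcpd."""
    report = {}
    for key in listeners:
        server = inetd.get(key)
        if server is None:
            # Not started by inetd (e.g. sendmail, portmap). Assumption: the
            # daemon is not linked against libwrap, which this cannot detect.
            report[key] = "standalone"
        elif posixpath.basename(server) == "tcpd":
            report[key] = "wrapped"
        else:
            report[key] = "inetd-unwrapped"
    return report

def uncovered(report):
    """Listeners that tcpd does not guard and a packet filter must cover."""
    return sorted(k for k, status in report.items() if status != "wrapped")

if __name__ == "__main__":
    rep = classify(SAMPLE_LISTENERS, parse_inetd(SAMPLE_INETD_CONF))
    for svc, proto in uncovered(rep):
        print(f"{svc}/{proto}: {rep[(svc, proto)]}")
```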
