From owner-freebsd-security Tue Jan 23 09:14:48 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.3/8.7.3) id JAA03023 for security-outgoing; Tue, 23 Jan 1996 09:14:48 -0800 (PST)
Received: from passer.osg.gov.bc.ca (passer.osg.gov.bc.ca [142.32.110.29]) by freefall.freebsd.org (8.7.3/8.7.3) with ESMTP id JAA03017 for ; Tue, 23 Jan 1996 09:14:44 -0800 (PST)
Received: from localhost (localhost [127.0.0.1]) by passer.osg.gov.bc.ca (8.7.3/8.6.10) with SMTP id JAA08922; Tue, 23 Jan 1996 09:12:45 -0800 (PST)
From: Cy Schubert - BCSC Open Systems Group
Message-Id: <199601231712.JAA08922@passer.osg.gov.bc.ca>
X-Authentication-Warning: passer.osg.gov.bc.ca: Host localhost [127.0.0.1] didn't use HELO protocol
Reply-to: cschuber@orca.gov.bc.ca
X-Mailer: DXmail
To: Mark Murray
cc: Nathan Lawson , security@FreeBSD.ORG
Subject: Re: Ownership of files/tcp_wrappers port
In-reply-to: Your message of "Tue, 23 Jan 96 08:27:30 +0200." <199601230627.IAA25371@grumble.grondar.za>
Date: Tue, 23 Jan 96 09:12:45 -0800
X-Mts: smtp
Sender: owner-security@FreeBSD.ORG
Precedence: bulk

Mark Murray wrote:
> Nathan Lawson wrote:
> > Secondly, I was wondering why the tcp_wrappers distribution didn't make it
> > into the source tree instead of being a port. It's a pretty small program
> > that hasn't received too many changes recently. It's very worthwhile and
> > libwrap.a can be linked into portmap and ypserv a lot more easily (even
> > making this the default, perhaps).
>
> I think this is a damn fine idea. Seconded. Any ISP who does not have
> wrappers, and any user who does not consider their use when connecting
> to the 'net has a serious problem.

TCP/Wrapper only partially addresses the problem since it only protects
TCP services run out of INETD. Many attackers go through Sendmail, while
others probe portmapper.

The IP firewall code is already there in the kernel. It doesn't really
take much to configure it, even for services that pick random port
numbers such as NFS and YP. For example, any time I dial into work or my
friend's ISP service I automatically activate the IPFW code in the kernel
to protect any services not covered by the TCP/Wrapper.

Regards,                       Phone:  (604)389-3827
Cy Schubert                    OV/VM:  BCSC02(CSCHUBER)
Open Systems Support          BITNET:  CSCHUBER@BCSC02.BITNET
BC Systems Corp.            Internet:  cschuber@uumail.gov.bc.ca
                                       cschuber@bcsc02.gov.bc.ca

                "Quit spooling around, JES do it."