Date: Sat, 26 May 2007 15:50:10 GMT
From: Giorgos Keramidas <keramida@freebsd.org>
To: freebsd-bugs@FreeBSD.org
Subject: Re: conf/112441: deprecated lines in /etc/hosts.allow
Message-ID: <200705261550.l4QFoALh047876@freefall.freebsd.org>
The following reply was made to PR conf/112441; it has been noted by GNATS.

From: Giorgos Keramidas <keramida@freebsd.org>
To: Andy Kosela <andy.kosela@gmail.com>
Cc: bug-followup@freebsd.org
Subject: Re: conf/112441: deprecated lines in /etc/hosts.allow
Date: Sat, 26 May 2007 18:39:59 +0300 (EEST)

On 2007-05-05 13:12, Andy Kosela wrote:
> The following lines in /etc/hosts.allow are deprecated and
> should be removed. From my understanding of how tcpd is built,
> it is built by default with the -DPARANOID option turned on, so all
> requests from DNS-mismatched clients are dropped BEFORE looking
> at the access tables.
>
> /etc/hosts.allow:
> # Protect against simple DNS spoofing attacks by checking that the
> # forward and reverse records for the remote host match. If a mismatch
> # occurs, access is denied, and any positive ident response within
> # 20 seconds is logged. No protection is afforded against DNS poisoning,
> # IP spoofing or more complicated attacks. Hosts with no reverse DNS
> # pass this rule.
> ALL : PARANOID : RFC931 20 : deny

Hi Andy,

I don't see -DPARANOID in our src/lib/libwrap Makefile. Are you sure it
is the default mode of operation?

- Giorgos
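The PARANOID wildcard discussed above matches a client whose reverse (PTR) name does not forward-resolve back to the connecting address, and, as the hosts.allow comment notes, a client with no reverse record does not match it. The block below is an added example, not code from the PR, the thread, or FreeBSD's libwrap: it reproduces that forward/reverse consistency check with constructed DNS data (the example.org names and 192.0.2.x/198.51.100.x addresses are made up) and then applies the `ALL : PARANOID : ... : deny` rule to show which clients it rejects. The `live_*` helpers are optional, assumed-correct wrappers over the standard socket resolver for trying the same check against real DNS.

```python
import socket

# Constructed sample DNS data standing in for resolver answers (not real hosts).
REVERSE = {  # PTR records: address -> hostname
    "192.0.2.10": "good.example.org",
    "192.0.2.20": "spoof.example.org",
    "192.0.2.30": "multihomed.example.org",
}
FORWARD = {  # A records: hostname -> addresses
    "good.example.org": ["192.0.2.10"],
    "spoof.example.org": ["198.51.100.5"],  # PTR name whose A record disagrees
    "multihomed.example.org": ["192.0.2.31", "192.0.2.30"],
}


def paranoid_check(addr, reverse=REVERSE.get, forward=FORWARD.get):
    """Classify a client address the way the PARANOID wildcard does.

    'no-reverse': no PTR record, so PARANOID does not match (client passes)
    'pass':       PTR name forward-resolves to a set containing addr
    'mismatch':   PTR name exists but does not resolve back to addr
    """
    name = reverse(addr)
    if name is None:
        return "no-reverse"
    addrs = forward(name) or []
    return "pass" if addr in addrs else "mismatch"


def decide(addr, reverse=REVERSE.get, forward=FORWARD.get):
    """Apply the hosts.allow rule 'ALL : PARANOID : RFC931 20 : deny'.

    Only a forward/reverse mismatch triggers the deny; anything else falls
    through to the rest of the access tables (modelled here as 'allow').
    The ident (RFC931) lookup is a logging side effect and is not modelled.
    """
    if paranoid_check(addr, reverse, forward) == "mismatch":
        return "deny"
    return "allow"


def live_reverse(addr):
    """PTR lookup via the system resolver; None when there is no reverse record."""
    try:
        return socket.gethostbyaddr(addr)[0]
    except (socket.herror, socket.gaierror):
        return None


def live_forward(name):
    """A-record lookup via the system resolver; None when the name does not resolve."""
    try:
        return sorted({ai[4][0] for ai in socket.getaddrinfo(name, None, socket.AF_INET)})
    except socket.gaierror:
        return None


if __name__ == "__main__":
    for ip in ("192.0.2.10", "192.0.2.20", "192.0.2.30", "192.0.2.99"):
        print(ip, paranoid_check(ip), decide(ip))
    # To run the same check against real DNS:
    # decide("203.0.113.1", reverse=live_reverse, forward=live_forward)
```

Note that the rule only does what its comment says: a client without any PTR record is classified as `no-reverse` and is allowed through, so the check is a guard against a spoofed PTR name, not a requirement that clients have reverse DNS at all.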
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200705261550.l4QFoALh047876>
