From: Nathan Lawson
Message-Id: <199601232010.MAA11051@statler.csc.calpoly.edu>
Subject: Re: Ownership of files/tcp_wrappers port
To: pete@sms.fi (Petri Helenius)
Date: Tue, 23 Jan 1996 12:10:15 -0800 (PST)
Cc: security@freebsd.org
In-Reply-To: <199601231004.MAA17990@silver.sms.fi> from "Petri Helenius" at Jan 23, 96 12:04:45 pm

> Paul Traina writes:
> >
> > I totally and completely disagree. I do not want to be bound by your
> > idea of what's proper for the core part of the system. That's why we
> > have a generic source distribution and you can personalize your system
> > to your heart's content.
> >
> > Read: I will wish seriously bad karma on anyone who unilaterally bloats
> > out the system with the wrapper code. There is NO good reason to
> > make it anything other than a port -- which makes it OPTIONAL to
> > install and easy to track 3rd party changes.
>
> I couldn't agree more. Many places do have adequate firewalling procedures
> already in place and wrappers would do only more administrative overhead
> with no additional security.

And even more places do not have a firewall. Do you want to put a label on
FreeBSD that says "Warning: do not connect to Internet without a firewall"?
Of course, a firewall is a good first step, but there have been many ways to
circumvent packet-filtering routers, and some interesting attacks over
application level gateways. Personally, I'd like to know when Bob over in
Accounting telnets to my machine. Or perhaps small ISPs that can't afford a
firewall.

I suggested that tcp_wrappers be installed in such a way as to minimize the
administrative overhead. Compile it without ident and paranoid logging, and
don't put anything in /etc/hosts.deny except some sample, commented-out,
denies. That way, all you get originally is increased logging, and you can
add the RFC931 and PARANOID options to the /etc/hosts.allow files _without_
recompiling (if you should desire).

-- 
Nate Lawson      \Yeah, I was dreaming through the 'howzlife', yawning, car black,
Owner:           \when she told me 'mad and meaningless as ever...' and a song
Cal Poly State   \came on the radio like a cemetery rhyme for a million crying
University       \corpses in their tragedy of respectable existence. - BR
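A constructed example of the layout Nathan proposes, added here and not taken from the post or from the FreeBSD port: hosts.deny ships with only commented-out samples, so the wrappers do nothing but log, and the PARANOID and RFC931 (user@host) checks are switched on per rule later, which works because they are evaluated at run time when the binary is built without -DPARANOID and -DALWAYS_RFC931. Daemon names follow FreeBSD's inetd.conf; the network and host names are assumed.

```conf
# ---- /etc/hosts.deny, as shipped: nothing is refused ----------------------
# With no active rule here and no match in hosts.allow, tcpd grants every
# connection and logs it via syslog, so installing the port only adds a
# "connect from <host>" line per connection. Uncomment a sample to begin
# refusing; hosts.allow is consulted first, so whitelist there before
# closing things here.
#
# ALL: ALL                  # refuse everything not listed in hosts.allow
# ALL: PARANOID             # refuse hosts whose name and address disagree
# telnetd ftpd: .dialup.example.net   # (assumed) refuse one whole domain

# ---- /etc/hosts.allow, edited by the site later, no recompile -------------
# Trailing dot = network-prefix pattern (TEST-NET, assumed local net).
ALL: 192.0.2.
# Telnet from the campus domain (assumed), but only from hosts that pass the
# PARANOID check; the wildcard is usable only because -DPARANOID was not
# compiled in, which would otherwise refuse such hosts unconditionally.
telnetd: .example.edu EXCEPT PARANOID
# A user@host pattern makes tcpd run an RFC931/ident query for this rule
# only; no other rule pays the lookup delay.
fingerd: KNOWN@.example.edu
```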