Date: Wed, 3 Feb 1999 00:08:20 -0800 (PST) From: Ian Kallen <ian@gamespot.com> To: security@FreeBSD.ORG Subject: Re: tcpdump Message-ID: <Pine.BSF.3.95q.990202234955.13657D-100000@mail.gamespot.com> In-Reply-To: <Pine.BSF.3.96.990203004346.21838E-100000@fledge.watson.org>
next in thread | previous in thread | raw e-mail | index | archive | help
For whatever my .02 are worth in all this, I think the point made below is a key point. On Wed, 3 Feb 1999, Robert Watson wrote: :I am all for securing the base system; I just suspect that not enabling :bpfilter by default does little to help without a more concerted security :context, but does prevent basic necessary functionality. If the context includes a system with wrappers installed by default, configured in inetd.conf, ALL:ALL in hosts.deny copiously commented with how to populate hosts.allow (and include one with commented examples), a more demanding passwd program (and one of these days I'll send in my patch to useradd that enforces good passwords and sets password and account expirations :), maybe tripwire installed & run by default and other beefing up measures, I'd be all for having bpf on board out of the box. Since a growing number people who are new to Unix are installing, I think a conservative stance needs to be taken. I keep hearing of people who've been rooted 'cause they heard about these great non-MS OS in the popular press and they blithely install not realizing that their fly is down when they connect to the network. 'course, the victims are usually using very old distribution CD's (complete with old poppers and imapd) or Linux but since we can, I'd rather err on the side of conservatism anyway. -- Ian Kallen <ian@gamespot.com> ICQ: 17073910 To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?Pine.BSF.3.95q.990202234955.13657D-100000>