Date: Wed, 3 Feb 1999 00:08:20 -0800 (PST)
From: Ian Kallen
To: security@FreeBSD.ORG
Subject: Re: tcpdump

For whatever my .02 are worth in all this, I think the point made below
is a key point.

On Wed, 3 Feb 1999, Robert Watson wrote:
:I am all for securing the base system; I just suspect that not enabling
:bpfilter by default does little to help without a more concerted security
:context, but does prevent basic necessary functionality.

If the context includes a system with wrappers installed by default,
configured in inetd.conf, ALL:ALL in hosts.deny copiously commented with
how to populate hosts.allow (and include one with commented examples), a
more demanding passwd program (and one of these days I'll send in my
patch to useradd that enforces good passwords and sets password and
account expirations :), maybe tripwire installed & run by default and
other beefing up measures, I'd be all for having bpf on board out of the
box. Since a growing number of people who are new to Unix are installing,
I think a conservative stance needs to be taken.
I keep hearing of people who've been rooted 'cause they heard about these
great non-MS OS in the popular press and they blithely install not
realizing that their fly is down when they connect to the network.
'course, the victims are usually using very old distribution CD's
(complete with old poppers and imapd) or Linux but since we can, I'd
rather err on the side of conservatism anyway.

--
Ian Kallen ICQ: 17073910