From owner-freebsd-security Wed Jan 24 09:17:15 1996
From: Cy Schubert - BCSC Open Systems Group
Message-Id: <199601241716.JAA13076@passer.osg.gov.bc.ca>
Reply-to: cschuber@orca.gov.bc.ca
To: Nathan Lawson
cc: pst@shockwave.com (Paul Traina), security@FreeBSD.org
Subject: Re: Ownership of files/tcp_wrappers port
In-reply-to: Your message of "Tue, 23 Jan 96 12:06:06 PST." <199601232006.MAA11043@statler.csc.calpoly.edu>
Date: Wed, 24 Jan 96 09:16:31 -0800
Sender: owner-security@FreeBSD.org

Nathan Lawson writes:
> > (b) it's already trivial for a user to add this support into the
> > base system should they desire it
>
> Not true.  Many utilities like mountd, portmap, and ypserv have to be
> recompiled to have additional access control, inetd.conf has to be changed,
> etc.  Repeat this on several hundred machines and you start seeing Slackware's
> divided install look pretty good.

I disagree.  There is no need to recompile these utilities to have any
additional access control if you want to use the IPFW code that is already
in the kernel.  The IPFW code in the kernel doesn't do any DNS lookups like
TCPD does but it gives you a basic level of security without breaking any
application code.

It may be an idea to enhance the IPFW code in the kernel to do some periodic
DNS lookups, e.g. if this is the first time the kernel has seen a packet
from location X or if location X hasn't been verified in N hours/minutes
then do the appropriate lookups to make IP spoofing more difficult.  A
kernel level KILL_IP_OPTIONS option could be a valuable extension as well.

By keeping the code in the kernel (or library), adding additional security
features to a service and controlling these features could be performed via
some config file rather than a recompile.

Regards,                       Phone:  (604)389-3827
Cy Schubert                    OV/VM:  BCSC02(CSCHUBER)
Open Systems Support          BITNET:  CSCHUBER@BCSC02.BITNET
BC Systems Corp.            Internet:  cschuber@uumail.gov.bc.ca
                                       cschuber@bcsc02.gov.bc.ca

                "Quit spooling around, JES do it."
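
The "verify on first sight, re-verify after N hours/minutes" idea from the message above, modelled in userland as an added example (not code from the original post or from FreeBSD). It assumes "the appropriate lookups" means the reverse-then-forward name check that TCPD performs; the class name, the lookup tables and the addresses are constructed for illustration.

```python
import time


class VerifiedSourceCache:
    """Caches a DNS consistency verdict per source address for max_age seconds."""

    def __init__(self, reverse_lookup, forward_lookup, max_age, clock=time.monotonic):
        self.reverse_lookup = reverse_lookup  # ip -> hostname, or None if no PTR
        self.forward_lookup = forward_lookup  # hostname -> list of addresses
        self.max_age = max_age                # the "N" from the message, in seconds
        self.clock = clock
        self.entries = {}                     # ip -> (time verified, verdict)
        self.lookups = 0                      # how many full verifications ran

    def _verify(self, ip):
        # The name the address claims must resolve back to that same address.
        self.lookups += 1
        name = self.reverse_lookup(ip)
        return name is not None and ip in self.forward_lookup(name)

    def check(self, ip):
        now = self.clock()
        cached = self.entries.get(ip)
        if cached is not None and now - cached[0] < self.max_age:
            return cached[1]                  # seen recently: no new lookup
        verdict = self._verify(ip)            # first sight, or verdict expired
        self.entries[ip] = (now, verdict)     # negative verdicts are cached too
        return verdict


# Constructed sample zone data (documentation address range).
PTR = {"192.0.2.10": "build.example.org", "192.0.2.66": "build.example.org"}
A = {"build.example.org": ["192.0.2.10"]}


def demo():
    now = [0.0]                               # fake clock so expiry is testable
    cache = VerifiedSourceCache(PTR.get, lambda n: A.get(n, []), 3600, lambda: now[0])
    verdicts = [cache.check("192.0.2.10"),    # consistent PTR and A records
                cache.check("192.0.2.10"),    # served from the cache
                cache.check("192.0.2.66"),    # PTR claims a name that disagrees
                cache.check("192.0.2.99")]    # no PTR record at all
    before_expiry = cache.lookups
    now[0] = 3601.0                           # one hour later: must re-verify
    verdicts.append(cache.check("192.0.2.10"))
    return verdicts, before_expiry, cache.lookups
```

Caching the negative verdicts as well keeps a stream of packets from an unverifiable address from triggering one lookup per packet.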