Date: Thu, 11 Sep 1997 07:56:04 +0200
From: Andreas Klemm <andreas@klemm.gtn.com>
To: Torsten Blum <torstenb@onizuka.tb.9715.org>
Cc: Mark Murray <mark@grondar.za>, ports@freebsd.org
Subject: Re: Major bogon in tcp_wrappers port.
Message-ID: <19970911075604.13003@klemm.gtn.com>
In-Reply-To: <m0x8urQ-0006haC@onizuka.tb.9715.org>; from Torsten Blum on Thu, Sep 11, 1997 at 12:03:44AM +0200
References: <199709101631.SAA00382@greenpeace.grondar.za> <m0x8urQ-0006haC@onizuka.tb.9715.org>

On Thu, Sep 11, 1997 at 12:03:44AM +0200, Torsten Blum wrote:
> Mark Murray wrote:
>
> > (Sendmail has such hooks, so does ssh (and I believe cvsupd as well?))
>
> Uh, I thought this was a joke...
>
> Why should we move tcpwrapper to the base system ? I can't see an
> advantage here.

So that we can say, FreeBSD is secure automatically.
I don't know if you noticed Jordan's letter to a WWW online
computer magazine to their review of FreeBSD vs. SCO, NT and
others. They for example tested every system "as is".

So I think it's a big win for security and marketing, if we
can say, that our system is secured by default !

> tcpd is an easy "plug in" and one of its "advantages" is that you just
> have to change inetd.conf - no compile-time changes.

Yes, agreed. And in addition to that nice feature we discuss,
to strengthen security of the base system with that fine tool ;-)

> It's harder to configure hosts.{allow,deny} than changing inetd.conf.

Hmm, where's the logic here ? If you don't have a hosts.allow and
hosts.deny, then nothing happens ... so no extra work needed ;-)
But if you need it, then you are able to fine tune the system and
the knobs are already _there_ ;-)

> Aeh, that's why we have the ports tree. If something is really optional
> and you just have to change a config file why should it be moved to
> the base system ?

Maybe to include some extra functionality per default with respect
to internet security ?!

> > Negotiable. I kinda like the idea of two files - inetd.conf.dist and
> > inetd.conf.wrap.dist, and some install option to choose one.
>
> We don't need to have tcpwrapper in the base system to provide an
> example config file.

No, the question was, how to invoke or disable tcp_wrappers with
simple knobs in rc.conf or something else ...

-- 
Andreas Klemm | klemm.gtn.com - powered by Symmetric MultiProcessor FreeBSD
http://www.freebsd.org/~fsmp/SMP/SMP.html
http://www.freebsd.org/~fsmp/SMP/benches.html