From: Marc Slemko
To: John Fieber
cc: ports@FreeBSD.ORG
Date: Wed, 6 Aug 1997 06:54:27 -0600 (MDT)
Subject: Re: Major bogon in tcp_wrappers port.

On Tue, 5 Aug 1997, John Fieber wrote:

> On Tue, 5 Aug 1997, Satoshi Asami wrote:
>
> > (Asbestos suit removed)
> >
> >  * _*PRETTY_PLEASE*_ can't we bring this into the "core" FreeBSD?
> >  *
> >  * With all the squealing about security, IMHO it is silly not to.
> >
> > I have no problem with the general principle stated above. I don't
> > know anything about the actual working of tcp_wrapper, so I'll refrain
> > from commenting on this specific case.
>
> I just installed it and it appears to be basically transparent
> unless you set up a hosts.allow and/or hosts.deny file---similar
> to the login.access functionality of login. It does send more
> stuff about connections to syslog, but with the default
> syslog.conf, I don't think any of it actually gets recorded.

IMHO, it should log things to auth (not sure what the current port does)
and auth should go somewhere like /var/log/auth. But that's neither here
nor there...

I think it is a good idea, but be cautious; it is often compiled to be
picky about mismatching DNS. Not sure how the port is compiled, but if
you do compile it that way you need to be careful that you are either
prepared for a zillion people with broken DNS whining or to disable that
feature. I like that feature, but I have a clue.
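
The name/address consistency check mentioned in the message above, modelled as an added example (not part of the original mail and not tcp_wrappers code): it resolves the client address to a name, resolves that name back to addresses, and reports whether the original address is among them. The function names, the verdict strings and the zone data are assumptions made for illustration.

```python
import socket


def ptr_lookup(addr):
    """Reverse lookup: address -> hostname, or None when no name is found."""
    try:
        return socket.gethostbyaddr(addr)[0]
    except OSError:  # socket.herror and socket.gaierror are OSError subclasses
        return None


def a_lookup(name):
    """Forward lookup: hostname -> list of IPv4 addresses (empty on failure)."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except OSError:
        return []


def check_client(addr, reverse=ptr_lookup, forward=a_lookup):
    """Classify a client by name/address consistency.

    Returns (verdict, hostname) where verdict is:
      'match'    - the name found for addr resolves back to addr
      'no-ptr'   - addr has no reverse name at all
      'mismatch' - addr has a name, but that name does not resolve back to addr
    """
    name = reverse(addr)
    if not name:
        return ("no-ptr", None)
    if addr in forward(name):
        return ("match", name.lower())
    return ("mismatch", name.lower())


# Constructed zone data using documentation address space, not from the thread.
PTR = {"192.0.2.10": "mail.example.net", "192.0.2.20": "www.example.net"}
A = {"mail.example.net": ["192.0.2.10"], "www.example.net": ["192.0.2.99"]}


def demo():
    """Run the check over the constructed data instead of live DNS."""
    clients = ("192.0.2.10", "192.0.2.20", "192.0.2.30")
    return {c: check_client(c, PTR.get, lambda n: A.get(n, [])) for c in clients}


if __name__ == "__main__":
    for client, (verdict, host) in demo().items():
        print(f"{client:12} {verdict:9} {host or '-'}")
```

Running the same classification over recent client addresses from the logs before turning the check on gives a count of how many legitimate users with broken DNS would be refused.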