From owner-freebsd-bugs@FreeBSD.ORG Sun May 27 13:10:12 2007 Return-Path: X-Original-To: freebsd-bugs@hub.freebsd.org Delivered-To: freebsd-bugs@hub.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id 6153316A469 for ; Sun, 27 May 2007 13:10:12 +0000 (UTC) (envelope-from gnats@FreeBSD.org) Received: from freefall.freebsd.org (freefall.freebsd.org [69.147.83.40]) by mx1.freebsd.org (Postfix) with ESMTP id 3A3BC13C458 for ; Sun, 27 May 2007 13:10:12 +0000 (UTC) (envelope-from gnats@FreeBSD.org) Received: from freefall.freebsd.org (gnats@localhost [127.0.0.1]) by freefall.freebsd.org (8.13.4/8.13.4) with ESMTP id l4RDABnE005661 for ; Sun, 27 May 2007 13:10:11 GMT (envelope-from gnats@freefall.freebsd.org) Received: (from gnats@localhost) by freefall.freebsd.org (8.13.4/8.13.4/Submit) id l4RDABXi005660; Sun, 27 May 2007 13:10:11 GMT (envelope-from gnats) Date: Sun, 27 May 2007 13:10:11 GMT Message-Id: <200705271310.l4RDABXi005660@freefall.freebsd.org> To: freebsd-bugs@FreeBSD.org From: "Andy Kosela" Cc: Subject: Re: conf/112441: deprecated lines in /etc/hosts.allow X-BeenThere: freebsd-bugs@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list Reply-To: Andy Kosela List-Id: Bug reports List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 27 May 2007 13:10:12 -0000 The following reply was made to PR conf/112441; it has been noted by GNATS. From: "Andy Kosela" To: "Giorgos Keramidas" Cc: bug-followup@freebsd.org Subject: Re: conf/112441: deprecated lines in /etc/hosts.allow Date: Sun, 27 May 2007 15:03:58 +0200 On 5/26/07, Giorgos Keramidas wrote: > On 2007-05-05 13:12, Andy Kosela wrote: > > The following lines in /etc/hosts.allow are deprecated and > > should be removed. From my understanding of how tcpd is built, > > it is built by default with -DPARANOID option turned on so all > > requests from DNS mismatched clients are dropped BEFORE looking > > at the access tables. > > > > /etc/hosts.allow: > > # Protect against simple DNS spoofing attacks by checking that the > > # forward and reverse records for the remote host match. If a mismatch > > # occurs, access is denied, and any positive ident response within > > # 20 seconds is logged. No protection is afforded against DNS poisoning, > > # IP spoofing or more complicated attacks. Hosts with no reverse DNS > > # pass this rule. > > ALL : PARANOID : RFC931 20 : deny > > Hi Andy, > > I don't see -DPARANOID in our src/lib/libwrap Makefile. > Are you sure it is the default mode of operation? > > - Giorgos > > Hi Giorgos, from src/contrib/tcp_wrappers/Makefile: PARANOID= -DPARANOID but you are right, i didn't notice FreeBSD tcpd is built using src/lib/libwrap. So if i understand correctly DNS mismatched clients are permitted by default FreeBSD installation according to the first entry in /etc/hosts.allow: # Start by allowing everything (this prevents the rest of the file # from working, so remove it when you need protection). # The rules here work on a "First match wins" basis. ALL : ALL : allow Do you think this is secure enough? Personally i think that somebody who tries to spoof DNS is potentially an attacker and should be blocked. I see two options here: either add -DPARANOID option as default (it is logically correct to block all DNS mismatched clients, and it is the default operation of contrib tcpd code. or put ALL : PARANOID : RFC931 20 : deny before ALL : ALL : allow in order to help secure the default FreeBSD installations. best regards, Andy Kosela Pythagoras Foundation