Message-Id: <3.0.5.32.19981224122830.00967800@localhost>
Date: Thu, 24 Dec 1998 12:28:30 -0800
To: Matthew Dillon
From: "Kurt D. Zeilenga"
Subject: Re: Do I really need inetd?
Cc: "Joseph T. Lee", freebsd-security@FreeBSD.ORG
In-Reply-To: <199812241718.JAA27944@apollo.backplane.com>

If you have IP aliases/addresses, I recommend you use the -a
option such that inetd only listens on the address you expect
the services to be obtained under.

	inetd -a 127.0.0.1 /etc/inetd-local.conf
	inetd -a 10.128.0.1 /etc/inetd-internal.conf
	inetd -a 192.9.200.254 /etc/inetd-external.conf

For example, we have a number of services which must be accessed
from localhost (like: pop3) while other services are accessible
from a specific external address (we have quite a few IP aliases).
We have another set of services we only allow connections from
within our firewall to make and others which are allowed only
a specific external IP address.

This approach doesn't add bars to the windows of your system.
It just reduces the number of windows you have to watch. Of
course, it only takes one window (a good cracker can get
through any window) ... you still need 'bars'... like tcpd
and ipfw (even on inetd bound to localhost).

Kurt
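
A way to verify the per-address binding described in the message above, as an added example that is not part of the original post. The three addresses come from the message; the port-to-address policy (pop3 aside, the other services are assumptions), the function name audit_listeners and the sample socket listing are constructed for illustration.

```shell
#!/bin/sh
# Hypothetical policy: "port expected-local-address", one pair per line.
POLICY='110 127.0.0.1
23 10.128.0.1
80 192.9.200.254'

# Constructed sample in the `sockstat -4 -l` column layout (not real output).
SAMPLE='USER COMMAND PID FD PROTO LOCAL ADDRESS FOREIGN ADDRESS
root inetd 201 4 tcp4 127.0.0.1:110 *:*
root inetd 202 4 tcp4 10.128.0.1:23 *:*
root inetd 203 4 tcp4 *:80 *:*
root inetd 203 5 tcp4 192.9.200.254:79 *:*'

# audit_listeners: read sockstat-style lines on stdin and print one finding
# per listener that breaks the policy. Exit status is 1 if anything was found.
audit_listeners() {
    POLICY="$POLICY" awk '
    BEGIN {
        n = split(ENVIRON["POLICY"], rows, "\n")
        for (i = 1; i <= n; i++) { split(rows[i], f, " "); want[f[1]] = f[2] }
    }
    $5 !~ /^(tcp|udp)/ { next }        # skip the header and non-IP sockets
    {
        addr = $6; port = $6
        sub(/:[^:]*$/, "", addr)       # local address without ":port"
        sub(/^.*:/, "", port)          # port only
        if (!(port in want)) {         # listener nobody planned for
            printf "UNEXPECTED %s port %s on %s (%s)\n", $5, port, addr, $2
            bad = 1
        } else if (addr == "*") {      # inetd started without -a
            printf "WILDCARD %s port %s should bind %s (%s)\n", $5, port, want[port], $2
            bad = 1
        } else if (addr != want[port]) {   # bound, but to the wrong alias
            printf "MISBOUND %s port %s on %s, expected %s (%s)\n", $5, port, addr, want[port], $2
            bad = 1
        }
    }
    END { exit bad + 0 }'
}

# Stand-alone run over the constructed sample.
printf '%s\n' "$SAMPLE" | audit_listeners || true
```

On a live FreeBSD host the same function can be fed from `sockstat -4 -l | audit_listeners`, with POLICY edited to match the services in each inetd configuration file.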