From owner-freebsd-audit Fri Mar 24 5:42:28 2000
Delivered-To: freebsd-audit@freebsd.org
Received: from fledge.watson.org (fledge.watson.org [204.156.12.50]) by hub.freebsd.org (Postfix) with ESMTP id 6792F37B633 for ; Fri, 24 Mar 2000 05:42:23 -0800 (PST) (envelope-from robert@cyrus.watson.org)
Received: from fledge.watson.org (robert@fledge.pr.watson.org [192.0.2.3]) by fledge.watson.org (8.9.3/8.9.3) with SMTP id IAA38286; Fri, 24 Mar 2000 08:42:10 -0500 (EST) (envelope-from robert@cyrus.watson.org)
Date: Fri, 24 Mar 2000 08:42:10 -0500 (EST)
From: Robert Watson
X-Sender: robert@fledge.watson.org
Reply-To: Robert Watson
To: Bob Johnson
Cc: Warner Losh , audit@freebsd.org
Subject: Re: Portmapper enabled, IPv6 circumvents FW
In-Reply-To: <3.0.6.32.20000324003034.009ad530@rio.atlantic.net>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-audit@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

Another possibility would be a configuration choice during the install that
let you specify the ``openness'' of the initial inetd.conf. This could be
easily hacked up in the form of ``enable network services by default?'' and
just having two, or having sysinstall provide an actual management
interface. And especially on the IPv6 side, ``Do you wish to enable IPv6
network services?'' where at least at first, there will not be many
consumers.

Presumably each of these choices, unlike today's install selections, would
come with a description of what the choice means. And without too many
double negatives. :-)

One reason that you might find objection to actually disabling telnet and so
on by default is a loss of functionality in the case of serial installs,
although that can be put down to a failure of sysinstall to initially
configure /etc/ttys correctly.

Robert

On Fri, 24 Mar 2000, Bob Johnson wrote:

> Please, please, please do it!
>
> It's bad enough that I have to keep begging people on our networks
> to turn off all network services as soon as they do an install.
>
> If Red Hat starts disabling them by default before FreeBSD does,
> I won't even be able to say "you should have used FreeBSD".
>
> -- Bob
>
> At 12:37 PM 03/23/2000 -0700, you wrote:
> >In message Brad Knowles writes:
> >: I would like very much to see these patches get committed, so
> >: that the box tends to be secure by default out-of-the-box, and then
> >: you turn on the additional features you want/need.
> >
> >Eivind submitted them a while ago. I'll have to dust it off and see
> >about committing it.
> >
> >Warner
>
> +--------------------------------------------------------
> | Bob Johnson
> | bobj@atlantic.net
> +--------------------------------------------------------

Robert N M Watson robert@fledge.watson.org http://www.watson.org/~robert/
PGP key fingerprint: AF B5 5F FF A6 4A 79 37 ED 5F 55 E9 58 04 6A B1
TIS Labs at Network Associates, Safeport Network Services

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-audit" in the body of the message
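An added example, not from the thread or the FreeBSD project: a small sh/awk audit of which inetd.conf entries are actually enabled, split by address family, so an admin can see what an install left listening and in particular which services are reachable over IPv6 that an IPv4-only packet filter never sees. The inetd.conf contents are a constructed sample, and the function names are mine.

```shell
#!/bin/sh
# Added example: report enabled (uncommented) inetd.conf services per address
# family. A "tcp6"/"udp6" protocol field means an IPv6 listener.

# Constructed sample resembling a FreeBSD 4.x /etc/inetd.conf (not a real file).
SAMPLE_INETD_CONF=$(cat <<'EOF'
# service-name socket-type proto wait/nowait user server-program args
ftp     stream  tcp     nowait  root    /usr/libexec/ftpd       ftpd -l
#ftp    stream  tcp6    nowait  root    /usr/libexec/ftpd       ftpd -l
telnet  stream  tcp     nowait  root    /usr/libexec/telnetd    telnetd
telnet  stream  tcp6    nowait  root    /usr/libexec/telnetd    telnetd
#shell  stream  tcp     nowait  root    /usr/libexec/rshd       rshd
finger  stream  tcp     nowait/3/10 nobody /usr/libexec/fingerd fingerd -s
#comsat dgram   udp     wait    tty:tty /usr/libexec/comsat     comsat
EOF
)

# enabled_services FAMILY  (FAMILY is "4" or "6")
# Prints "service proto" for every uncommented entry of that address family.
enabled_services() {
    family="$1"
    printf '%s\n' "$SAMPLE_INETD_CONF" | awk -v fam="$family" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }   # skip comments and blanks
        {
            proto = $3
            is6 = (proto ~ /6$/) ? "6" : "4"            # tcp6/udp6 vs tcp/udp
            if (is6 == fam) print $1, proto
        }'
}

# dual_family_services
# Prints services enabled on both IPv4 and IPv6: the case the thread worries
# about, where a v4-only firewall policy is bypassed by the v6 listener.
dual_family_services() {
    printf '%s\n' "$SAMPLE_INETD_CONF" | awk '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        { if ($3 ~ /6$/) v6[$1] = 1; else v4[$1] = 1 }
        END { for (s in v4) if (s in v6) print s }' | sort
}

# Usage when run directly: show the IPv6 listeners and the dual-stack ones.
echo "IPv6 listeners:";  enabled_services 6
echo "Dual-stack services:"; dual_family_services
```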