From owner-cvs-all  Thu Feb 17 11:27: 0 2000
Delivered-To: cvs-all@freebsd.org
Received: from zippy.cdrom.com (zippy.cdrom.com [204.216.27.228])
	by hub.freebsd.org (Postfix) with ESMTP
	id 3652B37B505; Thu, 17 Feb 2000 11:26:55 -0800 (PST)
	(envelope-from jkh@zippy.cdrom.com)
Received: from zippy.cdrom.com (jkh@localhost [127.0.0.1])
	by zippy.cdrom.com (8.9.3/8.9.3) with ESMTP id LAA00758;
	Thu, 17 Feb 2000 11:27:00 -0800 (PST)
	(envelope-from jkh@zippy.cdrom.com)
To: "Daniel C. Sobral" <dcs@newsguy.com>
Cc: "Jordan K. Hubbard" <jkh@FreeBSD.org>,
	cvs-committers@FreeBSD.org, cvs-all@FreeBSD.org
Subject: Re: cvs commit: src/etc hosts.allow 
In-reply-to: Your message of "Fri, 18 Feb 2000 04:22:27 +0900."
             <38AC4A73.DB68EB72@newsguy.com> 
Date: Thu, 17 Feb 2000 11:27:00 -0800
Message-ID: <755.950815620@zippy.cdrom.com>
From: "Jordan K. Hubbard" <jkh@zippy.cdrom.com>
Sender: owner-cvs-all@FreeBSD.ORG
Precedence: bulk

> Isn't silently dropping packets a much more efficient way of dealing
> with attacks such as port scans, which are the ones most likely to
> trigger hosts.allow rules?

Perhaps, but I fail to see what this has to do with wrapper rules
since whether the packet is "dropped" isn't up to the port listener
(tcpd) anyway - by that time, it's far too late to drop anything.

If you want to protect against port scans, learn to use ipfw or
ipfilter.

- Jordan


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe cvs-all" in the body of the message