Date: Fri, 24 Mar 2000 12:07:50 -0500
From: Garance A Drosihn <drosih@rpi.edu>
To: Robert Watson <robert+freebsd@cyrus.watson.org>, Bob Johnson <bobj@atlantic.net>
Cc: Warner Losh <imp@village.org>, audit@FreeBSD.ORG
Subject: Re: Portmapper enabled, IPv6 circumvents FW
Message-ID: <v0421010fb5014bb01bc1@[128.113.24.47]>
In-Reply-To: <Pine.NEB.3.96L.1000324083722.38246A-100000@fledge.watson.org>
References: <Pine.NEB.3.96L.1000324083722.38246A-100000@fledge.watson.org>
At 8:42 AM -0500 3/24/00, Robert Watson wrote:
>Another possibility would be a configuration choice during the install
>that let you specify the ``openness'' of the initial inetd.conf. This
>could be easily hacked up in the form of ``enable network services by
>default?'' and just having two, or having sysinstall provide an actual
>management interface. And especially on the IPv6 side, ``Do you wish to
>enable IPv6 network services?'' where at least at first, there will not be
>many consumers. Presumably each of these choices, unlike today's install
>selections, would come with a description of what the choice means. And
>without too many double negatives. :-)

You don't need to describe them too much. I'd have a panel of the more
useful services in sysinstall, where the user can turn them on or off.
The advice at the bottom would be "Leave these turned off unless you
know you want one on and why you want it on".

Apple does something like this with its MacOS server install. They have
a nice GUI user-interface panel for "Network/Services", which has radio
buttons for Remote Shell, Remote Login, Remote Printing, Remote Mach IPC,
FTP server, Telnet server, Finger Server, Mail Server. All the other
network services are turned off, and people need to go off and edit
inetd.conf if they really want to turn them on.

In a different message, Warner Losh wrote:
> : Interesting, would this include disabling sendmail by default?
> : (Please say yes.)
>
> ALL NETWORK SERVICES. All of them. sendmail, cron, inetd, lpd,
> portmapper and maybe a couple others.

This reminds me... PR bin/12308 includes an update so one can start up
lpd (so local users can print) WITHOUT having it accept jobs from remote
hosts. I think this is a good idea. I'd go so far as to say that this
should be added, and that we should start lpd with this new option by
default. Thus, you really would have an option for enabling "remote
printing" separate from "printing for local users".
I don't know what knobs FreeBSD has for sendmail, but perhaps we could
have a similar option there. Set up sendmail so people can 'mail' other
people (running sendmail via crontab to empty out any pending messages),
but not accept mail? I am not sure that is a really good idea though...

---
Garance Alistair Drosehn     =  gad@eclipse.acs.rpi.edu
Senior Systems Programmer    or  drosih@rpi.edu
Rensselaer Polytechnic Institute
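The thread's practical point is that a default install should have network services off and that IPv6 entries in inetd.conf (tcp6/udp6) can sit behind an IPv4-only firewall unnoticed. As an added example, not code from the original message or from FreeBSD, the script below audits an inetd.conf: it lists every active service, flags the IPv6-bound ones separately, and writes a copy with every service commented out so each one has to be turned on deliberately. The inetd.conf contents are a constructed sample in the FreeBSD layout; the function names and the use of mktemp are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original message): audit an inetd.conf and
# produce a copy with every service disabled, so "off" is the default.

# Constructed sample inetd.conf in the FreeBSD layout. Lines starting
# with '#' are disabled entries; the third field is the protocol.
SAMPLE_INETD_CONF=$(mktemp)
HARDENED_CONF=$(mktemp)
trap 'rm -f "$SAMPLE_INETD_CONF" "$HARDENED_CONF"' EXIT

cat > "$SAMPLE_INETD_CONF" <<'EOF'
# inetd.conf (constructed sample for this example)
ftp     stream  tcp     nowait  root    /usr/libexec/ftpd       ftpd -l
#ftp    stream  tcp6    nowait  root    /usr/libexec/ftpd       ftpd -l
telnet  stream  tcp     nowait  root    /usr/libexec/telnetd    telnetd
#shell  stream  tcp     nowait  root    /usr/libexec/rshd       rshd
finger  stream  tcp6    nowait/3/10 nobody /usr/libexec/fingerd fingerd -s
#comsat dgram   udp     wait    tty     /usr/libexec/comsat     comsat
EOF

# enabled_services FILE: print "service/proto" for each active entry
# (non-blank lines that are not comments).
enabled_services() {
    awk 'NF > 0 && $0 !~ /^[[:space:]]*#/ { print $1 "/" $3 }' "$1"
}

# count_enabled FILE: number of active entries.
count_enabled() {
    enabled_services "$1" | wc -l | tr -d ' '
}

# ipv6_enabled FILE: active entries on tcp6/udp6. These are the ones an
# IPv4-only firewall ruleset does not cover, which is the thread's concern.
ipv6_enabled() {
    enabled_services "$1" | grep -E '/(tcp|udp)6$' || true
}

# disable_all IN OUT: copy IN to OUT with every active entry commented
# out; existing comments and blank lines are left untouched.
disable_all() {
    sed -E 's/^([^#[:space:]])/#\1/' "$1" > "$2"
}

disable_all "$SAMPLE_INETD_CONF" "$HARDENED_CONF"

echo "active services before hardening: $(count_enabled "$SAMPLE_INETD_CONF")"
enabled_services "$SAMPLE_INETD_CONF"
echo "IPv6-bound services (check firewall coverage):"
ipv6_enabled "$SAMPLE_INETD_CONF"
echo "active services after hardening:  $(count_enabled "$HARDENED_CONF")"
```

On a real system the hardened copy would be reviewed and then installed over /etc/inetd.conf with inetd sent a HUP; the script deliberately only writes to a temporary file. The IPv6 listing is the part worth running periodically, since an entry such as the sample's finger/tcp6 is exactly what an IPv4 firewall review will miss.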