Date: Thu, 24 Aug 2000 13:59:44 -0700
From: Brooks Davis <brooks@one-eyed-alien.net>
To: "Gooderum, Mark" <mark@JUMPWEB.COM>
Cc: freebsd-stable@FreeBSD.ORG
Subject: Re: nuking "unsafe" protocols (was Re: Upcoming rc.conf changes not loading certain currently loaded daemons)
Message-ID: <20000824135944.B12283@Odin.AC.HMC.Edu>
In-Reply-To: <251BF6012D6B4A49A4109B1C3289A7B5BB78@purgatory.jumpweb.com>; from mark@JUMPWEB.COM on Thu, Aug 24, 2000 at 03:44:08PM -0500
References: <251BF6012D6B4A49A4109B1C3289A7B5BB78@purgatory.jumpweb.com>
On Thu, Aug 24, 2000 at 03:44:08PM -0500, Gooderum, Mark wrote:
>
> Interoperability is critical and although ssh has found its way into
> FreeBSD 4.1 as standard, it certainly isn't standard on Windows or
> most other Unixen and other OSes. Unless somebody wants to bite the
> bullet (and I for one am _not_ interested in trying) and write a
> "lockdown_freebsd" script that enables ipfw or ipfilter with some
> reasonable defaults, turns off various insecure services (including
> NFS...more implicit trust and/or cleartext PW's via pcnfsd) then just
> blindly disabling rsh/telnet does little to really improve the security
> of the box and does a lot to increase the confusion of the user and
> increase the amount of manual configuration the _average_ user needs
> to make the box function in the _average_ environment.

This change DOES NOT DISABLE INETD, PORTMAP, OR SENDMAIL ON NEW INSTALLS!
What it does do is set the default in /etc/defaults/rc.conf to off and
instruct sysinstall to turn them on in /etc/rc.conf. This means the fact
that they are on is clearly visible in /etc/rc.conf instead of hidden in
/etc/defaults/rc.conf. The idea is that you should be able to look in
/etc/rc.conf and tell which services are enabled. Sysinstall will continue
to enable many of them by default to make your life easier.

I seriously doubt this change will be MFC'd and it only bites people too
lame to follow the lists they have been repeatedly told to follow. Heck,
it's even in UPDATING.

-- Brooks

--
Any statement of the form "X is the one, true Y" is FALSE.
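The layering Brooks describes (rc reads /etc/defaults/rc.conf first, then /etc/rc.conf overrides it) is what decides whether a service is really on. The script below is an added example, not code from this thread or from FreeBSD: it parses two rc.conf-style files in that order without sourcing them and reports the effective value of every `*_enable` knob and which file set it, so an auditor can see the "hidden in defaults" case the post is about. The function names and the two sample files are constructed for illustration; the sample files are stand-ins, not real FreeBSD defaults.

```sh
#!/bin/sh
# Added example (not from the mailing-list thread): compute the effective
# *_enable settings the way rc(8) sees them, defaults file first, then the
# override file, and report where each value came from.  Parsing with awk
# instead of sourcing means untrusted config is never executed here.
# Function names and sample contents below are constructed for illustration.

# Usage: effective_enable DEFAULTS_FILE OVERRIDE_FILE
# Prints one line per knob: "<name> <YES|NO> <file that set it>", sorted.
# Only double-quoted or bare values are handled (the common rc.conf style).
effective_enable() {
    awk '
        # match knob="VALUE" or knob=VALUE, with an optional trailing comment
        /^[ \t]*[A-Za-z_][A-Za-z0-9_]*_enable[ \t]*=/ {
            line = $0
            sub(/#.*/, "", line)              # drop trailing comment
            split(line, kv, "=")
            name = kv[1];  gsub(/[ \t]/, "", name)
            value = kv[2]; gsub(/[ \t"]/, "", value)
            val[name] = toupper(value)
            src[name] = FILENAME              # later files override earlier ones
        }
        END { for (n in val) print n, val[n], src[n] }
    ' "$1" "$2" | sort
}

# Knobs that are actually on, and which file turned them on.
enabled_services() {
    effective_enable "$1" "$2" | awk '$2 == "YES" { print $1, $3 }'
}

# Knobs that are on only because the defaults file says so and the override
# file never mentions them: the "hidden in /etc/defaults/rc.conf" case.
inherited_from_defaults() {
    effective_enable "$1" "$2" | awk -v d="$1" '$2 == "YES" && $3 == d { print $1 }'
}

# Constructed stand-ins for /etc/defaults/rc.conf and /etc/rc.conf, written
# into the directory given as $1.  Contents are illustrative only.
write_sample_conf() {
    cat > "$1/defaults.rc.conf" <<'EOF'
# constructed stand-in for /etc/defaults/rc.conf
inetd_enable="NO"       # off by default after the change
portmap_enable="NO"
sendmail_enable="NO"
sshd_enable="NO"
syslogd_enable="YES"    # still on by default
EOF
    cat > "$1/rc.conf" <<'EOF'
# constructed stand-in for /etc/rc.conf as sysinstall might write it
inetd_enable="YES"
sendmail_enable="YES"
sshd_enable="YES"
EOF
}

# Stand-alone demo: build the sample files and print the audit.
demo() {
    d=$(mktemp -d) || return 1
    write_sample_conf "$d"
    echo "== effective values =="
    effective_enable "$d/defaults.rc.conf" "$d/rc.conf"
    echo "== enabled, with source =="
    enabled_services "$d/defaults.rc.conf" "$d/rc.conf"
    echo "== on only via defaults (not visible in rc.conf) =="
    inherited_from_defaults "$d/defaults.rc.conf" "$d/rc.conf"
    rm -rf "$d"
}
```

Run `demo` to see the three views; on a real system the same functions can be pointed at /etc/defaults/rc.conf and /etc/rc.conf. The last view is the one worth reviewing after an install: anything it lists is enabled without appearing in /etc/rc.conf at all.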