From: Brooks Davis
To: "Gooderum, Mark"
Cc: freebsd-stable@FreeBSD.ORG
Subject: Re: nuking "unsafe" protocols (was Re: Upcoming rc.conf changes not loading certain currently loaded daemons)
Date: Thu, 24 Aug 2000 13:59:44 -0700
Message-ID: <20000824135944.B12283@Odin.AC.HMC.Edu>
References: <251BF6012D6B4A49A4109B1C3289A7B5BB78@purgatory.jumpweb.com>
In-Reply-To: <251BF6012D6B4A49A4109B1C3289A7B5BB78@purgatory.jumpweb.com>; from mark@JUMPWEB.COM on Thu, Aug 24, 2000 at 03:44:08PM -0500

On Thu, Aug 24, 2000 at 03:44:08PM -0500, Gooderum, Mark wrote:
>
> Interoperability is critical and although ssh has found its way into
> FreeBSD 4.1 as standard, it certainly isn't standard on Windows or
> most other Unixen and other OSes. Unless somebody wants to bite the
> bullet (and I for one am _not_ interested in trying) and write a
> "lockdown_freebsd" script that enables ipfw or ipfilter with some
> reasonable defaults, turns off various insecure services (including
> NFS...more implicit trust and/or cleartext PW's via pcnfsd) then just
> blindly disabling rsh/telnet does little to really improve the security
> of the box and does a lot to increase the confusion of the user and
> increase the amount of manual configuration the _average_ user needs
> to make the box function in the _average_ environment.

This change DOES NOT DISABLE INETD, PORTMAP, OR SENDMAIL ON NEW INSTALLS!

What it does do is set the default in /etc/defaults/rc.conf to off and instruct sysinstall to turn them on in /etc/rc.conf. This means the fact that they are on is clearly visible in /etc/rc.conf instead of hidden in /etc/defaults/rc.conf. The idea is that you should be able to look in /etc/rc.conf and tell which services are enabled. Sysinstall will continue to enable many of them by default to make your life easier.

I seriously doubt this change will be MFC'd and it only bites people too lame to follow the lists they have been repeatedly told to follow. Heck, it's even in UPDATING.

-- Brooks

-- 
Any statement of the form "X is the one, true Y" is FALSE.
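The point of the change above is that an enabled service should be visible in /etc/rc.conf rather than inherited silently from /etc/defaults/rc.conf. The following audit script is an added example, not code from the thread or from FreeBSD: for every `*_enable` knob it reports the effective value and whether that value was set locally or only comes from the defaults file. It runs on constructed sample files (the real paths would be /etc/defaults/rc.conf and /etc/rc.conf).

```shell
#!/bin/sh
# rc_value FILE KNOB -> last assignment of KNOB in FILE (rc.conf is plain sh,
# so a later assignment wins), quotes and trailing comment stripped; empty if unset.
rc_value() {
    sed -n "s/^[[:space:]]*$2=[\"']\{0,1\}\([^\"'#]*\)[\"']\{0,1\}.*/\1/p" "$1" \
        | tail -n 1 | sed 's/[[:space:]]*$//'
}

# rc_audit DEFAULTS LOCAL -> one line per *_enable knob seen in either file:
#   "<knob> <effective value> <local|default>"
rc_audit() {
    defaults="$1"; lcl="$2"
    sed -n 's/^[[:space:]]*\([A-Za-z0-9_]*_enable\)=.*/\1/p' "$defaults" "$lcl" \
        | sort -u \
        | while read -r knob; do
            v=$(rc_value "$lcl" "$knob")
            if [ -n "$v" ]; then
                echo "$knob $v local"          # explicitly chosen in rc.conf
            else
                echo "$knob $(rc_value "$defaults" "$knob") default"  # inherited
            fi
        done
}

# demo: constructed stand-ins for /etc/defaults/rc.conf and /etc/rc.conf
demo() {
    tmp=$(mktemp -d)
    cat > "$tmp/defaults.conf" <<'EOF'
inetd_enable="NO"       # new default: off
portmap_enable="NO"
sendmail_enable="NO"
sshd_enable="NO"
EOF
    cat > "$tmp/rc.conf" <<'EOF'
# sysinstall turns these on explicitly so the choice is visible here
inetd_enable="YES"
sendmail_enable="YES"
EOF
    rc_audit "$tmp/defaults.conf" "$tmp/rc.conf"
    rm -r "$tmp"
}

demo
```

Anything reported as `default` with value `YES` is a service running without a trace in /etc/rc.conf, which is exactly the situation the change removes.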