Date:      Mon, 12 Oct 1998 03:07:41 +0200
From:      Neil Blakey-Milner <nbm@rucus.ru.ac.za>
To:        Andrew Bromage <bromage@queens.unimelb.edu.au>, chad@dcfinc.com, stable@FreeBSD.ORG
Subject:   Re: firewalling
Message-ID:  <19981012030740.A25211@rucus.ru.ac.za>
In-Reply-To: <19981010145451.34491@queens.unimelb.edu.au>; from Andrew Bromage on Sat, Oct 10, 1998 at 02:54:51PM +1000
References:  <199810092329.QAA28466@freebie.dcfinc.com> <19981010145451.34491@queens.unimelb.edu.au>

On Sat 1998-10-10 (14:54), Andrew Bromage wrote:
> On Fri, Oct 09, 1998 at 04:29:55PM -0700, Chad R. Larson wrote:
> > Does anyone have an opinion (now there's a stupid question) about IP
> > firewalling vs TCP wrappers to protect a server exposed to the great
> > unwashed Internet?
> 
> Just as a matter of interest, is there a reason why you don't want to
> use both?

I must agree here.

Not every service you run runs from inetd, which is the easiest thing to
transfer to TCP wrappers.

Things like web servers, ssh, irc servers, named, SQL databases, smbd, and
so forth aren't necessarily easy to convert to TCP wrappers.

And if (heaven, or whichever paradise-like quasi-elemental plane you believe
in, forbid) there is ever a security hole in TCP wrappers, inetd, sshd, smbd,
or any other service that runs as root (and some that don't), you're going to
wish you'd used IP firewalling so that the people on the outside don't even
get to see what you're running, let alone exploit it. (bind being a recent
example)

Of course, with TCP wrappers you can easily put up those cute banners to say
that access has been denied, contact the systems administrator on pain of
death if you think you deserve access. :)

Anyway, you _did_ ask for opinions :)

Neil
-- 
Neil Blakey-Milner
nbm@rucus.ru.ac.za
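
The coverage gap described in the message above, as an added example that is not part of the original post: it parses an inetd.conf and compares it with a list of listening ports to show which ones TCP wrappers can restrict and which depend on the packet filter alone. The inetd.conf contents, tcpd path and listener list are constructed sample data, and the sketch assumes standalone daemons are not linked against libwrap.

```python
# Constructed sample data; not taken from the original message.
INETD_CONF = """\
# service  type    proto  wait    user    server-program            arguments
ftp        stream  tcp    nowait  root    /usr/local/libexec/tcpd   ftpd -l
telnet     stream  tcp    nowait  root    /usr/local/libexec/tcpd   telnetd
finger     stream  tcp    nowait  nobody  /usr/libexec/fingerd      fingerd -s
#shell     stream  tcp    nowait  root    /usr/libexec/rshd         rshd
"""

# (port, service name, listening process) as a socket listing might report them.
LISTENERS = [
    (21, "ftp", "inetd"), (23, "telnet", "inetd"), (79, "finger", "inetd"),
    (22, "ssh", "sshd"), (53, "domain", "named"), (80, "http", "httpd"),
    (139, "netbios-ssn", "smbd"),
]

def wrapped_services(inetd_conf):
    """Return {service: bool}; True means inetd launches it through tcpd."""
    result = {}
    for line in inetd_conf.splitlines():
        fields = line.split()
        if len(fields) < 6 or fields[0].startswith("#"):
            continue  # skip comments, blanks and malformed entries
        service, program = fields[0], fields[5]
        result[service] = program.rsplit("/", 1)[-1] == "tcpd"
    return result

def audit(inetd_conf, listeners):
    """Classify each listening port by which layer can restrict access to it."""
    wrapped = wrapped_services(inetd_conf)
    report = {}
    for port, service, process in listeners:
        if process == "inetd" and wrapped.get(service):
            report[port] = "tcp-wrappers + firewall"
        else:
            # Standalone daemon (assumed not built with libwrap), or an inetd
            # entry not routed through tcpd: only the packet filter covers it.
            report[port] = "firewall only"
    return report

if __name__ == "__main__":
    for port, layer in sorted(audit(INETD_CONF, LISTENERS).items()):
        print(f"{port:>5}/tcp  {layer}")
```
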
