
Re: new portmap packages, testers wanted



On Mon, Jan 19, 2004 at 11:20:11AM +0100, Josselin Mouette wrote:
> On Mon 19/01/2004 at 07:47, Marc Wilson wrote:
> > Gee... as opposed to just configuring /etc/hosts.deny properly, something
> > I've never been able to figure out why portmap doesn't do in the first
> > place.
> 
> That wouldn't change anything to the issue. If portmap configures
> /etc/hosts.deny to deny access from all non-local IPs, packages
> requiring portmap to listen to remote addresses would have to modify
> hosts.deny as well, so a similar mechanism would have to be used, with
> the only difference that the system would be more fragile.

You mean they'd have to modify hosts.allow, right?

The portmap package has no business modifying hosts.deny or hosts.allow.
Neither does fam.  Neither does ANYTHING else.  *I* control who and what
has access.

If you want to go for maximum protection, go to the source.  The tcpd
package should be configuring for no access by *default* for packages that
make use of it.  That includes ssh, that includes portmap, that includes
anything else that uses it.

Anything else is "fragile".

-- 
 Marc Wilson |     Have you seen the latest Japanese camera?  Apparently
 msw@cox.net |     it is so fast it can photograph an American with
             |     his mouth shut!
