Re: ALL: PARANOID from /etc/hosts.deny Should be Commented by default
On Wed, Apr 18, 2001 at 08:47:42PM -0700, John H. Robinson, IV wrote:
> On Thu, Apr 19, 2001 at 03:33:23AM +0200, Eloi Granado wrote:
> > On Thursday 19 April 2001 01:57, Nathan Dabney wrote:
> > > For those of you who do not like PARANOID, what would you suggest without
> > > reducing the protection? Does ALL: ALL with some commentary explaining
> > > where the user can go for more information sound good?
> >
> > Well, and some blinking message lines at boot time warning the new user that
> > his machine is blocking all possible networking, absolutely ISOLATED? What
> > about to remove all networking support by default? So the user will have to
> > learn ALL networking risks before connecting/accepting connections from
> > anywhere (oh yes, he will learn a lot in the way).
>
> not all services are tcpwrapped. as a matter of fact, exactly TWO types
> of services are tcpwrapped:
> * those spawned from inetd, that explicitly have tcpd in their
> invocation
> * those compiled with libwrap
>
> not all services suffer as such. so to say a system with ALL:ALL in
> hosts.deny (i hate that file. it should go away. replaced with
> echo ALL:ALL:DENY >> /etc/hosts.allow) disallows ALL networking is
> false. the suggestion to have localhost and localnet in hosts.allow, and
> all:all:deny in hosts.allow is a very good one.
I disagree.
We cannot expect the user to want to accept connections from the local net. I
do agree however that localhost needs to be there ;)
>
> SECURE by default. open up by a positive action.
Exactly. I completely agree with this statement.
> have we not learned the mistakes of red hat? are we doomed to repeat
> them? keep it CLOSED. force the user to make a conscious decision to
> open up their box.
>
> > Be serious, what type of system do we want? One both for users and for
> > servers, or a openbsd alike firewalling (user unfriendly) system?
>
> i cannot speak for OpenBSD, as i have never used it (i can speak for
> BSDi and their broken tar, however).
>
> what type of system do you want: susceptible for the next worm, or prepared to
> defend against the future onslaughts?
>
> i want a system for users. this means keeping things off. users do not
> need lots of services running[1]. if they want to run services, then they
> are sysadmins, and mus be ready for that step. to do otherwise is to
> invite diaster, and be a disservice to the people we are trying to
> serve.
>
> -john
>
> [1] do they need any? does an MTA have to listen to an IP other than
> loopback? really?
>
>
> --
> To UNSUBSCRIBE, email to debian-devel-request@lists.debian.org
> with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
>
>
Reply to: