
Re: ALL: PARANOID from /etc/hosts.deny Should be Commented by default



On Fri, Apr 20, 2001 at 08:26:06AM +1000, Daniel Stone wrote:
> If you want REAL security, stop bullshitting yourself and get a firewall,
> preferably stateful (btw, netfilter is stateful, I have never bought a FW-1
> license in my life, and probably never will). What I was saying was this:

A firewall is not the end-all, be-all of security.  Those who think it is are
setting themselves up for problems.

> * ALL: PARANOID is a sane default.

Your opinion.  I still haven't seen anything in this thread (that hasn't been
refuted) that suggests that PARANOID checks provide any more security than
leaving a box wide open.  Yet, there is plenty of proof that they cause
problems (if you don't believe me, do a GOOGLE search for "tcpd paranoid
problem").

> It provides extra security as a layer. If you just do IP-based access to
> your box (i.e. only certain IPs allowed), you don't NEED this. But think
> about the other 99% of people. Like myself. It's a good extra layer. I like
> this extra layer.
> 
> ALL: PARANOID clearly doesn't apply to these systems where ONLY certain
> *explicitly specified* IPs can access it. So stop dragging them into the
> argument and get back to making real points.

You're the one changing the subject, not me.

Every system should be relying on "*explicitly specified* IPs", whether the
IP specified is 0.0.0.0/0 or 127.0.0.1.  Not bullshit "security" like
PARANOID.  If you could swallow your pride for a second, stop saying things
like "REAL security", and think about what this check actually does, you would
see exactly how silly it is.

> -- 
> Daniel Stone
> Linux Kernel Developer

Frankly, this scares me.

--Adam

-- 
Adam McKenna  <adam@debian.org>  <adam@flounder.net>
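Added illustration of the point being argued (not from this thread and not tcp_wrappers' own code): a small model of how tcpd evaluates hosts.allow and hosts.deny, with the PARANOID wildcard (the client's reverse name does not resolve back to its address, per hosts_access(5)) beside a policy built from explicit addresses. The DNS tables, addresses and policy lists are constructed for the example.

```python
import ipaddress

# Constructed lookup tables standing in for DNS (RFC 5737 documentation
# addresses, not real hosts): address -> PTR name, name -> A records.
PTR = {
    "192.0.2.10": "mail.example.net",    # forward and reverse agree
    "192.0.2.20": "spoof.example.org",   # PTR names a host that resolves elsewhere
    "203.0.113.7": "other.example.com",  # consistent DNS, but not our network
}
A = {
    "mail.example.net": {"192.0.2.10"},
    "spoof.example.org": {"198.51.100.5"},
    "other.example.com": {"203.0.113.7"},
}

def is_paranoid(ip):
    """Model of the PARANOID wildcard: true when the client's reverse name
    does not resolve back to the client's address. An address with no PTR
    at all is 'unknown' to tcpd, which this model does not treat as PARANOID."""
    name = PTR.get(ip)
    if name is None:
        return False
    return ip not in A.get(name, set())

def matches(pattern, ip):
    """Client patterns handled here: ALL, PARANOID, or an address/CIDR network."""
    if pattern == "ALL":
        return True
    if pattern == "PARANOID":
        return is_paranoid(ip)
    return ipaddress.ip_address(ip) in ipaddress.ip_network(pattern, strict=False)

def decide(ip, allow, deny):
    """hosts_access(5) order: a match in hosts.allow grants, otherwise a match
    in hosts.deny refuses, otherwise access is granted."""
    if any(matches(p, ip) for p in allow):
        return "allow"
    if any(matches(p, ip) for p in deny):
        return "deny"
    return "allow"

# Policy A: the disputed default, hosts.deny holding only "ALL: PARANOID".
PARANOID_ONLY = ([], ["PARANOID"])
# Policy B: explicit addresses in hosts.allow, "ALL: ALL" in hosts.deny.
EXPLICIT = (["192.0.2.0/24", "127.0.0.1"], ["ALL"])

if __name__ == "__main__":
    for ip in PTR:
        print(ip, "paranoid-only:", decide(ip, *PARANOID_ONLY),
              "explicit:", decide(ip, *EXPLICIT))
```

Under the PARANOID-only policy the decision depends only on whether a client's DNS is self-consistent, so 203.0.113.7 is admitted and 192.0.2.20 is refused; the explicit policy decides on the address itself, which is the distinction the reply above draws.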