
Re: ALL: PARANOID from /etc/hosts.deny Should be Commented by default



On Thu, Apr 19, 2001 at 03:43:44PM -0700, Adam McKenna wrote:
> On Fri, Apr 20, 2001 at 08:26:06AM +1000, Daniel Stone wrote:
> > If you want REAL security, stop bullshitting yourself and get a firewall,
> > preferably stateful (btw, netfilter is stateful, I have never bought a FW-1
> > license in my life, and probably never will). What I was saying was this:
> 
> A firewall is not the end-all, be-all of security.  Those who think it is are
> setting themselves up for problems.

Which is why I don't run any more services than I need to anyway, and keep
up-to-date on versions. Did I say it was the be-all and end-all of security?
 
> > * ALL: PARANOID is a sane default.
> 
> Your opinion.  I still haven't seen anything in this thread (that hasn't been
> refuted) that suggests that PARANOID checks provide any more security than
> leaving a box wide open.  Yet, there is plenty of proof that they cause
> problems (if you don't believe me, do a GOOGLE search for "tcpd paranoid
> problem").

A little more. Enough.

> > It provides extra security as a layer. If you just do IP-based access to
> > your box (i.e. only certain IPs allowed), you don't NEED this. But think
> > about the other 99% of people. Like myself. It's a good extra layer. I like
> > this extra layer.
> > 
> > ALL: PARANOID clearly doesn't apply to these systems where ONLY certain
> > *explicitly specified* IPs can access it. So stop dragging them into the
> > argument and get back to making real points.
> 
> You're the one changing the subject, not me.

I never mentioned IP-based-filtered systems until you dragged them in.

> Every system should be relying on "*explicitly specified* IPs", whether the
> IP specified is 0.0.0.0/0 or 127.0.0.1.  Not bullshit "security" like
> PARANOID.  If you could swallow your pride for a second, stop saying things
> like "REAL security", and think about what this check actually does, you would
> see exactly how silly it is.

Look, in the end, this argument comes down to preference; we've seen
convincing arguments in both directions.

Therefore, this argument is about as pointless as me filing bugs for
wmaker's removal because Sawfish rocks. Likewise vim/emacs.

> > -- 
> > Daniel Stone
> > Linux Kernel Developer
> 
> Frankly, this scares me.

Oh, go sit in the corner with James Troup.

-- 
Daniel Stone
Scary, Apparently Fake, Linux Kernel Developer, When He Has Time, Which Is
Extremely Scarce These Days
daniel@kabuki.openfridge.net

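To make concrete what the PARANOID wildcard actually checks (the crux of the exchange above), here is an added example, not code from the thread or from tcp_wrappers: a small Python model of tcpd's name/address check plus a simplified subset of hosts_access(5) matching, run against constructed DNS records, comparing the "ALL: PARANOID" hosts.deny default with an explicit-address policy. The DNS data, the rule lists and the pattern subset are all assumptions for illustration.

```python
import ipaddress

# Constructed DNS records standing in for the resolver (assumption: not real hosts).
REVERSE = {                                  # PTR: address -> name
    "192.0.2.10": "ok.example.test",
    "192.0.2.20": "spoof.example.test",
    "192.0.2.30": None,                      # no PTR record at all
}
FORWARD = {                                  # A: name -> addresses
    "ok.example.test": {"192.0.2.10"},
    "spoof.example.test": {"198.51.100.5"},  # PTR name points elsewhere
}

def classify(addr):
    """Mimic tcpd's client-name lookup: the real name when reverse and forward
    lookups agree, 'unknown' when there is no reverse entry, and 'paranoid'
    when the name does not resolve back to the address (the condition the
    PARANOID wildcard matches; a failed reverse lookup is NOT paranoid)."""
    name = REVERSE.get(addr)
    if name is None:
        return "unknown"
    if addr not in FORWARD.get(name, set()):
        return "paranoid"
    return name

def match(pattern, addr, name):
    """Simplified subset of hosts_access(5) client patterns (assumption)."""
    if pattern == "ALL":
        return True
    if pattern == "PARANOID":
        return name == "paranoid"
    if pattern == "UNKNOWN":
        return name == "unknown"
    if "/" in pattern:  # net/mask form, e.g. 192.0.2.0/255.255.255.0 or 0.0.0.0/0
        return ipaddress.ip_address(addr) in ipaddress.ip_network(pattern, strict=False)
    return pattern in (addr, name)

def access(daemon, addr, allow_rules, deny_rules):
    """hosts.allow is consulted first, then hosts.deny; no match at all means allow."""
    name = classify(addr)
    for rules, verdict in ((allow_rules, True), (deny_rules, False)):
        for daemons, clients in rules:
            if daemons in ("ALL", daemon) and any(match(c, addr, name) for c in clients.split()):
                return verdict
    return True

# The default under discussion: empty hosts.allow, "ALL: PARANOID" in hosts.deny.
PARANOID_ALLOW, PARANOID_DENY = [], [("ALL", "PARANOID")]
# The explicit-address style: named networks allowed, everything else denied.
EXPLICIT_ALLOW, EXPLICIT_DENY = [("sshd", "192.0.2.0/255.255.255.0")], [("ALL", "ALL")]
```

Note that under the PARANOID default a client with no reverse record at all is still admitted, since tcpd names it "unknown" rather than "paranoid", while the explicit policy admits or rejects purely on the address and never consults DNS at all.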