Re: ALL: PARANOID from /etc/hosts.deny Should be Commented by default
On Thu, Apr 19, 2001 at 03:33:23AM +0200, Eloi Granado wrote:
> On Thursday 19 April 2001 01:57, Nathan Dabney wrote:
> > For those of you who do not like PARANOID, what would you suggest without
> > reducing the protection? Does ALL: ALL with some commentary explaining
> > where the user can go for more information sound good?
>
> Well, and some blinking message lines at boot time warning the new user that
> his machine is blocking all possible networking, absolutely ISOLATED? What
> about removing all networking support by default? So the user will have to
> learn ALL networking risks before connecting/accepting connections from
> anywhere (oh yes, he will learn a lot along the way).
not all services are tcpwrapped. as a matter of fact, exactly TWO types
of services are tcpwrapped:
* those spawned from inetd, that explicitly have tcpd in their invocation
* those compiled with libwrap
not all services suffer as such. so to say a system with ALL:ALL in
hosts.deny (i hate that file. it should go away. replaced with
echo ALL:ALL:DENY >> /etc/hosts.allow) disallows ALL networking is
false. the suggestion to have localhost and localnet in hosts.allow, and
all:all:deny in hosts.allow is a very good one.
SECURE by default. open up by a positive action.
have we not learned the mistakes of red hat? are we doomed to repeat
them? keep it CLOSED. force the user to make a conscious decision to
open up their box.
> Be serious, what type of system do we want? One both for users and for
> servers, or an openbsd-alike firewalling (user unfriendly) system?
i cannot speak for OpenBSD, as i have never used it (i can speak for
BSDi and their broken tar, however).
what type of system do you want: susceptible for the next worm, or prepared to
defend against the future onslaughts?
i want a system for users. this means keeping things off. users do not
need lots of services running[1]. if they want to run services, then they
are sysadmins, and must be ready for that step. to do otherwise is to
invite disaster, and be a disservice to the people we are trying to
serve.
-john
[1] do they need any? does an MTA have to listen to an IP other than
loopback? really?
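To make the access-control order the post relies on concrete, here is an added toy model of tcp_wrappers rule evaluation (illustration only, not code from the thread or from the tcp_wrappers package). It implements a subset of the hosts.allow/hosts.deny syntax, including the `: DENY` option form from the hosts_options extension the post uses; the `paranoid` flag, the daemon name `in.ftpd`, the address 192.168.1.0/24 and the hostnames are constructed assumptions.

```python
# Toy model of tcp_wrappers access control (added illustration, not from the
# thread or the tcp_wrappers package). Enough of the rule syntax to show why
# "localnet in hosts.allow, then ALL:ALL:DENY" is closed by default.
import ipaddress

def parse_rules(text):
    """'daemons : clients [: ALLOW|DENY]' per line; '#' comments skipped."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            parts = [p.strip() for p in line.split(":")]
            option = parts[2].upper() if len(parts) > 2 else None
            rules.append((parts[0].split(), parts[1].split(), option))
    return rules

def client_matches(pattern, host, addr, paranoid):
    """ALL, LOCAL, PARANOID, exact host/address, net/mask, trailing-dot prefix."""
    if pattern == "ALL":
        return True
    if pattern == "LOCAL":                 # hostname without a dot
        return "." not in host
    if pattern == "PARANOID":              # forward/reverse DNS disagree
        return paranoid
    if "/" in pattern:
        return ipaddress.ip_address(addr) in ipaddress.ip_network(pattern, strict=False)
    if pattern.endswith("."):
        return addr.startswith(pattern)
    return pattern in (host, addr)

def rule_matches(rule, daemon, host, addr, paranoid):
    daemons, clients, _ = rule
    return (("ALL" in daemons or daemon in daemons)
            and any(client_matches(p, host, addr, paranoid) for p in clients))

def access(allow_text, deny_text, daemon, host, addr, paranoid=False):
    """hosts.allow is consulted first and the first match decides (a DENY
    option refuses); then hosts.deny, where a match refuses; else granted."""
    for rule in parse_rules(allow_text):
        if rule_matches(rule, daemon, host, addr, paranoid):
            return rule[2] != "DENY"
    for rule in parse_rules(deny_text):
        if rule_matches(rule, daemon, host, addr, paranoid):
            return False
    return True  # tcp_wrappers grants when neither file matches

# Constructed rule sets: the single-file layout recommended in the thread...
CLOSED_ALLOW = "ALL : LOCAL 127.0.0.1 192.168.1.0/255.255.255.0\nALL : ALL : DENY\n"
# ...versus the debated default: empty hosts.allow, only PARANOID in hosts.deny.
PARANOID_DENY = "ALL : PARANOID\n"
```

With `CLOSED_ALLOW` a local-network client is admitted and everything else hits the `ALL : ALL : DENY` line; with only `ALL : PARANOID` in hosts.deny, a remote client whose forward and reverse DNS agree is admitted because tcp_wrappers grants access when neither file matches.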