Re: ALL: PARANOID from /etc/hosts.deny Should be Commented by default
On Thu, Apr 19, 2001 at 03:33:23AM +0200, Eloi Granado wrote:
> On Thursday 19 April 2001 01:57, Nathan Dabney wrote:
> > For those of you who do not like PARANOID, what would you suggest without
> > reducing the protection? Does ALL: ALL with some commentary explaining
> > where the user can go for more information sound good?
> Well, and some blinking message lines at boot time warning the new user that
> his machine is blocking all possible networking, absolutely ISOLATED? What
> about to remove all networking support by default? So the user will have to
> learn ALL networking risks before connecting/accepting connections from
> anywhere (oh yes, he will learn a lot in the way).
not all services are tcpwrapped. as a matter of fact, exactly TWO types
of services are tcpwrapped:
* those spawned from inetd, that explicitly have tcpd in their
* those compiled with libwrap
not all services suffer as such. so to say a system with ALL:ALL in
hosts.deny (i hate that file. it should go away. replaced with
echo ALL:ALL:DENY >> /etc/hosts.allow) disallows ALL networking is
false. the suggestion to have localhost and localnet in hosts.allow, and
all:all:deny in hosts.allow is a very good one.
SECURE by default. open up by a positive action.
have we not learned the mistakes of red hat? are we doomed to repeat
them? keep it CLOSED. force the user to make a conscious decision to
open up their box.
> Be serious, what type of system do we want? One both for users and for
> servers, or an openbsd-alike firewalling (user unfriendly) system?
i cannot speak for OpenBSD, as i have never used it (i can speak for
BSDi and their broken tar, however).
what type of system do you want: susceptible to the next worm, or prepared to
defend against the future onslaughts?
i want a system for users. this means keeping things off. users do not
need lots of services running. if they want to run services, then they
are sysadmins, and must be ready for that step. to do otherwise is to
invite disaster, and be a disservice to the people we are trying to
do they need any? does an MTA have to listen to an IP other than
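An added check, not from anyone in this thread, that follows the point above about exactly which services tcpd rules cover: it parses a constructed set of inetd.conf lines and reports which entries go through tcpd and which hosts.deny cannot reach; the `uses_libwrap` helper is an assumption meant to be run against a real standalone daemon binary.

```shell
#!/bin/sh
# Audit which inetd services pass through tcpd (so hosts.allow/hosts.deny
# apply) and which are started directly or served by inetd internally,
# where an ALL: ALL line in hosts.deny has no effect at all.

# Constructed sample inetd.conf lines for demonstration, not a real file.
SAMPLE_INETD_CONF='# service socket proto wait user server args
ftp     stream tcp nowait root   /usr/sbin/tcpd       in.ftpd
telnet  stream tcp nowait root   /usr/sbin/tcpd       in.telnetd
finger  stream tcp nowait nobody /usr/sbin/in.fingerd
echo    stream tcp nowait root   internal
#shell  stream tcp nowait root   /usr/sbin/tcpd       in.rshd'

# audit_inetd: reads inetd.conf on stdin, prints "<service> <status>".
# WRAPPED  = server field is tcpd, hosts.allow/hosts.deny are consulted
# DIRECT   = server launched without tcpd, no hosts_access check
# INTERNAL = handled inside inetd itself, no hosts_access check
# Commented-out and malformed entries are skipped.
audit_inetd() {
    awk '
        /^[[:space:]]*#/ || NF < 6 { next }
        {
            if ($6 ~ /(^|\/)tcpd$/)    status = "WRAPPED"
            else if ($6 == "internal") status = "INTERNAL"
            else                       status = "DIRECT"
            print $1, status
        }'
}

# unwrapped_services: only the services hosts.deny cannot protect.
unwrapped_services() {
    audit_inetd | awk '$2 != "WRAPPED" { print $1 }'
}

# uses_libwrap: for standalone daemons (sshd, an MTA, ...) the question is
# whether the binary links libwrap. Assumed helper; needs a real binary, so
# it is not run on the sample above.
uses_libwrap() {
    ldd "$1" 2>/dev/null | grep -q 'libwrap'
}

printf '%s\n' "$SAMPLE_INETD_CONF" | audit_inetd
```

Anything the audit lists as DIRECT or INTERNAL has to be disabled in inetd.conf or filtered elsewhere; a hosts.deny entry will never see those connections.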