[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: ALL: PARANOID from /etc/hosts.deny Should be Commented by default

On Thu, Apr 19, 2001 at 03:33:23AM +0200, Eloi Granado wrote:
> On Thursday 19 April 2001 01:57, Nathan Dabney wrote:
> > For those of you who do not like PARANOID, what would you suggest without
> > reducing the protection?  Does ALL: ALL with some commentary explaining
> > where the user can go for more information sound good?
> Well, and some blinking message lines at boot time warning the new user that 
> his machine is blocking all possible networking, absolutely ISOLATED? What 
> about to remove all networking support by default? So the user will have to 
> learn ALL networking risks before connecting/accepting connections from 
> anywhere (oh yes, he will learn a lot in the way).

not all services are tcpwrapped.  as a matter of fact, exactly TWO types
of services are tcpwrapped:
      * those spawned from inetd, that explicitly have tcpd in their
      * those compiled with libwrap

not all services suffer as such. so to say a system with ALL:ALL in
hosts.deny (i hate that file. it should go away. replaced with
echo ALL:ALL:DENY >> /etc/hosts.allow) disallows ALL networking is
false. the suggestion to have localhost and localnet in hosts.allow, and
all:all:deny in hosts.allow is a very good one.

SECURE by default. open up by a positive action.

have we not learned the mistakes of red hat? are we doomed to repeat
them? keep it CLOSED. force the user to make a conscious decision to
open up their box.

> Be serious, what type of system do we want? One both for users and for 
> servers, or a openbsd alike firewalling (user unfriendly) system?

i cannot speak for OpenBSD, as i have never used it (i can speak for
BSDi and their broken tar, however).

what type of system do you want: susceptible for the next worm, or prepared to
defend against the future onslaughts?

i want a system for users. this means keeping things off. users do not
need lots of services running[1]. if they want to run services, then they
are sysadmins, and mus be ready for that step. to do otherwise is to
invite diaster, and be a disservice to the people we are trying to


[1] do they need any? does an MTA have to listen to an IP other than
    loopback? really?

Reply to: