[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: ALL: PARANOID from /etc/hosts.deny Should be Commented by default



On Thu, Apr 19, 2001 at 11:51:28PM +1000, Daniel Stone wrote:
> On Thu, Apr 19, 2001 at 07:28:09AM -0400, Michael Stone wrote:
> > On Wed, Apr 18, 2001 at 11:25:23PM -0700, Adam McKenna wrote:
> > > I think that the main point people are missing here is that in order for 
> > > PARANOID to be anything other than an annoyance, it MUST co-exist with
> > > hostname-based rules.
> > 
> > *YES*, this is correct! All those making silly statements about the
> > security added by PARANOID should read the above. Study it carefully.
> > Think about what security *used to be* at the time tcp wrappers were
> > invented. [...] Suggesting that dns records should
> > be used as a basis for such checks is dangerously misleading. 
> 
> If you think that tcpwrappers provides ANY sort of security whatsoever, you
> need to be LARTED repeatedly with the most LARTy LART any LARTer can find.
> 
> Seriously.

No, not seriously. TCP wrappers provide an additional layer of security
which is quite useful in many situations. That is not true of PARANOID
(as described previously). Thank you for adding to the technical level
of the discusion with your "LARTy LART" comments.

> > Now I'm sure some people will argue that PARANOID helps the clueless who
> > don't know that dns is trivially spoofed. But you can't have it both
> > ways--you can't argue that PARANOID is good even though less experienced
> > admins will have hard-to-diagnose problems, and that such admins need a
> > lart, and then argue that PARANOID is undeniably necessary because it
> > adds a shred of *false confidence* for clueless admins. Which of the two
> > clueless admins is being led into *dangerous* territory?
> 
> I still have this on my system, and will until something like this is valid:
> iptables -A INPUT -m dns ! --valid-both-ways -j DROP
> But, it's not, and never will be, because this goes through to the kernel,
> and DNS (especially both-way) in the kernel just sucks. So it is actually
> still a nice thingy to have around, *even if* you happen to run a pretty
> strong firewall, which I do.

If that's something you want, great--add it. But in the general case
PARANOID is far more trouble than it's worth. Nothing you wrote refuted
anything that I said above.

-- 
Mike Stone

Attachment: pgpomsgB3oEWm.pgp
Description: PGP signature


Reply to: