[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: ALL: PARANOID from /etc/hosts.deny Should be Commented by default

On Thu, Apr 19, 2001 at 11:51:28PM +1000, Daniel Stone wrote:
> If you want security, you run a stateful firewall (think: iptables) with -P
> DROP, only a few explicit ports let through, only to the lucky few, no
> telnet, etc. But does this *look* like Trustix? Nope. Not DeadRat, either,
> but not Trustix. Debian has end-users, a lot of whom won't bother to set up
> firewalls, because it's only a home box, and we can't force them to. But
> setting up sane tcpwrappers defaults will go a LONG WAY. (Also see what I've
> written below).

No, sorry.  Every box connected to the internet does not need a stateful
firewall in front of it.  This is an idea that has been propagated by the
clueless "security admin" world in order to sell more Checkpoint licenses.

A web server box running Apache and SSH (only) can be adequately protected by 
tcp wrappers if they're configured correctly.  (IE, using IP-based access 

As far as "sane" defaults, PARANOID is not one.  It provides no extra


Adam McKenna  <adam@debian.org>  <adam@flounder.net>

Reply to: