Re: ALL: PARANOID from /etc/hosts.deny Should be Commented by default
On Fri, Apr 20, 2001 at 08:26:06AM +1000, Daniel Stone wrote:
> If you want REAL security, stop bullshitting yourself and get a firewall,
> preferably stateful (btw, netfilter is stateful, I have never bought a FW-1
> license in my life, and probably never will). What I was saying was this:
A firewall is not the end-all, be-all of security. Those who think it is are
setting themselves up for problems.
> * ALL: PARANOID is a sane default.
Your opinion. I still haven't seen anything in this thread (that hasn't been
refuted) that suggests that PARANOID checks provide any more security than
leaving a box wide open. Yet, there is plenty of proof that they cause
problems (if you don't believe me, do a GOOGLE search for "tcpd paranoid
> It provides extra security as a layer. If you just do IP-based access to
> your box (i.e. only certain IPs allowed), you don't NEED this. But think
> about the other 99% of people. Like myself. It's a good extra layer. I like
> this extra layer.
> ALL: PARANOID clearly doesn't apply to these systems where ONLY certain
> *explicitly specified* IPs can access it. So stop dragging them into the
> argument and get back to making real points.
You're the one changing the subject, not me.
Every system should be relying on "*explicitly specified* IPs", whether the
IP specified is 0.0.0.0/0 or 127.0.0.1. Not bullshit "security" like
PARANOID. If you could swallow your pride for a second, stop saying things
like "REAL security", and think about what this check actually does, you would
see exactly how silly it is.
> Daniel Stone
> Linux Kernel Developer
Frankly, this scares me.
Adam McKenna <email@example.com> <firstname.lastname@example.org>