[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: ALL: PARANOID from /etc/hosts.deny Should be Commented by default

On Fri, Apr 20, 2001 at 08:26:06AM +1000, Daniel Stone wrote:
> If you want REAL security, stop bullshitting yourself and get a firewall,
> preferably stateful (btw, netfilter is stateful, I have never bought a FW-1
> license in my life, and probably never will). What I was saying was this:

A firewall is not the end-all, be-all of security.  Those who think it is are
setting themselves up for problems.

> * ALL: PARANOID is a sane default.

Your opinion.  I still haven't seen anything in this thread (that hasn't been
refuted) that suggest that PARANOID checks provide any more security than
leaving a box wide open.  Yet, there is plenty of proof that they cause
problems (if you don't believe me, do a GOOGLE search for "tcpd paranoid

> It provides extra security as a layer. If you just do IP-based access to
> your box (i.e. only certain IPs allowed), you don't NEED this. But think
> about the other 99% of people. Like myself. It's a good extra layer. I like
> this extra layer.
> ALL: PARANOID clearly doesn't apply to these systems where ONLY certain
> *explicitly specified* IPs can access it. So stop dragging them into the
> argument and get back to making real points.

You're the one changing the subject, not me.

Every system should be relying on "*explicitly specified* IP's", whether the
IP specified is or  Not bullshit "security" like 
PARANOID.  If you could swallow your pride for a second, stop saying things
like "REAL security", and think about what this check actually does, you would
see exactly how silly it is.

> -- 
> Daniel Stone
> Linux Kernel Developer

Frankly, this scares me.


Adam McKenna  <adam@debian.org>  <adam@flounder.net>

Reply to: