From owner-freebsd-security  Wed Aug 15  4:48:59 2001
Delivered-To: freebsd-security@freebsd.org
Received: from kawoserv.kawo2.rwth-aachen.de (kawoserv.kawo2.RWTH-Aachen.DE [134.130.180.1])
	by hub.freebsd.org (Postfix) with ESMTP
	id 5146537B406; Wed, 15 Aug 2001 04:48:53 -0700 (PDT)
	(envelope-from alex@big.endian.de)
Received: from zerogravity.kawo2.rwth-aachen.de (zerogravity.kawo2.rwth-aachen.de [134.130.181.28])
	by kawoserv.kawo2.rwth-aachen.de (8.9.3/8.9.3) with ESMTP id NAA17931;
	Wed, 15 Aug 2001 13:48:52 +0200
Received: by zerogravity.kawo2.rwth-aachen.de (Postfix, from userid 1001)
	id ACD7414E50; Wed, 15 Aug 2001 13:48:52 +0200 (CEST)
Date: Wed, 15 Aug 2001 13:48:52 +0200
From: Alexander Langer <alex@big.endian.de>
To: Robert Watson <rwatson@FreeBSD.org>
Cc: security@FreeBSD.org
Subject: Re: cvs commit: src/etc inetd.conf
Message-ID: <20010815134852.B16184@zerogravity.kawo2.rwth-aachen.d>
References: <20010814213312.C22531@zerogravity.kawo2.rwth-aachen.d> <Pine.NEB.3.96L.1010814194754.72605A-100000@fledge.watson.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <Pine.NEB.3.96L.1010814194754.72605A-100000@fledge.watson.org>; from rwatson@FreeBSD.org on Tue, Aug 14, 2001 at 07:50:56PM -0400
X-PGP-Fingerprint: 44 28 CA 4C 46 5B D3 A8  A8 E3 BA F3 4E 60 7D 7F
X-PGP-at: finger alex@big.endian.de
X-Verwirrung: Dieser Header dient der allgemeinen Verwirrung.
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID: <freebsd-security.FreeBSD.ORG>
List-Archive: <http://docs.freebsd.org/mail/> (Web Archive)
List-Help: <mailto:majordomo@FreeBSD.ORG?subject=help> (List Instructions)
List-Subscribe: <mailto:majordomo@FreeBSD.ORG?subject=subscribe%20freebsd-security>
List-Unsubscribe: <mailto:majordomo@FreeBSD.ORG?subject=unsubscribe%20freebsd-security>
X-Loop: FreeBSD.org

Thus spake Robert Watson (rwatson@FreeBSD.org):

> processing out of cron, not bind sockets, etc.  I don't know much about
> that, from an operational perspective, and would be interested in hearing
> more about the considerations here.  For example, I do know that a number
> of system functions generate e-mail (scheduled events, vi recovery, etc)
> and that needs to be handled properly.

We can disable binding to port 25 and local mail delivery will still
work.  I also like disabling all other network services by default.
One of OpenBSD's argument is, that you then know what services you've
had enabled, and you then know, what to take care about.  If you
missed a SA about some service you haven't enabled either, who cares?

Alex

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message