Date: Sat, 5 May 2007 13:12:27 GMT From: Andy Kosela<andy.kosela@gmail.com> To: freebsd-gnats-submit@FreeBSD.org Subject: conf/112441: deprecated lines in /etc/hosts.allow Message-ID: <200705051312.l45DCRfp051001@www.freebsd.org> Resent-Message-ID: <200705051320.l45DK1NW099537@freefall.freebsd.org>
next in thread | raw e-mail | index | archive | help
>Number: 112441 >Category: conf >Synopsis: deprecated lines in /etc/hosts.allow >Confidential: no >Severity: non-critical >Priority: low >Responsible: freebsd-bugs >State: open >Quarter: >Keywords: >Date-Required: >Class: change-request >Submitter-Id: current-users >Arrival-Date: Sat May 05 13:20:01 GMT 2007 >Closed-Date: >Last-Modified: >Originator: Andy Kosela >Release: 6.2-RELEASE >Organization: >Environment: FreeBSD plato.domain 6.2-RELEASE-p4 FreeBSD 6.2-RELEASE-p4 #0: Thu Apr 26 17:40:53 UTC 2007 root@i386-builder.daemonology.net:/usr/obj/usr/src/sys/GENERIC i386 >Description: The following lines in /etc/hosts.allow are deprecated and should be removed. >From my understanding of how tcpd is built, it is built by default with -DPARANOID option turned on so all requests from DNS mismatched clients are dropped BEFORE looking at the access tables. /etc/hosts.allow: # Protect against simple DNS spoofing attacks by checking that the # forward and reverse records for the remote host match. If a mismatch # occurs, access is denied, and any positive ident response within # 20 seconds is logged. No protection is afforded against DNS poisoning, # IP spoofing or more complicated attacks. Hosts with no reverse DNS # pass this rule. ALL : PARANOID : RFC931 20 : deny >How-To-Repeat: >Fix: >Release-Note: >Audit-Trail: >Unformatted:
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200705051312.l45DCRfp051001>