Date:      Fri, 12 Sep 1997 10:58:42 +0200 (CEST)
From:      torstenb@onizuka.tb.9715.org (Torsten Blum)
To:        andreas@klemm.gtn.com (Andreas Klemm)
Cc:        mark@grondar.za, ports@freebsd.org, hackers@freebsd.org
Subject:   Re: Major bogon in tcp_wrappers port.
Message-ID:  <m0x9RYo-0006haC@onizuka.tb.9715.org>
In-Reply-To: <19970911075604.13003@klemm.gtn.com> from Andreas Klemm at "Sep 11, 97 07:56:04 am"

[Cc to hackers]

Andreas Klemm wrote:

> > > (Sendmail has such hooks, so does ssh (and I believe cvsupd as well?))
> > 
> > Uh, I thought this was a joke...
> > 
> > Why should we move tcpwrapper to the base system ? I can't see an
> > advantage here.
> 
> So that we can say, FreeBSD is secure automatically.

That's bullshit. FreeBSD will not be more secure if we add tcp-wrapper to
the base system. You don't get more security just by installing some kind
of software, you have to configure the software.
Without hosts.{allow,deny} tcpd will only log connections - and that's already
supported by our inetd.

> I don't know if
> you noticed Jordan's letter to a WWW online computer magazine to their
> review of FreeBSD vs. SCO, NT and others. They for example tested every
> system "as is". So I think it's a big win for security and marketing,
> if we can say, that our system is secured by default !

Andreas, nothing is secure by default. 

> > tcpd is an easy "plug in" and one of its "advantages" is that you just
> > have to change inetd.conf - no compile-time changes.
> 
> Yes, agreed. And in addition to that nice feature we discuss, to
> strengthen security of the base system with that fine tool ;-)

Everybody has different needs for security. There are more than enough
users who'll never need tcpwrapper because
 - they only have a small set of "services" running on these boxes
   (for example www server, dns, sendmail etc)
 - we have users who really don't care about security (sad but true).
   They never care to configure hosts.{allow,deny} or even check their
   logfiles
 - Machines without "external" connections
and many many more

> > It's harder to configure hosts.{allow,deny} than changing inetd.conf.
> 
> Hmm, where's the logic here ? If you don't have a hosts.allow and
> hosts.deny, then nothing happens ... so no extra work needed ;-)

Bloat. We really don't need tcp wrapper in the base system. If you want
a default installation including tcpwrapper, convince Jordan to add a
"knob" in sysinstall (install the tcpwrapper package, change inetd.conf,
configure hosts.{deny,allow} etc).

> But if you need it, then you are able to fine tune the system and
> the knobs are already _there_ ;-)

As I said, the only thing you have to do (besides configuring hosts.allow/deny)
is to add the package.

> > Aeh, that's why we have the ports tree. If something is really optional
> > and you just have to change a config file why should it be moved to
> > the base system ?
> 
> Maybe to include some extra functionality per default with respect
> to internet security ?!

Extra functionality that, without further configuration, gives a false
sense of security ?
Extra functionality that a lot of our users don't need or don't care about?

> > > Negotiable. I kinda like the idea of two files - inetd.conf.dist and 
> > > inetd.conf.wrap.dist, and some install option to choose one.
> > 
> > We don't need to have tcpwrapper in the base system to provide an
> > example config file.
> 
> No, the question was, how to invoke or disable tcp_wrappers with
> simple knobs in rc.conf or something else ...

Andreas, have you _ever_ configured tcpd ? tcpd is not a standalone daemon.
To activate it, you have to modify inetd.conf. 

Don't get me wrong, I'm all for a "more" secure system, but you don't get
this out of the box. You _always_ have to configure something.
If a tool highly depends on the system and needs a rebuild of several tools
to take advantage of it, I'll probably suggest adding it to the base system.
But tcp wrapper has been written to fit into the system without
rebuilding system software, heck, for many systems you don't even have the
sources to do that.

I voted against including pidentd in the base system and I do the same
in this case.

 -tb
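Added illustration of the point made above, not code from this thread or from tcp_wrappers itself: a simplified Python model of how libwrap evaluates hosts.allow and hosts.deny. With neither file present every connection is granted, which is why an unconfigured tcpd does nothing beyond logging. Assumed simplifications: only the ALL, leading-dot (domain suffix), trailing-dot (address prefix) and EXCEPT patterns are modelled, and the rule files are passed in as strings rather than read from /etc.

```python
"""Simplified model of tcp_wrappers (libwrap) access control (added example).

Activation is an inetd.conf change only, e.g. (constructed line):
    telnet  stream  tcp  nowait  root  /usr/libexec/tcpd  telnetd
tcpd then checks hosts.allow / hosts.deny before running telnetd.
"""


def _match_item(pattern, value):
    # Patterns modelled: ALL, ".domain" suffix, "1.2.3." prefix, exact match.
    if pattern == "ALL":
        return True
    if pattern.startswith("."):
        return value.endswith(pattern)
    if pattern.endswith("."):
        return value.startswith(pattern)
    return pattern == value


def _match_list(pattern_list, value):
    # "a b EXCEPT c": match the left list, then exclude the right list.
    parts = pattern_list.split()
    if "EXCEPT" in parts:
        i = parts.index("EXCEPT")
        left, right = " ".join(parts[:i]), " ".join(parts[i + 1:])
        return _match_list(left, value) and not _match_list(right, value)
    return any(_match_item(p, value) for p in parts)


def rules_match(rules_text, daemon, client):
    # Each rule line is "daemon_list : client_list [: shell_command]".
    # A missing file (None) matches nothing.
    if rules_text is None:
        return False
    for line in rules_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        daemons, _, rest = line.partition(":")
        clients = rest.split(":")[0]  # drop the optional shell_command field
        if _match_list(daemons.strip(), daemon) and _match_list(clients.strip(), client):
            return True
    return False


def access_allowed(daemon, client, hosts_allow=None, hosts_deny=None):
    # libwrap order: grant on hosts.allow match, refuse on hosts.deny match,
    # otherwise grant. No files at all therefore means "allow everything".
    if rules_match(hosts_allow, daemon, client):
        return True
    if rules_match(hosts_deny, daemon, client):
        return False
    return True
```

Sample rule texts below are constructed for the test; real deployments also use hostname lookups and keywords such as LOCAL that this model omits.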