From owner-freebsd-ports Wed Sep 10 09:29:57 1997
Return-Path:
Received: (from root@localhost)
          by hub.freebsd.org (8.8.7/8.8.7) id JAA11572
          for ports-outgoing; Wed, 10 Sep 1997 09:29:57 -0700 (PDT)
Received: from gratis.grondar.za (gratis.grondar.za [196.7.18.133])
          by hub.freebsd.org (8.8.7/8.8.7) with ESMTP id JAA11549
          for ; Wed, 10 Sep 1997 09:29:41 -0700 (PDT)
Received: from greenpeace.grondar.za (greenpeace.grondar.za [196.7.18.132])
          by gratis.grondar.za (8.8.7/8.8.7) with ESMTP id SAA29208;
          Wed, 10 Sep 1997 18:29:06 +0200 (SAT)
Received: from greenpeace.grondar.za (localhost [127.0.0.1])
          by greenpeace.grondar.za (8.8.7/8.8.7) with ESMTP id SAA00382;
          Wed, 10 Sep 1997 18:31:11 +0200 (SAT)
Message-Id: <199709101631.SAA00382@greenpeace.grondar.za>
X-Mailer: exmh version 2.0zeta 7/24/97
To: Andreas Klemm
cc: Mark Murray , ports@FreeBSD.ORG
Subject: Re: Major bogon in tcp_wrappers port.
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Date: Wed, 10 Sep 1997 18:31:11 +0200
From: Mark Murray
Sender: owner-freebsd-ports@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

Andreas Klemm wrote:

[ MarkM suggesting we bring tcp_wrappers into the "mainstream"]

> You're right, I'd vote for it as well.
> On the other hand ... how much overhead does it bring ?

Not much. Physically, the files are not big. They do not take much time
to compile. They _do_ add some latency to your daemon's startup, except
in the case where the app is linked against libwrap. (Sendmail has such
hooks, so does ssh (and I believe cvsupd as well?))

> Every time when an inetd related service is being started,
> the (of course small) tcpd program has to be executed.

Sure. You can configure your system such that the wrappers are not
used, if you prefer.

> Does it have to read and interpret sample /etc/hosts.allow
> and /etc/hosts.deny files, that might/should/could be created
> in /etc ?

If not present, these default to "allow everything".

> And ... which inetd related server programs do we want to
> protect, only some or all ?

Negotiable. I kinda like the idea of two files - inetd.conf.dist and
inetd.conf.wrap.dist, and some install option to choose one.

M
--
Mark Murray
Join the anti-SPAM movement: http://www.cauce.org
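
The access decision discussed in the message above, as an added example that is not part of the original thread and is not tcp_wrappers code: a simplified Python model of the hosts.allow / hosts.deny evaluation order, showing why absent files mean "allow everything" and how a catch-all deny rule changes that. The function names, the sample client and the sample rules are constructed, and only the ALL wildcard, leading-dot name suffixes, trailing-dot address prefixes and exact matches are modelled (no EXCEPT, netmasks or option fields).

```python
import tempfile
from pathlib import Path


def load_rules(path):
    """Parse 'daemon_list : client_list' lines; a missing file yields no rules."""
    lines = path.read_text().splitlines() if path.exists() else []
    rules = []
    for line in lines:
        fields = line.split(":")
        if line.startswith("#") or len(fields) < 2:
            continue
        rules.append(tuple(f.replace(",", " ").split() for f in fields[:2]))
    return rules


def client_matches(pattern, name):
    """ALL, exact match, '.domain' suffix or 'net.' prefix (subset only)."""
    return (pattern in ("ALL", name)
            or (pattern.startswith(".") and name.endswith(pattern))
            or (pattern.endswith(".") and name.startswith(pattern)))


def rule_matches(rules, daemon, client):
    return any(any(d in ("ALL", daemon) for d in daemons)
               and any(client_matches(p, n) for p in patterns for n in client)
               for daemons, patterns in rules)


def access_granted(daemon, client, allow_path, deny_path):
    """A hosts.allow match grants; else a hosts.deny match refuses; else grant."""
    return (rule_matches(load_rules(allow_path), daemon, client)
            or not rule_matches(load_rules(deny_path), daemon, client))


def demo():
    client = ("198.51.100.7", "host.example.net")  # constructed address and name
    with tempfile.TemporaryDirectory() as d:
        allow, deny = Path(d, "hosts.allow"), Path(d, "hosts.deny")
        out = {"no_files": access_granted("ftpd", client, allow, deny)}
        deny.write_text("ALL: ALL\n")  # catch-all deny turns the default around
        out["deny_all"] = access_granted("ftpd", client, allow, deny)
        allow.write_text("# constructed policy\nftpd: .example.net, 192.0.2.\n")
        out["ftpd"] = access_granted("ftpd", client, allow, deny)
        out["telnetd"] = access_granted("telnetd", client, allow, deny)
    return out

if __name__ == "__main__":
    print(demo())
```

With both files absent every wrapped service is reachable; only the combination of a catch-all hosts.deny and explicit hosts.allow entries gives a default-deny policy.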