From owner-freebsd-ports Wed Sep 10 23:05:28 1997
Return-Path:
Received: (from root@localhost)
        by hub.freebsd.org (8.8.7/8.8.7) id XAA29640
        for ports-outgoing; Wed, 10 Sep 1997 23:05:28 -0700 (PDT)
Received: from news1.gtn.com (news1.gtn.com [194.77.0.15])
        by hub.freebsd.org (8.8.7/8.8.7) with ESMTP id XAA29629
        for ; Wed, 10 Sep 1997 23:05:18 -0700 (PDT)
Received: (from uucp@localhost)
        by news1.gtn.com (8.8.6/8.8.6) with UUCP id IAA12310;
        Thu, 11 Sep 1997 08:00:20 +0200 (MET DST)
Received: (from andreas@localhost)
        by klemm.gtn.com (8.8.7/8.8.7) id HAA25435;
        Thu, 11 Sep 1997 07:56:04 +0200 (CEST)
Message-ID: <19970911075604.13003@klemm.gtn.com>
Date: Thu, 11 Sep 1997 07:56:04 +0200
From: Andreas Klemm
To: Torsten Blum
Cc: Mark Murray , ports@freebsd.org
Subject: Re: Major bogon in tcp_wrappers port.
References: <199709101631.SAA00382@greenpeace.grondar.za>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 0.79
In-Reply-To: ; from Torsten Blum on Thu, Sep 11, 1997 at 12:03:44AM +0200
X-Disclaimer: A free society is one where it is safe to be unpopular
X-Operating-System: FreeBSD 3.0-CURRENT SMP
Sender: owner-freebsd-ports@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

On Thu, Sep 11, 1997 at 12:03:44AM +0200, Torsten Blum wrote:
> Mark Murray wrote:
>
> > (Sendmail has such hooks, so does ssh (and I believe cvsupd as well?))
>
> Uh, I thought this was a joke...
>
> Why should we move tcpwrapper to the base system ? I can't see an
> advantage here.

So that we can say, FreeBSD is secure automatically.
I don't know if you noticed Jordan's letter to a WWW online
computer magazine to their review of FreeBSD vs. SCO, NT and
others. They for example tested every system "as is".

So I think it's a big win for security and marketing, if we
can say, that our system is secured by default !

> tcpd is an easy "plug in" and one of its "advantages" is that you just
> have to change inetd.conf - no compile-time changes.

Yes, agreed.
And in addition to that nice feature we discuss, to strengthen
security of the base system with that fine tool ;-)

> It's harder to configure hosts.{allow,deny} than changing inetd.conf.

Hmm, where's the logic here ? If you don't have a hosts.allow
and hosts.deny, then nothing happens ... so no extra work needed ;-)
But if you need it, then you are able to fine tune the system and
the knobs are already _there_ ;-)

> Aeh, that's why we have the ports tree. If something is really optional
> and you just have to change a config file why should it be moved to
> the base system ?

Maybe to include some extra functionality per default with respect
to internet security ?!

> > Negotiable. I kinda like the idea of two files - inetd.conf.dist and
> > inetd.conf.wrap.dist, and some install option to choose one.
>
> We don't need to have tcpwrapper in the base system to provide an
> example config file.

No, the question was, how to invoke or disable tcp_wrappers with
simple knobs in rc.conf or something else ...

--
Andreas Klemm | klemm.gtn.com - powered by Symmetric MultiProcessor FreeBSD
http://www.freebsd.org/~fsmp/SMP/SMP.html
http://www.freebsd.org/~fsmp/SMP/benches.html
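
Added example, not part of the original message and not tcp_wrappers code: a simplified Python model of the hosts_access(5) decision order the thread relies on (allow match grants, else deny match refuses, else grant; a missing file counts as empty). The rule subset, function names, file contents and client addresses are constructed for illustration.

```python
# Simplified model of the hosts_access(5) decision order (added example).
# Only literal names, ALL, ".domain" suffixes and "a.b.c." prefixes are handled.
import tempfile
from pathlib import Path

def load_rules(path):
    """Return [(daemons, clients)]; a missing file is treated as empty."""
    if not path.exists():
        return []
    rules = []
    for line in path.read_text().splitlines():
        if line.lstrip().startswith("#") or ":" not in line:
            continue
        daemons, clients = line.split(":")[:2]
        rules.append((daemons.replace(",", " ").split(),
                      clients.replace(",", " ").split()))
    return rules

def client_matches(pattern, host, addr):
    if pattern == "ALL":
        return True
    if pattern.startswith("."):            # domain suffix
        return host.lower().endswith(pattern.lower())
    if pattern.endswith("."):              # address prefix
        return addr.startswith(pattern)
    return pattern.lower() == host.lower() or pattern == addr

def file_matches(path, daemon, host, addr):
    return any((daemon in daemons or "ALL" in daemons)
               and any(client_matches(p, host, addr) for p in clients)
               for daemons, clients in load_rules(path))

def access_granted(allow, deny, daemon, host, addr):
    if file_matches(allow, daemon, host, addr):
        return True                        # 1. match in hosts.allow: grant
    if file_matches(deny, daemon, host, addr):
        return False                       # 2. match in hosts.deny: refuse
    return True                            # 3. no match in either file: grant

def demo():
    """Constructed files and clients; returns the four decisions in order."""
    with tempfile.TemporaryDirectory() as d:
        allow, deny = Path(d, "hosts.allow"), Path(d, "hosts.deny")
        first = access_granted(allow, deny, "ftpd", "h.example.net", "198.51.100.7")
        deny.write_text("ALL: ALL\n")
        allow.write_text("ftpd: .example.org, 192.0.2.\n")
        return [first,
                access_granted(allow, deny, "ftpd", "h.example.net", "198.51.100.7"),
                access_granted(allow, deny, "ftpd", "a.example.org", "203.0.113.5"),
                access_granted(allow, deny, "telnetd", "h.example.net", "192.0.2.9")]
```

The first decision in `demo()` is made with neither file present, which is the "nothing happens" case from the message; the later ones use a default-deny `hosts.deny` with one `hosts.allow` exception.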