Date: 29 Jul 1998 22:45:50 +0200
From: Benedikt Stockebrand <benedikt@devnull.ruhr.de>
To: sthaug@nethelp.no
Cc: benedikt@devnull.ruhr.de, marcs@znep.com, ben@rosengart.com, security@FreeBSD.ORG
Subject: Re: inetd enhancements (fwd)
Message-ID: <87d8aos7wh.fsf@devnull.ruhr.de>
In-Reply-To: sthaug@nethelp.no's message of "Wed, 29 Jul 1998 20:08:54 +0200"
References: <87af5um74j.fsf@devnull.ruhr.de> <2983.901735734@verdi.nethelp.no>
sthaug@nethelp.no writes:

[Re: Filtering packets coming in through the "wrong" interface]

> > I'd use a packet filter for that, something like
>
> Certainly you can do that - but it seems like a rather heavyweight
> method of solving this particular problem. I'd like to have something
> that could be twiddled with sysctl myself.

Point taken. But let me play the advocatus diaboli for a moment:

- If we put everything that may be reasonable for some people and/or situations into the kernel, we risk ending up with a system that's as sluggish as Solaris (not to mention something like NT).

- As long as we're dealing with security, a smaller system is inherently less insecure because it'll contain fewer bugs. The filter you propose doesn't provide additional functionality that can't be done through the packet filter mechanism. To achieve maximum "orthogonality" it should be left out.

- If your system lives on a network with potentially malicious packets coming in, you'd better use a proper packet filter anyway as part of securing that machine properly. If you don't have to worry about possible attacks (because you've got a firewall in place and trust the local machines), you don't really need such a filter. As a consequence there shouldn't be widespread enough use for this feature to justify putting it into the kernel.

Of course I'm somewhat biased, because I think that the only way to build a reasonably secure system is to stick with those abstract rules of thumb like "maximizing orthogonality" and "minimizing total system size" and such. And since I feel reasonably comfortable setting up a packet filter, I don't feel as much of a pressing need for this feature as someone who's only started trying to figure out what a packet filter is.

Anyway, your proposal isn't something I'd feel like getting religious about. If someone provides the code and someone with commit privilege is willing to integrate it into the source tree, I'd just go on with life as before :-)

So long,

Ben

--
Ben(edikt)? Stockebrand      Un*x SA
My name and email address are not to be added to any list used for advertising purposes. Any sender of unsolicited advertisement e-mail to this address implicitly agrees to pay a DM 500 fee to the recipient for proofreading services.
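The thread argues that packets arriving on the "wrong" interface should be handled by the packet filter rather than a kernel knob. As an added illustration (not code from the thread or from FreeBSD), the block below models the decision such a filter makes: a first-match rule table keyed on ingress interface and source prefix, with default deny, run over constructed sample traffic. The interface names ed0/ed1 and the 192.0.2.0/24 LAN are assumptions for the example.

```python
import ipaddress
from typing import List, NamedTuple, Tuple


class Rule(NamedTuple):
    action: str   # "allow" or "deny"
    src: str      # source prefix in CIDR notation
    iface: str    # ingress interface the rule applies to ("*" = any)


# Constructed topology (assumption): ed0 faces the 192.0.2.0/24 LAN,
# ed1 faces the outside world.
LAN = "192.0.2.0/24"
RULES: List[Rule] = [
    # Outside interface: a LAN, loopback or RFC 1918 source is spoofed.
    Rule("deny", LAN, "ed1"),
    Rule("deny", "127.0.0.0/8", "ed1"),
    Rule("deny", "10.0.0.0/8", "ed1"),
    Rule("deny", "172.16.0.0/12", "ed1"),
    Rule("deny", "192.168.0.0/16", "ed1"),
    Rule("allow", "0.0.0.0/0", "ed1"),
    # Inside interface: only LAN sources are plausible there.
    Rule("allow", LAN, "ed0"),
    Rule("deny", "0.0.0.0/0", "ed0"),
]


def filter_packet(src: str, iface: str, rules: List[Rule] = RULES) -> str:
    """First matching rule wins, as in most packet filters; default deny."""
    addr = ipaddress.ip_address(src)
    for rule in rules:
        if rule.iface not in ("*", iface):
            continue
        if addr in ipaddress.ip_network(rule.src):
            return rule.action
    return "deny"   # no rule matched (e.g. unknown interface): fail closed


def audit(packets: List[Tuple[str, str]]) -> List[Tuple[str, str, str]]:
    """Classify (src, iface) pairs; returns (src, iface, verdict) triples."""
    return [(s, i, filter_packet(s, i)) for s, i in packets]


# Constructed sample traffic: (source address, ingress interface).
SAMPLE = [
    ("192.0.2.10", "ed0"),    # legitimate LAN host
    ("192.0.2.10", "ed1"),    # LAN address arriving from outside: spoofed
    ("203.0.113.5", "ed1"),   # ordinary outside host
    ("203.0.113.5", "ed0"),   # outside address arriving on the inside: spoofed
    ("10.1.2.3", "ed1"),      # private source from outside
    ("192.0.2.10", "lo0"),    # interface with no rules: default deny
]

if __name__ == "__main__":
    for src, iface, verdict in audit(SAMPLE):
        print(f"{verdict:5} {src:>14} in via {iface}")
```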