conf/112441: deprecated lines in /etc/hosts.allow
andy.kosela at gmail.com
Sat May 5 13:20:02 UTC 2007
>Synopsis: deprecated lines in /etc/hosts.allow
>Arrival-Date: Sat May 05 13:20:01 GMT 2007
>Originator: Andy Kosela
FreeBSD plato.domain 6.2-RELEASE-p4 FreeBSD 6.2-RELEASE-p4 #0: Thu Apr 26 17:40:53 UTC 2007 root at i386-builder.daemonology.net:/usr/obj/usr/src/sys/GENERIC i386
The following lines in /etc/hosts.allow are deprecated and should be removed.
>From my understanding of how tcpd is built, it is built by default with -DPARANOID
option turned on so all requests from DNS mismatched clients are dropped BEFORE
looking at the access tables.
# Protect against simple DNS spoofing attacks by checking that the
# forward and reverse records for the remote host match. If a mismatch
# occurs, access is denied, and any positive ident response within
# 20 seconds is logged. No protection is afforded against DNS poisoning,
# IP spoofing or more complicated attacks. Hosts with no reverse DNS
# pass this rule.
ALL : PARANOID : RFC931 20 : deny
More information about the freebsd-bugs