conf/112441: deprecated lines in /etc/hosts.allow

Giorgos Keramidas keramida at
Sat May 26 15:50:10 UTC 2007

The following reply was made to PR conf/112441; it has been noted by GNATS.

From: Giorgos Keramidas <keramida at>
To: Andy Kosela <andy.kosela at>
Cc: bug-followup at
Subject: Re: conf/112441: deprecated lines in /etc/hosts.allow
Date: Sat, 26 May 2007 18:39:59 +0300 (EEST)

 On 2007-05-05 13:12, Andy Kosela wrote:
 > The following lines in /etc/hosts.allow are deprecated and
 > should be removed. From my understanding of how tcpd is built,
 > it is built by default with -DPARANOID option turned on so all
 > requests from DNS mismatched clients are dropped BEFORE looking
 > at the access tables.
 > /etc/hosts.allow:
 > # Protect against simple DNS spoofing attacks by checking that the
 > # forward and reverse records for the remote host match. If a mismatch
 > # occurs, access is denied, and any positive ident response within
 > # 20 seconds is logged. No protection is afforded against DNS poisoning,
 > # IP spoofing or more complicated attacks. Hosts with no reverse DNS
 > # pass this rule.
 > ALL : PARANOID : RFC931 20 : deny
 Hi Andy,
 I don't see -DPARANOID in our src/lib/libwrap Makefile.
 Are you sure it is the default mode of operation?
 - Giorgos

More information about the freebsd-bugs mailing list