conf/112441: deprecated lines in /etc/hosts.allow

Andy Kosela andy.kosela at gmail.com
Sun May 27 13:10:12 UTC 2007


The following reply was made to PR conf/112441; it has been noted by GNATS.

From: "Andy Kosela" <andy.kosela at gmail.com>
To: "Giorgos Keramidas" <keramida at freebsd.org>
Cc: bug-followup at freebsd.org
Subject: Re: conf/112441: deprecated lines in /etc/hosts.allow
Date: Sun, 27 May 2007 15:03:58 +0200

 On 5/26/07, Giorgos Keramidas <keramida at freebsd.org> wrote:
 > On 2007-05-05 13:12, Andy Kosela wrote:
 > > The following lines in /etc/hosts.allow are deprecated and
 > > should be removed. From my understanding of how tcpd is built,
 > > it is built by default with -DPARANOID option turned on so all
 > > requests from DNS mismatched clients are dropped BEFORE looking
 > > at the access tables.
 > >
 > > /etc/hosts.allow:
 > > # Protect against simple DNS spoofing attacks by checking that the
 > > # forward and reverse records for the remote host match. If a mismatch
 > > # occurs, access is denied, and any positive ident response within
 > > # 20 seconds is logged. No protection is afforded against DNS poisoning,
 > > # IP spoofing or more complicated attacks. Hosts with no reverse DNS
 > > # pass this rule.
 > > ALL : PARANOID : RFC931 20 : deny
 >
 > Hi Andy,
 >
 > I don't see -DPARANOID in our src/lib/libwrap Makefile.
 > Are you sure it is the default mode of operation?
 >
 > - Giorgos
 >
 >
 
 Hi Giorgos,
 
 from src/contrib/tcp_wrappers/Makefile:
 
 PARANOID= -DPARANOID
 
 but you are right, I didn't notice FreeBSD tcpd is built using src/lib/libwrap.
 So if I understand correctly, DNS-mismatched clients are permitted by the
 default FreeBSD installation according to the first entry in
 /etc/hosts.allow:
 
 # Start by allowing everything (this prevents the rest of the file
 # from working, so remove it when you need protection).
 # The rules here work on a "First match wins" basis.
 ALL : ALL : allow
 
 Do you think this is secure enough? Personally I think that somebody who
 tries to spoof DNS is potentially an attacker and should be blocked.
 
 I see two options here:
 either add the -DPARANOID option as default (it is logically correct to
 block all DNS-mismatched clients, and it is the default operation of the
 contrib tcpd code),
 or
 put ALL : PARANOID : RFC931 20 : deny before ALL : ALL : allow in order to
 help secure the default FreeBSD installations.
 
 best regards,
 Andy Kosela
 Pythagoras Foundation
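The first-match-wins point this thread turns on, shown with an added toy rule evaluator that is not tcp_wrappers' hosts_access() nor any FreeBSD source: it models only the ALL and PARANOID wildcards, literal hostnames/addresses and the allow/deny options, and demonstrates that with `ALL : ALL : allow` first the PARANOID deny is never reached, while the reordered file denies a forward/reverse mismatch and still passes hosts with no reverse DNS. The Client type, the sample peers and the daemon name are constructed for the example.

```python
from dataclasses import dataclass

@dataclass
class Client:
    addr: str         # peer IP address
    reverse: str      # name from the PTR lookup ("" if the host has no reverse DNS)
    forward_ok: bool  # True if that name's forward lookup yields addr again
    @property
    def paranoid(self) -> bool:
        # Forward/reverse disagree => PARANOID; hosts with no reverse DNS pass the rule.
        return bool(self.reverse) and not self.forward_ok

def parse_rules(text: str):
    # Return (daemon_list, client_list, action) tuples; '#' starts a comment.
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = [f.strip() for f in line.split(":")]
        # The final field's keyword (allow/deny) is the verdict; options such as
        # "RFC931 20" only affect ident logging and are ignored in this model.
        action = fields[-1].split()[0].lower() if len(fields) > 2 else "allow"
        rules.append((fields[0].split(), fields[1].split(), action))
    return rules

def client_matches(pattern: str, client: Client) -> bool:
    if pattern == "ALL":
        return True
    if pattern == "PARANOID":
        return client.paranoid
    return pattern in (client.addr, client.reverse)

def hosts_access(rules, daemon: str, client: Client) -> str:
    """First match wins; when no rule matches, tcpd grants access."""
    for daemons, clients, action in rules:
        if any(d in ("ALL", daemon) for d in daemons) and any(client_matches(c, client) for c in clients):
            return action
    return "allow"

# The two orderings discussed in the thread (the real file's comments omitted).
DEFAULT_ORDER = "ALL : ALL : allow\nALL : PARANOID : RFC931 20 : deny\n"
PARANOID_FIRST = "ALL : PARANOID : RFC931 20 : deny\nALL : ALL : allow\n"
# Constructed sample peers, not real hosts: a PTR name that does not resolve
# back to its address, one that does, and a host with no PTR at all.
PEERS = {"mismatched": Client("192.0.2.10", "mail.example.net", False),
         "consistent": Client("192.0.2.20", "shell.example.net", True),
         "no_ptr": Client("192.0.2.30", "", False)}

def verdicts(hosts_allow: str, daemon: str = "sshd") -> dict:
    rules = parse_rules(hosts_allow)
    return {name: hosts_access(rules, daemon, peer) for name, peer in PEERS.items()}
```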

