conf/112441: deprecated lines in /etc/hosts.allow
Andy Kosela
andy.kosela at gmail.com
Sun May 27 13:10:12 UTC 2007
The following reply was made to PR conf/112441; it has been noted by GNATS.
From: "Andy Kosela" <andy.kosela at gmail.com>
To: "Giorgos Keramidas" <keramida at freebsd.org>
Cc: bug-followup at freebsd.org
Subject: Re: conf/112441: deprecated lines in /etc/hosts.allow
Date: Sun, 27 May 2007 15:03:58 +0200
On 5/26/07, Giorgos Keramidas <keramida at freebsd.org> wrote:
> On 2007-05-05 13:12, Andy Kosela wrote:
> > The following lines in /etc/hosts.allow are deprecated and
> > should be removed. From my understanding of how tcpd is built,
> > it is built by default with -DPARANOID option turned on so all
> > requests from DNS mismatched clients are dropped BEFORE looking
> > at the access tables.
> >
> > /etc/hosts.allow:
> > # Protect against simple DNS spoofing attacks by checking that the
> > # forward and reverse records for the remote host match. If a mismatch
> > # occurs, access is denied, and any positive ident response within
> > # 20 seconds is logged. No protection is afforded against DNS poisoning,
> > # IP spoofing or more complicated attacks. Hosts with no reverse DNS
> > # pass this rule.
> > ALL : PARANOID : RFC931 20 : deny
>
> Hi Andy,
>
> I don't see -DPARANOID in our src/lib/libwrap Makefile.
> Are you sure it is the default mode of operation?
>
> - Giorgos
>
>
Hi Giorgos,
from src/contrib/tcp_wrappers/Makefile:
PARANOID= -DPARANOID
but you are right, I didn't notice FreeBSD tcpd is built using src/lib/libwrap.
So if I understand correctly, DNS-mismatched clients are permitted by the
default FreeBSD installation according to the first entry in
/etc/hosts.allow:
# Start by allowing everything (this prevents the rest of the file
# from working, so remove it when you need protection).
# The rules here work on a "First match wins" basis.
ALL : ALL : allow
Do you think this is secure enough? Personally I think that somebody
who tries to spoof DNS is potentially an attacker and should be blocked.
I see two options here:
either add the -DPARANOID option as default (it is logically correct to
block all DNS-mismatched clients, and it is the default operation of the
contrib tcpd code),
or
put ALL : PARANOID : RFC931 20 : deny before ALL : ALL : allow in order to help
secure the default FreeBSD installations.
Best regards,
Andy Kosela
Pythagoras Foundation
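The "first match wins" ordering that the thread turns on, as an added example that is not part of the PR or of FreeBSD's libwrap: a small Python model of /etc/hosts.allow evaluation. It is an assumption-laden simplification of the real parser (only the ALL, PARANOID and literal-host client patterns and the allow/deny options are handled; the RFC931 ident option is parsed but ignored), and the client records are constructed. It shows that with the shipped order a client whose reverse name does not resolve back to its address is allowed by the blanket rule, while with the PARANOID rule moved first it is denied, and that a host with no reverse DNS still passes either way.

```python
"""Toy model of tcp_wrappers 'first match wins' evaluation (added example,
not FreeBSD code).  Simplified: ALL, PARANOID and literal client patterns,
allow/deny options only."""

from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Client:
    """Constructed view of what tcpd learns about a peer (hypothetical data)."""
    addr: str
    reverse_name: Optional[str]                        # PTR result, None if no reverse DNS
    forward_addrs: List[str] = field(default_factory=list)  # A records of reverse_name

    def dns_mismatch(self) -> bool:
        # PARANOID semantics as the hosts.allow comment describes them:
        # no reverse record passes; a reverse name that does not resolve
        # back to the connecting address is a mismatch.
        return self.reverse_name is not None and self.addr not in self.forward_addrs


@dataclass
class Rule:
    daemons: List[str]
    clients: List[str]
    options: List[str]

    def verdict(self) -> str:
        # FreeBSD's single hosts.allow carries the decision as an allow/deny
        # option; a matching rule without 'deny' grants access.
        return "deny" if "deny" in self.options else "allow"


def parse_rules(text: str) -> List[Rule]:
    """Parse 'daemon_list : client_list : option : ...' lines, skipping comments."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = [f.strip() for f in line.split(":")]
        if len(fields) < 2:
            raise ValueError(f"malformed rule: {raw!r}")
        rules.append(Rule(fields[0].split(), fields[1].split(),
                          [o.lower() for o in fields[2:]]))
    return rules


def client_matches(pattern: str, client: Client) -> bool:
    if pattern == "ALL":
        return True
    if pattern == "PARANOID":
        return client.dns_mismatch()
    return pattern in (client.addr, client.reverse_name)


def daemon_matches(pattern: str, daemon: str) -> bool:
    return pattern == "ALL" or pattern == daemon


def check_access(hosts_allow: str, daemon: str, client: Client) -> str:
    """First matching rule decides; with no match libwrap lets the connection through."""
    for rule in parse_rules(hosts_allow):
        if any(daemon_matches(d, daemon) for d in rule.daemons) and \
           any(client_matches(c, client) for c in rule.clients):
            return rule.verdict()
    return "allow"


# Rule order as shipped, per the PR discussion: the blanket allow comes first.
DEFAULT_HOSTS_ALLOW = """
ALL : ALL : allow
ALL : PARANOID : RFC931 20 : deny
"""

# Order proposed in the reply: the PARANOID check precedes the blanket allow.
PROPOSED_HOSTS_ALLOW = """
ALL : PARANOID : RFC931 20 : deny
ALL : ALL : allow
"""

# Constructed peers (documentation-range addresses, hypothetical names).
SPOOFED = Client("192.0.2.10", "trusted.example.org", ["198.51.100.5"])  # PTR name resolves elsewhere
CONSISTENT = Client("192.0.2.20", "host20.example.org", ["192.0.2.20"])
NO_PTR = Client("192.0.2.30", None)

if __name__ == "__main__":
    for label, cfg in (("shipped order", DEFAULT_HOSTS_ALLOW),
                       ("PARANOID first", PROPOSED_HOSTS_ALLOW)):
        for name, peer in (("spoofed", SPOOFED), ("consistent", CONSISTENT), ("no PTR", NO_PTR)):
            print(f"{label:15} {name:10} -> {check_access(cfg, 'sshd', peer)}")
```

Note that the model stops at the first match exactly as the page's comment says the real file does, so moving one line changes the outcome for the mismatched client only; consistent hosts and hosts with no reverse DNS are unaffected, which is the trade-off the reply asks about.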