conf/112441: deprecated lines in /etc/hosts.allow
Andy Kosela
andy.kosela at gmail.com
Sat May 5 13:20:02 UTC 2007
>Number: 112441
>Category: conf
>Synopsis: deprecated lines in /etc/hosts.allow
>Confidential: no
>Severity: non-critical
>Priority: low
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: change-request
>Submitter-Id: current-users
>Arrival-Date: Sat May 05 13:20:01 GMT 2007
>Closed-Date:
>Last-Modified:
>Originator: Andy Kosela
>Release: 6.2-RELEASE
>Organization:
>Environment:
FreeBSD plato.domain 6.2-RELEASE-p4 FreeBSD 6.2-RELEASE-p4 #0: Thu Apr 26 17:40:53 UTC 2007 root at i386-builder.daemonology.net:/usr/obj/usr/src/sys/GENERIC i386
>Description:
The following lines in /etc/hosts.allow are deprecated and should be removed.
>From my understanding of how tcpd is built, it is built by default with -DPARANOID
option turned on so all requests from DNS mismatched clients are dropped BEFORE
looking at the access tables.
/etc/hosts.allow:
# Protect against simple DNS spoofing attacks by checking that the
# forward and reverse records for the remote host match. If a mismatch
# occurs, access is denied, and any positive ident response within
# 20 seconds is logged. No protection is afforded against DNS poisoning,
# IP spoofing or more complicated attacks. Hosts with no reverse DNS
# pass this rule.
ALL : PARANOID : RFC931 20 : deny
>How-To-Repeat:
>Fix:
>Release-Note:
>Audit-Trail:
>Unformatted:
More information about the freebsd-bugs
mailing list