conf/112441: deprecated lines in /etc/hosts.allow
Giorgos Keramidas
keramida at freebsd.org
Sat May 26 15:50:10 UTC 2007
The following reply was made to PR conf/112441; it has been noted by GNATS.
From: Giorgos Keramidas <keramida at freebsd.org>
To: Andy Kosela <andy.kosela at gmail.com>
Cc: bug-followup at freebsd.org
Subject: Re: conf/112441: deprecated lines in /etc/hosts.allow
Date: Sat, 26 May 2007 18:39:59 +0300 (EEST)
On 2007-05-05 13:12, Andy Kosela wrote:
> The following lines in /etc/hosts.allow are deprecated and
> should be removed. From my understanding of how tcpd is built,
> it is built by default with -DPARANOID option turned on so all
> requests from DNS mismatched clients are dropped BEFORE looking
> at the access tables.
>
> /etc/hosts.allow:
> # Protect against simple DNS spoofing attacks by checking that the
> # forward and reverse records for the remote host match. If a mismatch
> # occurs, access is denied, and any positive ident response within
> # 20 seconds is logged. No protection is afforded against DNS poisoning,
> # IP spoofing or more complicated attacks. Hosts with no reverse DNS
> # pass this rule.
> ALL : PARANOID : RFC931 20 : deny
Hi Andy,
I don't see -DPARANOID in our src/lib/libwrap Makefile.
Are you sure it is the default mode of operation?
- Giorgos
More information about the freebsd-bugs
mailing list