From nobody@FreeBSD.org  Sat May  5 13:17:30 2007
Return-Path: <nobody@FreeBSD.org>
Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52])
	by hub.freebsd.org (Postfix) with ESMTP id 0F61816A400
	for <freebsd-gnats-submit@FreeBSD.org>; Sat,  5 May 2007 13:17:30 +0000 (UTC)
	(envelope-from nobody@FreeBSD.org)
Received: from www.freebsd.org (www.freebsd.org [69.147.83.33])
	by mx1.freebsd.org (Postfix) with ESMTP id 026F713C448
	for <freebsd-gnats-submit@FreeBSD.org>; Sat,  5 May 2007 13:17:30 +0000 (UTC)
	(envelope-from nobody@FreeBSD.org)
Received: from www.freebsd.org (localhost [127.0.0.1])
	by www.freebsd.org (8.13.1/8.13.1) with ESMTP id l45DHTAq061203
	for <freebsd-gnats-submit@FreeBSD.org>; Sat, 5 May 2007 13:17:29 GMT
	(envelope-from nobody@www.freebsd.org)
Received: (from nobody@localhost)
	by www.freebsd.org (8.13.1/8.13.1/Submit) id l45DCRfp051001;
	Sat, 5 May 2007 13:12:27 GMT
	(envelope-from nobody)
Message-Id: <200705051312.l45DCRfp051001@www.freebsd.org>
Date: Sat, 5 May 2007 13:12:27 GMT
From: Andy Kosela <andy.kosela@gmail.com>
To: freebsd-gnats-submit@FreeBSD.org
Subject: deprecated lines in /etc/hosts.allow
X-Send-Pr-Version: www-3.0

>Number:         112441
>Category:       conf
>Synopsis:       deprecated lines in /etc/hosts.allow
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-bugs
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          change-request
>Submitter-Id:   current-users
>Arrival-Date:   Sat May 05 13:20:01 GMT 2007
>Closed-Date:    Thu Nov 01 19:40:08 UTC 2012
>Last-Modified:  Thu Nov 01 19:40:08 UTC 2012
>Originator:     Andy Kosela
>Release:        6.2-RELEASE
>Organization:
>Environment:
FreeBSD plato.domain 6.2-RELEASE-p4 FreeBSD 6.2-RELEASE-p4 #0: Thu Apr 26 17:40:53 UTC 2007     root@i386-builder.daemonology.net:/usr/obj/usr/src/sys/GENERIC  i386
>Description:
The following lines in /etc/hosts.allow are deprecated and should be removed.
From my understanding of how tcpd is built, it is built by default with the
-DPARANOID option turned on, so all requests from DNS mismatched clients are
dropped BEFORE looking at the access tables.

/etc/hosts.allow:
# Protect against simple DNS spoofing attacks by checking that the
# forward and reverse records for the remote host match. If a mismatch
# occurs, access is denied, and any positive ident response within
# 20 seconds is logged. No protection is afforded against DNS poisoning,
# IP spoofing or more complicated attacks. Hosts with no reverse DNS
# pass this rule.
ALL : PARANOID : RFC931 20 : deny


>How-To-Repeat:

>Fix:

>Release-Note:
>Audit-Trail:

From: Giorgos Keramidas <keramida@freebsd.org>
To: Andy Kosela <andy.kosela@gmail.com>
Cc: bug-followup@freebsd.org
Subject: Re: conf/112441: deprecated lines in /etc/hosts.allow
Date: Sat, 26 May 2007 18:39:59 +0300 (EEST)

 On 2007-05-05 13:12, Andy Kosela wrote:
 > The following lines in /etc/hosts.allow are deprecated and
 > should be removed. From my understanding of how tcpd is built,
 > it is built by default with -DPARANOID option turned on so all
 > requests from DNS mismatched clients are dropped BEFORE looking
 > at the access tables.
 >
 > /etc/hosts.allow:
 > # Protect against simple DNS spoofing attacks by checking that the
 > # forward and reverse records for the remote host match. If a mismatch
 > # occurs, access is denied, and any positive ident response within
 > # 20 seconds is logged. No protection is afforded against DNS poisoning,
 > # IP spoofing or more complicated attacks. Hosts with no reverse DNS
 > # pass this rule.
 > ALL : PARANOID : RFC931 20 : deny
 
 Hi Andy,
 
 I don't see -DPARANOID in our src/lib/libwrap Makefile.
 Are you sure it is the default mode of operation?
 
 - Giorgos
 

From: "Andy Kosela" <andy.kosela@gmail.com>
To: "Giorgos Keramidas" <keramida@freebsd.org>
Cc: bug-followup@freebsd.org
Subject: Re: conf/112441: deprecated lines in /etc/hosts.allow
Date: Sun, 27 May 2007 15:03:58 +0200

 On 5/26/07, Giorgos Keramidas <keramida@freebsd.org> wrote:
 > On 2007-05-05 13:12, Andy Kosela wrote:
 > > The following lines in /etc/hosts.allow are deprecated and
 > > should be removed. From my understanding of how tcpd is built,
 > > it is built by default with -DPARANOID option turned on so all
 > > requests from DNS mismatched clients are dropped BEFORE looking
 > > at the access tables.
 > >
 > > /etc/hosts.allow:
 > > # Protect against simple DNS spoofing attacks by checking that the
 > > # forward and reverse records for the remote host match. If a mismatch
 > > # occurs, access is denied, and any positive ident response within
 > > # 20 seconds is logged. No protection is afforded against DNS poisoning,
 > > # IP spoofing or more complicated attacks. Hosts with no reverse DNS
 > > # pass this rule.
 > > ALL : PARANOID : RFC931 20 : deny
 >
 > Hi Andy,
 >
 > I don't see -DPARANOID in our src/lib/libwrap Makefile.
 > Are you sure it is the default mode of operation?
 >
 > - Giorgos
 >
 >
 
 Hi Giorgos,
 
 from src/contrib/tcp_wrappers/Makefile:
 
 PARANOID= -DPARANOID
 
 but you are right, I didn't notice FreeBSD tcpd is built using src/lib/libwrap.
 So if i understand correctly DNS mismatched clients are permitted by
 default FreeBSD installation according to the first entry in
 /etc/hosts.allow:
 
 # Start by allowing everything (this prevents the rest of the file
 # from working, so remove it when you need protection).
 # The rules here work on a "First match wins" basis.
 ALL : ALL : allow
 
 Do you think this is secure enough? Personally I think that somebody
 who tries to spoof DNS is potentially an attacker and should be blocked.
 
 I see two options here: either add the -DPARANOID option as default (it
 is logically correct to block all DNS mismatched clients, and it is the
 default operation of the contrib tcpd code), or put
 ALL : PARANOID : RFC931 20 : deny before ALL : ALL : allow in order to
 help secure the default FreeBSD installations.
 
 best regards,
 Andy Kosela
 Pythagoras Foundation
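Added example (not part of the PR and not FreeBSD's libwrap code): a small Python model of how tcp_wrappers walks an access table, written to show concretely why the order of the two rules quoted above matters and what the -DPARANOID build option changes. The DNS records, client addresses and rule sets are constructed for the example; name resolution is a lookup in those tables rather than a real resolver, and the RFC931 ident lookup named in the rule's option field is not modelled.

```python
"""Model of tcp_wrappers hosts.allow evaluation (added example, not libwrap).

Models three behaviours discussed in PR conf/112441:
  * access rules are consulted in file order, first match wins;
  * the PARANOID client wildcard matches a client whose reverse (PTR) name
    does not resolve back to its address; clients with no PTR do not match;
  * a -DPARANOID build refuses mismatched clients before the tables are read.
Name resolution is a lookup in constructed tables so this runs offline.
"""

# Constructed DNS data (assumption for the example): PTR and A records.
REVERSE = {
    "203.0.113.10": "good.example.net",   # consistent forward/reverse
    "198.51.100.7": "www.example.com",    # PTR names a host that maps elsewhere
    # "192.0.2.99" deliberately has no PTR record
}
FORWARD = {
    "good.example.net": {"203.0.113.10"},
    "www.example.com": {"93.184.216.34"},
}

UNKNOWN_NAME = "unknown"   # tcp_wrappers' placeholder when reverse lookup fails


def client_name(ip):
    """Reverse-resolve ip against the constructed PTR table."""
    return REVERSE.get(ip, UNKNOWN_NAME)


def is_paranoid(ip):
    """True when the PTR name exists but does not resolve back to ip."""
    name = client_name(ip)
    if name == UNKNOWN_NAME:
        return False          # no reverse DNS: UNKNOWN, not PARANOID
    return ip not in FORWARD.get(name, set())


def parse_rules(text):
    """Parse 'daemons : clients [: options ...] : allow|deny' lines.

    Comments and blank lines are skipped. A hosts.allow line without an
    explicit deny action allows, as with the tcp_wrappers options extension.
    """
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = [f.strip() for f in line.split(":")]
        action = "deny" if fields[-1].lower() == "deny" else "allow"
        rules.append((fields[0], fields[1], action, line))
    return rules


def client_matches(pattern, ip):
    """Match one client field: ALL, PARANOID, KNOWN, UNKNOWN or a literal."""
    pattern = pattern.upper()
    name = client_name(ip)
    if pattern == "ALL":
        return True
    if pattern == "PARANOID":
        return is_paranoid(ip)
    if pattern == "KNOWN":
        return name != UNKNOWN_NAME and not is_paranoid(ip)
    if pattern == "UNKNOWN":
        return name == UNKNOWN_NAME or is_paranoid(ip)
    return pattern in (ip.upper(), name.upper())


def check_access(rules_text, daemon, ip, paranoid_build=False):
    """Return (verdict, matching rule text or None); first match wins.

    paranoid_build=True models the -DPARANOID compile option: a mismatched
    client is refused before the access tables are consulted at all.
    Only hosts.allow is modelled; with no match the default is to allow.
    """
    if paranoid_build and is_paranoid(ip):
        return "deny", None
    for daemons, clients, action, line in parse_rules(rules_text):
        if daemons.upper() in ("ALL", daemon.upper()) and client_matches(clients, ip):
            return action, line
    return "allow", None


# The two orderings discussed in the PR.
FREEBSD_DEFAULT = """\
# Start by allowing everything (this prevents the rest of the file
# from working, so remove it when you need protection).
ALL : ALL : allow
ALL : PARANOID : RFC931 20 : deny
"""

PARANOID_FIRST = """\
ALL : PARANOID : RFC931 20 : deny
ALL : ALL : allow
"""

if __name__ == "__main__":
    for ip in ("203.0.113.10", "198.51.100.7", "192.0.2.99"):
        for label, table in (("default", FREEBSD_DEFAULT), ("paranoid-first", PARANOID_FIRST)):
            verdict, rule = check_access(table, "sshd", ip)
            print(f"{ip:14} {label:15} -> {verdict:5} via {rule!r}")
        verdict, _ = check_access(FREEBSD_DEFAULT, "sshd", ip, paranoid_build=True)
        print(f"{ip:14} -DPARANOID build -> {verdict}")
```

With the shipped ordering the mismatched client (198.51.100.7) is allowed by the first rule and the PARANOID line is never reached; with the PARANOID line first it is denied, while the consistent host and the host with no PTR at all are allowed either way, as the comment in hosts.allow says. The -DPARANOID build refuses the mismatched client regardless of table contents. On a real system the equivalent check against the live tables and the live resolver is tcpdmatch(8), e.g. `tcpdmatch sshd 198.51.100.7`; the close rationale for this PR is the operational caveat, namely that PTR/A mismatches are common enough that denying on them in the default install would refuse legitimate hosts.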
State-Changed-From-To: open->closed 
State-Changed-By: eadler 
State-Changed-When: Thu Nov 1 19:40:07 UTC 2012 
State-Changed-Why:  
DNS mismatches are common and we should not break connections from such
hosts in the default install

http://www.freebsd.org/cgi/query-pr.cgi?pr=112441 
>Unformatted:
