From volf@oasis.IAEhv.nl  Fri Dec  5 05:16:22 1997
Received: from news.IAEhv.nl (root@news.IAEhv.nl [194.151.64.4])
          by hub.freebsd.org (8.8.7/8.8.7) with SMTP id FAA24276
          for <freebsd-gnats-submit@freebsd.org>; Fri, 5 Dec 1997 05:16:21 -0800 (PST)
          (envelope-from volf@oasis.IAEhv.nl)
Received: from oasis.IAEhv.nl (uucp@localhost) 
          by news.IAEhv.nl (8.6.13/1.63) with IAEhv.nl; pid 19976
          on Fri, 5 Dec 1997 13:16:19 GMT; id NAA19976
          efrom: volf@oasis.IAEhv.nl; eto: freebsd.org!freebsd-gnats-submit
Received: from LOCAL (volf@localhost) 
          by oasis.IAEhv.nl (8.8.7/1.63); pid 17921 
          on Fri, 5 Dec 1997 12:37:54 GMT; id MAA17921
          efrom: volf; eto: UNKNOWN
Message-Id: <199712051237.MAA17921@oasis.IAEhv.nl>
Date: Fri, 5 Dec 1997 12:37:54 GMT
From: volf@oasis.IAEhv.nl (Frank Volf)
Reply-To: volf@oasis.IAEhv.nl
To: FreeBSD-gnats-submit@freebsd.org
Cc: volf@oasis.IAEhv.nl
Subject: tcpwrappers/identd should belong to the base system
X-Send-Pr-Version: 3.2

>Number:         5234
>Category:       misc
>Synopsis:       tcpwrappers/identd should belong to the base system
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-bugs
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          change-request
>Submitter-Id:   current-users
>Arrival-Date:   Fri Dec  5 05:20:01 PST 1997
>Closed-Date:    Sun Apr 19 00:08:33 PDT 1998
>Last-Modified:  Sun Apr 19 00:08:59 PDT 1998
>Originator:     Frank Volf
>Release:        FreeBSD 2.2.5-STABLE i386
>Organization:
Frank Volf's private UUCP site, Eindhoven, the Netherlands
>Environment:
>Description:

FreeBSD is presented as an ideal Internet or Intranet server (which is of
course unquestionable). It takes almost no work to configure a fully
functional and reliable Internet server using a FreeBSD cdrom.
Unfortunately, in my opinion, the *base* system does not come with all
security bits enabled that should be enabled on a secure internet server.

In particular, I believe that the base FreeBSD system should have the
tcpwrappers and the identd programs installed. These programs can of course
be installed as packages or ports, but installing them (especially
tcpwrappers) requires specific knowledge and configuration, that should be
done by a system administrator after the system has been configured.

I think the security of FreeBSD (and the security awareness of FreeBSD
owners) can be increased by moving these programs from packages to the base
FreeBSD system and enabling them by default in /etc/inetd.conf.  With
enabling the tcpwrappers I don't mean to prohibit connections to the system,
a "permit all" in /etc/hosts.allow is perfectly acceptable as a default. But
by having a /etc/hosts.{allow,deny} in the base system and tcpwrappers
enabled by default, we make it a lot easier for people to make their system
secure. Also, the tcpwrappers allow us to log more information about who
is using what service.

The identd is too valuable a program for tracking down problems not to
have in the base system.

Thankx,

            Frank
>How-To-Repeat:
>Fix:
>Release-Note:
>Audit-Trail:
State-Changed-From-To: open->closed 
State-Changed-By: phk 
State-Changed-When: Sun Apr 19 00:08:33 PDT 1998 
State-Changed-Why:  
This has been discussed before and not agreed to 
>Unformatted:
