William Yodlowsky on Tue, Nov 28, 2000 at 07:35:42PM -0500:
> Hi,
> Could it perhaps link to TCP Wrappers' libwrap instead?
> Personally, I'd prefer that to most other options I can think of for basic control like this.

I agree. I think having to maintain packet filter configurations for every system that serves a critical function is a bit much. Plus, the wrappers are supported on, and the configuration is portable to, many UNIX systems. Also, some commercial UNIX systems are not shipped with packet filtering capabilities.

When I suggested this to Balazs, he correctly said that tcp PARANOID checking could easily DoS your nameserver when it is used to control access to your syslog/udp. Obviously, the same goes for rfc931 (ident), spawn and other nice hosts.* directives. You could also produce nice effects by logging access to the syslog port to a remote machine, which in turn for security reasons sends all network access information to you as a replication means :)

I still think it would be really nice to have, especially because it's portable, well tested and I believe lots of people still use it for non-firewall machines. I do :)

Greetings,
Gregor.

-- 
Gregor Binder <gbinder@sysfive.com> http://www.sysfive.com/~gbinder/
sysfive.com GmbH UNIX. Networking. Security. Applications.
Gaertnerstrasse 125b, 20253 Hamburg, Germany TEL +49-40-63647482
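As an added illustration (not code from this thread, from syslog-ng or from libwrap), the following Python sketch re-implements the hosts.allow/hosts.deny matching order in simplified form. It decides purely on the peer address and reports which client patterns (PARANOID, KNOWN/UNKNOWN/LOCAL, hostname suffixes) could only be evaluated after a reverse lookup of the client, which is the nameserver dependency Gregor's message points out for a UDP syslog listener. The rule sets and addresses are constructed samples; the function names are the example's own.

```python
"""Simplified, hypothetical re-implementation of TCP Wrappers access control.

Added example, not syslog-ng or libwrap code. Client patterns are matched
against the peer IP only; anything that would need DNS is reported, not
resolved, so a flood of packets on a UDP port cannot turn into a flood of
reverse lookups against the nameserver.
"""
import ipaddress

# Constructed sample rule sets (hosts.allow / hosts.deny), not from a real host.
HOSTS_ALLOW = """
# log sources allowed to reach the UDP syslog listener
syslog-ng : 192.168.10.0/255.255.255.0, 10.0.0.5
sshd      : 10.0.0.0/8 EXCEPT 10.0.99.0/24
"""

HOSTS_DENY = """
syslog-ng : ALL
sshd      : ALL
"""

# Constructed variant whose rules can only be decided after resolving the peer.
RISKY_DENY = """
ALL       : PARANOID
syslog-ng : ALL EXCEPT .loghosts.example
"""

# Wildcards whose evaluation requires a reverse (and forward) lookup of the peer.
DNS_DEPENDENT = {"PARANOID", "KNOWN", "UNKNOWN", "LOCAL"}


def parse_rules(text):
    """Turn 'daemon_list : client_list [: shell_command]' lines into
    (daemons, client_tokens) tuples; list items are blank- or comma-separated."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        fields = line.split(":")
        if len(fields) < 2:
            continue
        daemons = fields[0].replace(",", " ").split()
        clients = fields[1].replace(",", " ").split()
        rules.append((daemons, clients))
    return rules


def pattern_needs_dns(pattern):
    """True when the pattern can only be matched against a resolved hostname."""
    if pattern in ("ALL", "EXCEPT"):
        return False
    return pattern in DNS_DEPENDENT or any(c.isalpha() for c in pattern)


def client_matches(pattern, ip):
    """Match one client pattern against an IPv4 address without any lookup.
    Returns (matched, needs_dns); DNS-dependent patterns never match here."""
    if pattern == "ALL":
        return True, False
    if pattern_needs_dns(pattern):
        return False, True
    if "/" in pattern:                    # net/mask or net/prefixlen
        return ip in ipaddress.ip_network(pattern, strict=False), False
    if pattern.endswith("."):             # leading-components prefix, e.g. 192.168.
        return str(ip).startswith(pattern), False
    return ip == ipaddress.ip_address(pattern), False


def list_matches(tokens, ip):
    """Evaluate a client list of the form 'A EXCEPT B' (right-associative)."""
    if "EXCEPT" in tokens:
        i = tokens.index("EXCEPT")
        inc, inc_dns = list_matches(tokens[:i], ip)
        exc, exc_dns = list_matches(tokens[i + 1:], ip)
        return inc and not exc, inc_dns or exc_dns
    matched = needs_dns = False
    for tok in tokens:
        m, d = client_matches(tok, ip)
        matched, needs_dns = matched or m, needs_dns or d
    return matched, needs_dns


def hosts_access(daemon, client_ip, allow_text=HOSTS_ALLOW, deny_text=HOSTS_DENY):
    """libwrap order: first match in hosts.allow grants, otherwise first match
    in hosts.deny refuses, otherwise access is granted."""
    ip = ipaddress.ip_address(client_ip)
    for verdict, text in (("allow", allow_text), ("deny", deny_text)):
        for daemons, clients in parse_rules(text):
            if daemon in daemons or "ALL" in daemons:
                if list_matches(clients, ip)[0]:
                    return verdict
    return "allow"


def dns_dependent_patterns(*texts):
    """List (daemon_list, pattern) pairs that would force a lookup of the peer;
    each one is a potential nameserver-load or stall problem on a UDP port."""
    return [(" ".join(daemons), tok)
            for text in texts
            for daemons, clients in parse_rules(text)
            for tok in clients if pattern_needs_dns(tok)]


if __name__ == "__main__":
    print(hosts_access("syslog-ng", "192.168.10.77"), hosts_access("sshd", "10.0.99.4"))
    print(dns_dependent_patterns(HOSTS_ALLOW, HOSTS_DENY), dns_dependent_patterns(RISKY_DENY))
```

Running the audit function over a real hosts.allow/hosts.deny pair shows at a glance whether any rule guarding a UDP service depends on DNS; address-only rules, as in the sample, keep the decision local.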