On Wed, Nov 29, 2000 at 02:35:44AM +0100, Gregor Binder wrote:
> William Yodlowsky on Tue, Nov 28, 2000 at 07:35:42PM -0500:
> > Could it perhaps link to TCP Wrappers' libwrap instead?
>
> I agree. I think having to maintain packet filter configurations for every system that serves a critical function is a bit much. Plus, the wrappers are supported on and the configuration is portable to many UNIX systems. Also, some commercial UNIX systems are not shipped with packet filtering capabilities.

That's what I had in mind :-)

> When I suggested this to Balazs, he correctly said that tcp PARANOID checking could easily DoS your nameserver when it is used to control access to your syslog/udp.

Ah, a good point. IMHO a warning during the configure phase and a blurb in INSTALL would be enough, though. I haven't been on this list very long, but I would hope people replacing their syslogd would at least read INSTALL :)

> You could also produce nice effects by logging access to the syslog port to a remote machine, which in turn for security reasons sends all network access information to you as a replication means :)

I dare say I was thinking about that too...

> I still think it would be really nice to have, especially because it's portable, well tested and I believe lots of people still use it for non-firewall machines. I do :)

I second the motion!
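An added illustration of the PARANOID point raised above (example code, not from the thread, syslog-ng or tcp_wrappers): a small Python model of libwrap-style lazy hostname evaluation, with a stub resolver that counts DNS calls, run over a constructed burst of syslog datagrams. Rule semantics are simplified and all resolver data is made up; it shows why address-only rules keep DNS out of the per-datagram path while PARANOID or ".domain" rules put two lookups on every message.

```python
import ipaddress

class StubResolver:
    """Constructed reverse (PTR) and forward (A) data; counts every lookup."""
    def __init__(self, ptr, a):
        self.ptr, self.a, self.calls = ptr, a, 0
    def reverse(self, ip):
        self.calls += 1
        return self.ptr.get(ip)
    def forward(self, name):
        self.calls += 1
        return self.a.get(name, [])

def host_match(pattern, ip, resolver, cache):
    """Match one hosts.allow/hosts.deny host pattern; only name patterns touch DNS."""
    if pattern == "ALL":
        return True
    if pattern[0].isdigit():                       # address or CIDR pattern: no lookup
        return ipaddress.ip_address(ip) in ipaddress.ip_network(pattern, strict=False)
    if "name" not in cache:                        # PARANOID or ".domain": resolve once per check
        name = resolver.reverse(ip)
        verified = name is not None and ip in resolver.forward(name)
        cache["name"] = name if verified else None
        cache["paranoid"] = name is not None and not verified
    if pattern == "PARANOID":
        return cache["paranoid"]
    return cache["name"] is not None and cache["name"].endswith(pattern)

def allowed(ip, allow, deny, resolver):
    """hosts.allow first, then hosts.deny, otherwise permit (libwrap order)."""
    cache = {}
    if any(host_match(p, ip, resolver, cache) for p in allow):
        return True
    return not any(host_match(p, ip, resolver, cache) for p in deny)

def dns_calls_for_burst(ips, allow, deny, resolver):
    """DNS lookups caused by one access check per datagram in the burst."""
    start = resolver.calls
    for ip in ips:
        allowed(ip, allow, deny, resolver)
    return resolver.calls - start

if __name__ == "__main__":
    r = StubResolver({"192.0.2.10": "host.example.org"}, {"host.example.org": ["192.0.2.10"]})
    burst = ["192.0.2.10"] * 500                   # constructed: 500 datagrams from one logger
    print("address rule :", dns_calls_for_burst(burst, ["192.0.2.0/24"], ["ALL"], r))
    print("PARANOID rule:", dns_calls_for_burst(burst, [], ["PARANOID"], r))
```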