[649] in linux-security and linux-alert archive
Re: [linux-security] Summary re: syslogd spam
daemon@ATHENA.MIT.EDU (Jeff Uphoff)
Tue Apr 2 18:07:42 1996
Resent-From: Jeff Uphoff <juphoff@tarsier.cv.nrao.edu>
Resent-To: linux-security@tarsier.cv.nrao.edu
In-Reply-To: Your message of Tue, April 2, 1996 07:10:09 -0800
From: Jeff Uphoff <juphoff@tarsier.cv.nrao.edu>
To: cschuber@orca.gov.bc.ca
Cc: Olaf Kirch <okir@monad.swb.de>, linux-security@tarsier.cv.nrao.edu
Date: Tue, 2 Apr 1996 11:34:13 -0500
[...Discussion regarding new sysklogd v1.3 release and its "-r"
option...]
"CS" == Cy Schubert <- ITSD Open Systems Group <cschuber@uumail.gov.bc.ca>> writes:
CS> Many of these features, though nice to have, are redundant.
Agreed, with qualification.
CS> 1. IP firewalling is already built into the kernel. All you need
CS> to do is block port 514.
But I thought I'd point this feature of sysklogd v1.3 out anyway, mainly
because--especially for newcomers to Linux--blocking syslogd spam is
much easier to do by running syslogd without the "-r" option than by
learning how to write effective firewalling rules. It's also less
likely to put the machine into a "funny" state (as mistakes in
firewalling rules have been known to do...I know this from regrettable
experience <grin>). I consider firewalling to be a moderately advanced
topic, and I don't expect newcomers to networking, UNIX, Linux, etc., to
understand it all immediately....
If someone is already using firewalling rules then this new syslogd
feature doesn't really buy him/her anything. But if the only thing
someone wants to block/protect is their syslog port then this is a handy
and easy to use feature.
CS> 2. What if you want to allow some hosts to log to your server while
CS> disallowing the rest of the Internet? There are two possible
CS> solutions. Either use IP firewalling already built into the kernel
CS> or build a TCP/Wrapper interface into sysklogd. Using the existing
CS> IP firewall code already in the kernel is cheaper (less effort).
CS> (Why not enable the firewall code in the kernel by default?)
I brought up the possibility of linking against libwrap with Greg
Wettstein when I got the early 1.3 beta code from him. He'd apparently
already considered it, and he held essentially the same view as you
state above: using the kernel's firewalling feature is just as effective
and it doesn't require extra coding, an extra library, etc.
--Up.
--
Jeff Uphoff - systems/network admin. | juphoff@nrao.edu
National Radio Astronomy Observatory | juphoff@bofh.org.uk
Charlottesville, VA, USA | jeff.uphoff@linux.org
PGP key available at: http://www.cv.nrao.edu/~juphoff/
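
Added example (not part of the original message or of sysklogd): a check for whether anything is receiving on UDP port 514, the state the thread describes controlling either with syslogd's "-r" option or with firewall rules. It assumes the Linux /proc/net/udp table format; the function names and both sample tables are constructed for illustration.

```shell
#!/bin/sh
# Added example: is anything receiving on the syslog port (UDP 514 = hex 0202)?
# Input is a table in the Linux /proc/net/udp format (IPv4 sockets only).

# udp514_listeners [FILE|-]
# Prints the local address (HEXIP:HEXPORT) of every socket bound to UDP 514.
# Exit status 0 if at least one was found, 1 if none.
udp514_listeners() {
    awk '
        {
            # Field 2 is local_address; the header line has no ":" and is skipped.
            n = split($2, a, ":")
            if (n == 2 && toupper(a[2]) == "0202") { print $2; found = 1 }
        }
        END { exit(found ? 0 : 1) }
    ' "${1:-/proc/net/udp}"
}

# syslog_port_status [FILE|-]
# "open" when a socket is bound to UDP 514, "closed" otherwise.
syslog_port_status() {
    if udp514_listeners "$@" >/dev/null; then echo open; else echo closed; fi
}

# Constructed sample: syslogd started with "-r" (port 0202) plus portmap (006F).
sample_with_r() {
cat <<'EOF'
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrmt   uid  timeout inode
   0: 00000000:0202 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 1201
   1: 00000000:006F 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 1187
EOF
}

# Constructed sample: same host with syslogd started without "-r".
sample_without_r() {
cat <<'EOF'
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrmt   uid  timeout inode
   1: 00000000:006F 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 1187
EOF
}

sample_with_r    | syslog_port_status -    # open
sample_without_r | syslog_port_status -    # closed
```

A socket bound to the port need not be syslogd itself, and the table says nothing about firewall rules, so "open" here means only that a process is listening. IPv6 sockets are listed separately in /proc/net/udp6.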