authordwmalone <dwmalone@FreeBSD.org>2001-08-18 14:22:52 +0000
committerdwmalone <dwmalone@FreeBSD.org>2001-08-18 14:22:52 +0000
commit4449dfd72779ccc7d13c9e1dcc146cff9e709a9d (patch)
tree41389ea5f9b532d7e6fa7fb15010101aab0a4e77 /etc/hosts.allow
parentcfa5d0ff529c7c68582be2d05f344e470d61c5df (diff)
Clear up what the line "ALL : PARANOID : RFC931 20 : deny" means
to tcp wrappers. The description is a little long, but hopefully accurate.
Diffstat (limited to 'etc/hosts.allow')
-rw-r--r--etc/hosts.allow7
1 files changed, 6 insertions, 1 deletions
diff --git a/etc/hosts.allow b/etc/hosts.allow
index ff95ee8..f4e1353 100644
--- a/etc/hosts.allow
+++ b/etc/hosts.allow
@@ -26,7 +26,12 @@ ALL : ALL : allow
# need to do it, here's how
#sshd : .evil.cracker.example.com : deny
-# Provide some protection against clients using a forged source IP address
+# Protect against simple DNS spoofing attacks by checking that the
+# forward and reverse records for the remote host match. If a mismatch
+# occurs, access is denied, and any positive ident response within
+# 20 seconds is logged. No protection is afforded against DNS poisoning,
+# IP spoofing or more complicated attacks. Hosts with no reverse DNS
+# pass this rule.
ALL : PARANOID : RFC931 20 : deny
# Allow anything from localhost. Note that an IP address (not a host
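Review bot: The new comment does not say that this deny rule is only reached if no earlier rule matches, and the hunk header shows an `ALL : ALL : allow` line preceding it; under tcp_wrappers' first-match evaluation that line, if still active, makes the PARANOID rule a no-op, so a sentence such as `# NOTE: the "ALL : ALL : allow" line above must be removed or commented out for this rule to have any effect.` would save readers a surprise. Two further caveats belong next to "any positive ident response within 20 seconds is logged": the `RFC931 20` option makes the wrapper wait up to 20 seconds for an ident reply from the remote host before denying, so unresponsive or filtered hosts can hold the connection for that long, and the user name returned is supplied by the untrusted client itself and is suitable for logging only, never for access decisions. Since PARANOID does not match hosts with no reverse record, as the last sentence correctly states, admins who want those denied as well need a separate rule using the UNKNOWN wildcard (see hosts_access(5)); mentioning that would make "pass this rule" actionable rather than merely descriptive.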