Diffstat (limited to 'libexec')
-rw-r--r--libexec/tcpd/BLURB26
-rw-r--r--libexec/tcpd/CHANGES15
-rw-r--r--libexec/tcpd/README15
3 files changed, 35 insertions, 21 deletions
diff --git a/libexec/tcpd/BLURB b/libexec/tcpd/BLURB
index cc95cf74285..8d82fa7826f 100644
--- a/libexec/tcpd/BLURB
+++ b/libexec/tcpd/BLURB
@@ -1,5 +1,5 @@
-$OpenBSD: BLURB,v 1.1 1997/02/26 06:00:30 downsj Exp $
-@(#) BLURB 1.27 97/02/12 02:13:17
+$OpenBSD: BLURB,v 1.2 1997/06/01 05:21:39 downsj Exp $
+@(#) BLURB 1.28 97/03/21 19:27:18
With this package you can monitor and filter incoming requests for the
SYSTAT, FINGER, FTP, TELNET, RLOGIN, RSH, EXEC, TFTP, TALK, and other
@@ -12,20 +12,18 @@ requested service; the wrappers do not exchange information with the
client or server applications, and impose no overhead on the actual
conversation between the client and server applications.
-This patch upgrades the tcp wrappers version 7.4 source code to version
-7.5. Highlights of this release:
-
- - Support for more UNIX system types.
-
- - Improved protection against IP spoofing attacks with source-routed
- TCP connections, by refusing them. This protection is not enabled by
- default.
+This patch upgrades the tcp wrappers version 7.5 source code to
+version 7.6. The source-routing protection in version 7.5 was not
+as strong as it could be. And all this effort was not needed with
+modern UNIX systems that can already stop source-routed traffic in
+the kernel. Examples are 4.4BSD derivatives, Solaris 2.x, and Linux.
This release does not introduce new features. Do not bother applying
-this patch when you built your current tcp wrapper without enabling the
-KILL_OPTIONS compiler switch. The patch is not useful for obsolete UNIX
-versions that pre-date 4.4BSD, such as SunOS 4. Such systems are unable
-to receive source-routed connections and are therefore not vulnerable
+this patch when you built your version 7.x tcp wrapper without
+enabling the KILL_IP_OPTIONS compiler switch; when you can disable
+IP source routing options in the kernel; when you run a UNIX version
+that pre-dates 4.4BSD, such as SunOS 4. Such systems are unable to
+receive source-routed connections and are therefore not vulnerable
to IP spoofing attacks with source-routed TCP connections.
A complete change log is given in the CHANGES document. As always,
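Review bot: the compiler switch named in the "Do not bother applying" paragraph changes from KILL_OPTIONS to KILL_IP_OPTIONS, which now matches the -DKILL_IP_OPTIONS flag documented in README; keep the two spellings in step, since a reader grepping the Makefile for the old name would find nothing. The three conditions that follow ("when you built your version 7.x tcp wrapper without enabling the KILL_IP_OPTIONS compiler switch; when you can disable IP source routing options in the kernel; when you run a UNIX version that pre-dates 4.4BSD") are joined only by semicolons, so it is not obvious that any one of them alone makes the patch unnecessary; an "or" before the last clause would make that explicit.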
diff --git a/libexec/tcpd/CHANGES b/libexec/tcpd/CHANGES
index 7b4c3c72368..aa23b243f62 100644
--- a/libexec/tcpd/CHANGES
+++ b/libexec/tcpd/CHANGES
@@ -1,10 +1,23 @@
-$OpenBSD: CHANGES,v 1.1 1997/02/26 06:00:31 downsj Exp $
+$OpenBSD: CHANGES,v 1.2 1997/06/01 05:21:39 downsj Exp $
Request: after building the programs, please run the `tcpdchk' wrapper
configuration checker. See the `tcpdchk.8' manual page (`nroff -man'
format) for instructions. `tcpdchk' automatically identifies the most
common configuration problems, and will save you and me a lot of time.
+Changes per release 7.6 (Mar 1997)
+==================================
+
+- Improved the anti source-routing protection. The code in version
+7.5 was not as strong as it could be, because I tried to be compatible
+with Linux. That was a mistake. Sorry for the inconvenience.
+
+- The program no longer terminates case of a source-routed connection,
+making the IP-spoofing code more usable for long-running daemons.
+
+- When syslogging DNS hostname problems, always stop after a limited
+number of characters.
+
Changes per release 7.5 (Feb 1997)
==================================
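Review bot: the second new item is missing a word: "The program no longer terminates case of a source-routed connection" should read "terminates in case of a source-routed connection". The third item ("When syslogging DNS hostname problems, always stop after a limited number of characters") is a real hardening of the logging path, because the hostname being logged comes from the DNS answer rather than from the administrator; it would help operators to state the limit, or at least that the logged name may be truncated, so that a cut-off hostname in syslog is not mistaken for a logging fault.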
diff --git a/libexec/tcpd/README b/libexec/tcpd/README
index 3d3f1f1c65b..1e52463617d 100644
--- a/libexec/tcpd/README
+++ b/libexec/tcpd/README
@@ -1,7 +1,7 @@
-$OpenBSD: README,v 1.1 1997/02/26 06:00:35 downsj Exp $
-@(#) README 1.29 97/02/12 02:13:20
+$OpenBSD: README,v 1.2 1997/06/01 05:21:40 downsj Exp $
+@(#) README 1.30 97/03/21 19:27:21
-This is the 7.5 version of the TCP/IP daemon wrapper package.
+This is the 7.6 version of the TCP/IP daemon wrapper package.
Thank you for using this program. If you like it, send me a postcard.
My postal address is at the bottom of this file.
@@ -329,9 +329,12 @@ very few, if any, UNIX vendors have adopted it. Our site, and many
other ones, has been running these enhanced daemons for several years,
and without any ill effects.
-When the wrapper programs are compiled with -DKILL_IP_OPTIONS, the
+When the wrapper programs are compiled with -DKILL_IP_OPTIONS, the
programs refuse to service TCP connections with IP source routing
-options.
+options. -DKILL_IP_OPTIONS is not needed on modern UNIX systems
+that can stop source-routed traffic in the kernel. Examples are
+4.4BSD derivatives, Solaris 2.x, and Linux. See your system manuals
+for details.
If you are going to use this feature on SunOS 4.1.x you should apply
patch 100804-03+ or 101790-something depending on your SunOS version.
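Review bot: the first -/+ pair in this hunk ("When the wrapper programs are compiled with -DKILL_IP_OPTIONS, the") shows no visible change, so it is presumably a whitespace-only edit; dropping it would keep the diff to the substantive text. In the added sentence, "can stop source-routed traffic in the kernel" describes a capability rather than a default, and a reader could take it as a reason to build without -DKILL_IP_OPTIONS on a kernel where that protection exists but has not been switched on. Suggest "that are configured to stop source-routed traffic in the kernel", and, where the setting is known for a listed system, naming it instead of only "See your system manuals for details".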
@@ -535,7 +538,7 @@ of the noise. A more powerful tool is the Swatch monitoring system by
Stephen E. Hansen and E. Todd Atkins. Swatch can process log files in
real time and can associate arbitrary actions with patterns; its
applications are by no means restricted to security. Swatch is
-available from sierra.stanford.edu, directory /pub/sources.
+available ftp.stanford.edu, directory /general/security-tools/swatch.
Socks, described in the UNIX Security III proceedings, can be used to
control network traffic from hosts on an internal network, through a
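Review bot: the replacement line "available ftp.stanford.edu, directory /general/security-tools/swatch." drops the word "from" that the removed line had ("available from sierra.stanford.edu"); it should read "available from ftp.stanford.edu, directory /general/security-tools/swatch."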