Relay-Version: version B 2.10 5/3/83; site utzoo.UUCP
Path: utzoo!mnetor!seismo!rutgers!sri-unix!hplabs!decwrl!pyramid!prls!philabs!ttidca!mb
From: mb@ttidca.UUCP (Michael Bloom)
Newsgroups: comp.dcom.lans
Subject: Re: one way networking
Message-ID: <327@ttidca.UUCP>
Date: Fri, 23-Jan-87 02:14:02 EST
Article-I.D.: ttidca.327
Posted: Fri Jan 23 02:14:02 1987
Date-Received: Sat, 24-Jan-87 12:49:07 EST
References: <1740@crcge1.UUCP> <591@brl-sem.ARPA>
Reply-To: mb@ttidca.UUCP (Michael Bloom)
Organization: CitiCorp TTI, Santa Monica, Ca.
Lines: 22
Summary: here's a less radical solution

In article <591@brl-sem.ARPA> ron@brl-sem.ARPA (Ron Natalie) writes:
>Remove the daemons (rlogind, rshd, telnetd...) from the machine you want
>to avoid incoming connections on. Or remove their start up from /etc/passwd
>(or comment them out of inet.conf if you are using that).

That was my first thought too, but it seems like overkill. He only wants
to disable outbound connections from that one machine. Using daemon
removal as his solution would require removing those daemons from all
other connectable machines but the one, which may be more disabling than
he wishes. There may be some pairs of machines he does not wish to
disable.

Much simpler would be to just turn off the 's' bit on the rlogin, etc,
programs. It won't matter if users make their own copies of these
programs, as their corresponding servers are listening on privileged
ports, and if the process attempting the connection is not running as
root, it can not succeed.

Of course this fails if they have a zillion roots, but then they would
have little opportunity for security anyway.
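
The setuid change suggested in the post above, as an added example that is not part of the original article: a shell sketch that clears the 's' bit on r-command clients in one directory and reports any that remain setuid. The client list (rlogin, rsh, rcp) and the function names are assumptions, and the demo runs on constructed scratch files, not real system binaries.

```shell
#!/bin/sh
# Added example: audit and clear the setuid bit on r-command clients.
# CLIENTS is an assumed list; the post names only "rlogin, etc".
CLIENTS="rlogin rsh rcp"

# has_suid FILE: succeed if FILE is a regular file with the setuid bit set.
has_suid() {
    [ -f "$1" ] && [ -u "$1" ]
}

# strip_suid DIR: clear the setuid bit on each listed client found in DIR.
# Prints one line per file changed; returns non-zero if any chmod failed.
strip_suid() {
    dir=$1
    rc=0
    for name in $CLIENTS; do
        path="$dir/$name"
        if has_suid "$path"; then
            if chmod u-s "$path"; then
                echo "cleared setuid: $path"
            else
                echo "FAILED: $path" >&2
                rc=1
            fi
        fi
    done
    return $rc
}

# remaining_suid DIR: print listed clients in DIR that are still setuid.
remaining_suid() {
    for name in $CLIENTS; do
        if has_suid "$1/$name"; then echo "$1/$name"; fi
    done
}

# Demo on constructed files in a scratch directory.
demo() {
    d=$(mktemp -d) || return 1
    for name in rlogin rsh; do
        : > "$d/$name"
        chmod 4755 "$d/$name"      # constructed stand-ins for setuid clients
    done
    : > "$d/rcp"; chmod 0755 "$d/rcp"   # already without the 's' bit
    strip_suid "$d"
    left=$(remaining_suid "$d")
    rm -rf "$d"
    [ -z "$left" ]
}

demo
```

On a real host the directory argument would be wherever the clients are installed, and the script needs enough privilege to chmod them.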