From 1139160ec0b7e240b298d56cb3672d87e9370461 Mon Sep 17 00:00:00 2001
From: David Malone
Date: Sat, 18 Aug 2001 14:22:52 +0000
Subject: [PATCH] Clear up what the line "ALL : PARANOID : RFC931 20 : deny" means to tcp wrappers. The description is a little long, but hopefully accurate.
---
 etc/hosts.allow | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/etc/hosts.allow b/etc/hosts.allow
index ff95ee8b3d7d..f4e1353b571e 100644
--- a/etc/hosts.allow
+++ b/etc/hosts.allow
@@ -26,7 +26,12 @@ ALL : ALL : allow
 # need to do it, here's how
 #sshd : .evil.cracker.example.com : deny
-# Provide some protection against clients using a forged source IP address
+# Protect against simple DNS spoofing attacks by checking that the
+# forward and reverse records for the remote host match. If a mismatch
+# occurs, access is denied, and any positive ident response within
+# 20 seconds is logged. No protection is afforded against DNS poisoning,
+# IP spoofing or more complicated attacks. Hosts with no reverse DNS
+# pass this rule.
 ALL : PARANOID : RFC931 20 : deny
 # Allow anything from localhost. Note that an IP address (not a host
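Review bot: The new comment explains what `ALL : PARANOID : RFC931 20 : deny` does but not when it is reached; tcp_wrappers stops at the first matching rule, and the hunk header shows an earlier `ALL : ALL : allow` line which, if it is still active in the file, matches every client before this rule is consulted, so neither the denial nor the 20-second ident lookup would ever occur. Adding one line such as `# Only reached when no earlier rule (e.g. "ALL : ALL : allow") matched: first match wins.` would make the dependency explicit to anyone editing the file. The phrase `any positive ident response within 20 seconds is logged` can also be read as if only positive replies are recorded; if the intent is that the lookup's result is logged whatever it is, `the result of a 20-second ident lookup is logged` avoids that ambiguity.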