My original question was:
I have the proxy firewall, Raptor EC 4.1 with the OS Digital UNIX,
this
proxy is the DNS primary server for my domain, the normal nslookup is:
root@proxy # nslookup marte
Server: localhost
Address: 127.0.0.1
Name: marte.csia
Address: 172.21.x.x
NOW
I mean a DMZ defined by switch
Glenn Shiffer
Hi all,
Since yesterday our Raptor 6.5 log is showing the following httpd note:
Can't parse url (GET
/scripts/cms/CMS.ASP?ID=200101D2=^__DCK@???@K?AW=167LV=2045M
U=1013143361ER=CAP@LC=20011221:1CF=20AD=12
RA0=178884DA0=2RA1=168602DA1=1RA2=178878DA2=1RA3=178886DA3=1NP=
You have run nmap from the DMZ?
-Original Message-
From: irado furioso com tudo [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, 12 February 2002 20:17
To: [EMAIL PROTECTED]
Subject: stuck with FreeBSD and Ipfilter
I am stuck with a request from a client. A FreeBSD box, with 3
Bruno Fernandes wrote:
note: even changing rules a lot, I am unable to do this. Then I just
tried to 'block everything for that machine':
:=== begin
block in quick from any to 192.168.1.89
block out quick from any to 192.168.1.89
block in quick from 192.168.1.89 to any
:===
but
I am using ipfilter for this setup.
Hi,
I just inherited a PIX 515 firewall which was previously managed by our
hosting company. I am used to managing a FW-1 on Windows, so managing the PIX
via telnet takes a bit of getting used to.
After reading the manuals and poking around a bit, I finally took the step
and added an access-list
On 14 Feb 2002 at 14:26, Rasmus Aaen wrote:
The access-list group for outbound connections ends with a deny all rule,
which is fine. But when I added the new rule, it was placed under the deny
all rule. So I had to remove the deny all rule and add it again to get
the order right. Is it possible to specify where a new rule should
What OS are you running? Under 4.x the order doesn't matter as you should
The OS is v6.1
I tried PFM with 4.4 and it was a disaster. Apart from crashing regularly
and not being able to read most of my config I couldn't get it to write
back to the PIX. I've heard the new one for OS v6.x
Our network use 2 PIX 525 with PIX 6.0 software and
I want to test them to ensure that we're secure.
Please give me some idea how to test them and the vulnerabilities of this
version of PIX.
thanx,
bank
Hi all,
The question is, can it be done?
And does anyone have a sample config for both the PIX (515) and FreeBSD (4.5)
with racoon.
Thanks,
Warren
[EMAIL PROTECTED]
___
Firewalls mailing list
[EMAIL PROTECTED]
Hi again,
Another question about my newly inherited PIX. The following rules confuse
me a bit:
access-list acl_out permit udp 195.215.xxx.xxx 255.255.255.240 any eq domain
access-list acl_out permit udp 195.215.xxx.xxx 255.255.255.240 eq domain any
gt 1023
The first one is obvious - any
I am planning to write a software firewall (something
that works like ZoneAlarm). What language do you
think I should use for development?
Whatever you do, use a language that you know _very_
well. You'll be less likely to make mistakes that way.
mjr.
On Mon, 11 Feb 2002, doc wrote:
Started up the TP with boot1.fs in the drive and am getting
input/output errors.
Probably a bad floppy. I went through a short stack of a half dozen to
find one good one for my macppc/netbsd install last week. keep trying.
jose
On 14 Feb 2002 at 16:39, Rasmus Aaen wrote:
please paste the output of ipfstat -i -h, ipnat -l and
the contents of your ipfrules file, and ipnatrules
file.
Just an FYI, ipnat happens before ipf, so your rules
need to be written post nat.
--- irado furioso com tudo [EMAIL PROTECTED] wrote:
Bruno Fernandes wrote:
note: even
We have a web/database server running on redhat 6.2 and our file and print
box running Samba on Redhat 6.2. They are both on the inside of our
firewall, IPChains running on Red Hat. Currently, for moving information
between the two we use scp, it can be a little clunky, but it works and is
fairly
NMAP and Nessus are always a good place to
start... an outside security consultant who knows what he is doing is generally a
good place to stop...
Wes Noonan, MCSE/MCT/CCNA/CCDA/NNCSS
Senior QA Rep.
BMC Software, Inc.
(713) 918-2412
[EMAIL PROTECTED]
http://www.bmc.com
This is why I do all my ACL edits in notepad and completely remove and
reapply them as needed. At least with the PIX OS 6.1(1) I can do line by
line removes... my routers aren't so fortunate...
Wes Noonan, MCSE/MCT/CCNA/CCDA/NNCSS
Senior QA Rep.
BMC Software, Inc.
(713) 918-2412
[EMAIL
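As an added example (this is not code from the thread, from Cisco, or from any poster), here is a small parser and first-match evaluator for the PIX 6.x access-list lines discussed above. It serves three of the questions in this digest: why a rule appended below "deny ip any any" never fires (PIX evaluates top-down, first match wins), what the two DNS entries with "eq domain" on opposite sides actually permit, and the remove-and-reapply workaround expressed as the commands you would paste. Note that PIX takes a real subnet mask in an ACE (255.255.255.240 is a /28), not an IOS-style wildcard. The addresses and packets are constructed: 192.0.2.16/28 stands in for the masked 195.215.xxx.xxx in the post.

```python
import ipaddress

# Example added to the digest, not from the thread or from Cisco.
# Addresses are constructed: 192.0.2.16/28 stands in for 195.215.xxx.xxx/28.

PORT_NAMES = {"domain": 53, "www": 80, "ntp": 123, "kerberos": 88, "smtp": 25}
OPS = ("eq", "gt", "lt", "neq", "range")


def _port(tok):
    return PORT_NAMES[tok] if tok in PORT_NAMES else int(tok)


def _addr(t, i):
    """Consume an address spec at t[i]. PIX takes a real subnet mask here
    (255.255.255.240 is a /28), not an IOS wildcard. Returns (network, next)."""
    if t[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if t[i] == "host":
        return ipaddress.ip_network(t[i + 1] + "/32"), i + 2
    return ipaddress.ip_network("%s/%s" % (t[i], t[i + 1]), strict=False), i + 2


def _portspec(t, i):
    """Optional port operator: eq/gt/lt/neq N or range A B. Returns (spec, next)."""
    if i < len(t) and t[i] in OPS:
        if t[i] == "range":
            return (t[i], _port(t[i + 1]), _port(t[i + 2])), i + 3
        return (t[i], _port(t[i + 1])), i + 2
    return None, i


def parse_ace(line):
    """access-list <id> permit|deny <proto> <src> [op port] <dst> [op port]"""
    t = line.split()
    if t[0] != "access-list":
        raise ValueError(line)
    src, i = _addr(t, 4)
    sport, i = _portspec(t, i)
    dst, i = _addr(t, i)
    dport, i = _portspec(t, i)
    return {"acl": t[1], "action": t[2], "proto": t[3],
            "src": src, "sport": sport, "dst": dst, "dport": dport}


def _port_ok(spec, port):
    if spec is None:
        return True
    op, a = spec[0], spec[1]
    return {"eq": port == a, "neq": port != a, "gt": port > a, "lt": port < a,
            "range": a <= port <= spec[-1]}[op]


def matches(ace, pkt):
    return (ace["proto"] in ("ip", pkt["proto"])
            and ipaddress.ip_address(pkt["src"]) in ace["src"]
            and ipaddress.ip_address(pkt["dst"]) in ace["dst"]
            and _port_ok(ace["sport"], pkt["sport"])
            and _port_ok(ace["dport"], pkt["dport"]))


def first_match(aces, pkt):
    """Top-down, first match wins; no match at all is the implicit deny."""
    for idx, ace in enumerate(aces):
        if matches(ace, pkt):
            return idx, ace["action"]
    return None, "deny"


def unreachable(aces):
    """Indices of entries below a catch-all (ip any any, no ports): dead rules."""
    for idx, ace in enumerate(aces):
        if (ace["proto"] == "ip" and ace["src"].prefixlen == 0
                and ace["dst"].prefixlen == 0 and not ace["sport"] and not ace["dport"]):
            return list(range(idx + 1, len(aces)))
    return []


def reinsert_commands(lines, new_line, at):
    """The remove-and-reapply workaround from the thread, as PIX 6.1 commands:
    remove every entry from index `at` down, add the new one, re-add the rest."""
    return ["no " + l for l in lines[at:]] + [new_line] + lines[at:]


ACL_LINES = [
    "access-list acl_out permit udp 192.0.2.16 255.255.255.240 any eq domain",
    "access-list acl_out permit udp 192.0.2.16 255.255.255.240 eq domain any gt 1023",
    "access-list acl_out deny ip any any",
    "access-list acl_out permit tcp 192.0.2.16 255.255.255.240 any eq www",  # appended below the deny
]
ACL = [parse_ace(l) for l in ACL_LINES]

# Constructed packets: a DNS query from the /28 to any resolver, a port-53
# sourced reply from a resolver on the /28, a query from a host just outside
# the /28, and a web connection that hits the deny before the appended permit.
DNS_QUERY = {"proto": "udp", "src": "192.0.2.20", "sport": 1234, "dst": "198.51.100.53", "dport": 53}
DNS_REPLY = {"proto": "udp", "src": "192.0.2.20", "sport": 53, "dst": "198.51.100.9", "dport": 40000}
OUTSIDE_QUERY = {"proto": "udp", "src": "192.0.2.40", "sport": 1234, "dst": "198.51.100.53", "dport": 53}
WEB = {"proto": "tcp", "src": "192.0.2.20", "sport": 2000, "dst": "198.51.100.80", "dport": 80}

if __name__ == "__main__":
    for name, pkt in (("query", DNS_QUERY), ("reply", DNS_REPLY),
                      ("outside", OUTSIDE_QUERY), ("web", WEB)):
        print(name, first_match(ACL, pkt))
    print("dead entries:", unreachable(ACL))
    print("\n".join(reinsert_commands(ACL_LINES[:3], ACL_LINES[3], 2)))
```

The second DNS entry is the one worth a second look: it lets anything on the /28 that sources from port 53 reach any host on any port above 1023, which is what a resolver on that subnet needs for replies, but it is also a convenient hole for anything else that binds to 53 as its source port.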
bob bobing wrote:
please paste the output of ipfstat -i -h, ipnat -l and
the contents of your ipfrules file, and ipnatrules
file.
Just an FYI, ipnat happens before ipf, so your rules
need to be written post nat.
Hmm, I think that I do not know how to do this. Maybe it is the cause of
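As an added example (not code from the thread or from the IPFilter project), here is a toy evaluator for the subset of IPFilter syntax used in the rules posted above. It shows the three points this exchange turns on: ipf is last-match-wins unless a rule says "quick" (first match, stop); the three posted "block ... quick" rules cover inbound traffic to and from 192.168.1.89 and outbound traffic to it, but not outbound traffic from it, so the host can still originate packets; and on the inbound path ipnat's rdr translation is applied before the filter, so a filter rule has to name the post-NAT (internal) address. The rdr mapping, interface names and packets are constructed for the example, and NAT is modelled only for inbound rdr.

```python
import ipaddress
import re

# Example added to the digest, not from the thread or from IPFilter.
# Addresses, interface names, the rdr mapping and the packets are constructed.

RULE_RE = re.compile(
    r"^(?P<action>pass|block)\s+(?P<dir>in|out)(?:\s+log)?(?P<quick>\s+quick)?"
    r"(?:\s+on\s+(?P<iface>\S+))?(?:\s+proto\s+(?P<proto>\S+))?"
    r"\s+(?:all|from\s+(?P<src>\S+)\s+to\s+(?P<dst>\S+))\s*$"
)


def _net(tok):
    return None if tok in (None, "any") else ipaddress.ip_network(tok, strict=False)


def parse_rule(line):
    m = RULE_RE.match(line.strip())
    if not m:
        raise ValueError("unsupported rule: %r" % line)
    g = m.groupdict()
    return {"action": g["action"], "dir": g["dir"], "quick": g["quick"] is not None,
            "iface": g["iface"], "proto": g["proto"], "src": _net(g["src"]), "dst": _net(g["dst"])}


def _match(rule, pkt):
    if rule["dir"] != pkt["dir"]:
        return False
    if rule["iface"] and rule["iface"] != pkt["iface"]:
        return False
    if rule["proto"] and rule["proto"] != pkt["proto"]:
        return False
    return all(rule[k] is None or ipaddress.ip_address(pkt[k]) in rule[k] for k in ("src", "dst"))


def apply_rdr(rdr, pkt):
    """ipnat runs before ipf on the inbound path: an rdr mapping rewrites the
    destination before any filter rule sees the packet."""
    if pkt["dir"] == "in" and pkt["dst"] in rdr:
        return dict(pkt, dst=rdr[pkt["dst"]])
    return pkt


def evaluate(rules, pkt, rdr=None):
    """ipf semantics: the last matching rule wins, unless a matching rule is
    'quick', which ends evaluation there. No match at all means pass."""
    pkt = apply_rdr(rdr or {}, pkt)
    verdict = "pass"
    for r in rules:
        if _match(r, pkt):
            verdict = r["action"]
            if r["quick"]:
                break
    return verdict


POSTED_RULES = [parse_rule(l) for l in (
    "block in quick from any to 192.168.1.89",
    "block out quick from any to 192.168.1.89",
    "block in quick from 192.168.1.89 to any",
)]
MISSING_RULE = parse_rule("block out quick from 192.168.1.89 to any")  # the fourth direction

LAST_MATCH_RULES = [parse_rule(l) for l in (
    "block in from any to any",
    "pass in from 192.168.1.0/24 to any",   # later rule wins: no 'quick' above it
)]
QUICK_RULES = [parse_rule(l) for l in (
    "block in quick from any to any",        # quick: nothing below is consulted
    "pass in from 192.168.1.0/24 to any",
)]
RDR = {"203.0.113.5": "192.168.1.89"}        # rdr ep0 203.0.113.5 -> 192.168.1.89 (constructed)


def host_can_originate(rules, host="192.168.1.89"):
    """Can the host send a packet out through ep0 under these rules?"""
    pkt = {"dir": "out", "iface": "ep0", "proto": "tcp", "src": host, "dst": "198.51.100.10"}
    return evaluate(rules, pkt) == "pass"


if __name__ == "__main__":
    print("posted rules let .89 originate:", host_can_originate(POSTED_RULES))
    print("with the 4th rule:", host_can_originate(POSTED_RULES + [MISSING_RULE]))
    lan = {"dir": "in", "iface": "rl0", "proto": "udp", "src": "192.168.1.5", "dst": "10.0.0.1"}
    print("last-match:", evaluate(LAST_MATCH_RULES, lan), "quick:", evaluate(QUICK_RULES, lan))
    ext = {"dir": "in", "iface": "ep0", "proto": "tcp", "src": "198.51.100.7", "dst": "203.0.113.5"}
    print("block on external addr:", evaluate([parse_rule("block in quick from any to 203.0.113.5")], ext, RDR))
    print("block on internal addr:", evaluate([parse_rule("block in quick from any to 192.168.1.89")], ext, RDR))
```

The evaluator only understands plain from/to and "all" rules; options such as "with short" or "with opt lsrr" from later in the digest are outside its subset.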
FYI
http://theregister.co.uk/content/55/24050.html
-Original Message-
From: Marcus J. Ranum [mailto:[EMAIL PROTECTED]]
Sent: Thursday, February 14, 2002 12:43 AM
To: [EMAIL PROTECTED]
Subject: Re: Gauntlet
Michael Morgan [EMAIL PROTECTED] wrote:
How many people are still using
I think this will give you something to start:
Assume:
ep0 -- outside
rl0 -- inside
xpto -- dmz
#Block strange packets
block in log quick on ep0 proto tcp all with short # header too small
#Block source routed packets
block in log quick on ep0 all with opt lsrr
On 14 Feb 2002, at 9:03, [EMAIL PROTECTED] wrote:
the problem in the switch OS (problem of configuration, new vulnerability
on switch OS, ...)
= DMZ without security !!
(Excuse my English)
Maybe your questions are:
1. If I use a switch in my DMZ, is it okay to allow external in-band
On 14 Feb 2002, at 10:53, [EMAIL PROTECTED] wrote:
I mean a DMZ defined by switch
Well, since switches don't define *anything*, I don't think this
clarification is yet sufficient
DG
On 14 Feb 2002, at 10:59, Josh Welch wrote:
Basically what my boss would like to be able to do is write to a
Samba/NFS type share on the file server from the webserver.
In other words, he wants a DMZ that provides little security at
zero cost
My answer to people who needed to do
In other words, he wants a DMZ that provides little security at
zero cost
Exactly, I convinced him that we should go to a more secure setup, and he
promptly wants to nullify it. I'm tempted just to tell him that he can have
whatever he wants, as long as he doesn't expect me to put in
Hello,
[EMAIL PROTECTED] wrote:
2. Is it okay to use a VLAN to implement my DMZ, sharing the switch
hardware with my trusted network?
Also no, for two basic reasons:
(a) The VLAN feature is not intended as a security barrier; it may be
subject to compromise.
Care to elaborate on
I dislike seeing a single VLAN switch used for VLANS on different firewall
interfaces - if the switch admin screws up the firewall is bypassed. When
that happens you get the excuse but the hosts don't see the spill over
since they are on a different subnet anyway. Just doesn't give me that
warm
I have a PIX 525 with a DMZ. There's a Windows 2000 workstation in DMZ and it is a
member of the domain in the inside network. However, this Win2000 workstation cannot
logon to the domain because of the PIX firewall, even when I opened the whole IP port
to DMZ. Is there any special port or
http://support.microsoft.com/default.aspx?scid=kb;EN-US;q179442
http://www.microsoft.com/windows2000/techinfo/reskit/en-us/default.asp?url=/
WINDOWS2000/techinfo/reskit/en-us/cnet/cnfc_por_simw.asp
http://support.microsoft.com/default.aspx?scid=kb;EN-US;q280132
Laura
- Original Message
Been there. You really need a syslog server to figure this out. W2k must
have tcp 135 445 123 88 gt1024 and udp 137 139 88 53. The syslog will
tell you exactly what you need. Kiwi makes a very good free one
-Original Message-
From: Fei Yang [mailto:[EMAIL PROTECTED]]
Sent: Thursday,
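As an added example (not from the thread, and not Cisco's or Kiwi's code), here is the "you really need a syslog server" advice made concrete: pull the ports the DMZ host is actually being denied on out of PIX 106023 deny messages, then emit host-to-host, port-specific ACEs instead of opening "the whole IP port" to the DMZ. The log lines are constructed in the %PIX-4-106023 format ("Deny proto src if:ip/port dst if:ip/port by access-group"); the hosts, interface names, timestamps and ACL names are invented. It does not change the point made in the replies that follow: the narrow list is the least you would open if you had to, not an endorsement of domain logons from the DMZ.

```python
import re

# Example added to the digest, not from the thread. Log lines are constructed
# in the %PIX-4-106023 format; hosts, interfaces and ACL names are invented.

DENY_RE = re.compile(
    r'%PIX-\d-106023: Deny (?P<proto>tcp|udp) '
    r'src (?P<sif>\w+):(?P<src>[\d.]+)/(?P<sport>\d+) '
    r'dst (?P<dif>\w+):(?P<dst>[\d.]+)/(?P<dport>\d+) '
    r'by access-group "(?P<acl>[^"]+)"'
)

SAMPLE_LOG = """\
Feb 14 2002 15:57:01: %PIX-4-106023: Deny tcp src dmz:172.16.1.10/1045 dst inside:10.0.0.5/445 by access-group "acl_dmz"
Feb 14 2002 15:57:01: %PIX-4-106023: Deny udp src dmz:172.16.1.10/1046 dst inside:10.0.0.5/53 by access-group "acl_dmz"
Feb 14 2002 15:57:02: %PIX-4-106023: Deny udp src dmz:172.16.1.10/1047 dst inside:10.0.0.5/88 by access-group "acl_dmz"
Feb 14 2002 15:57:02: %PIX-4-106023: Deny tcp src dmz:172.16.1.10/1048 dst inside:10.0.0.5/88 by access-group "acl_dmz"
Feb 14 2002 15:57:03: %PIX-4-106023: Deny tcp src dmz:172.16.1.10/1049 dst inside:10.0.0.5/135 by access-group "acl_dmz"
Feb 14 2002 15:57:03: %PIX-4-106023: Deny tcp src dmz:172.16.1.10/1050 dst inside:10.0.0.5/445 by access-group "acl_dmz"
Feb 14 2002 15:57:04: %PIX-4-106023: Deny udp src dmz:172.16.1.10/137 dst inside:10.0.0.255/137 by access-group "acl_dmz"
Feb 14 2002 15:57:04: %PIX-6-302001: Built outbound TCP connection 12 for faddr 198.51.100.9/80 gaddr 203.0.113.2/1051 laddr 10.0.0.7/1051
Feb 14 2002 15:57:05: %PIX-4-106023: Deny tcp src outside:198.51.100.9/3322 dst dmz:172.16.1.10/22 by access-group "acl_outside"
"""


def parse_denies(text):
    """One dict per 106023 deny line; every other message is ignored."""
    out = []
    for line in text.splitlines():
        m = DENY_RE.search(line)
        if m:
            rec = m.groupdict()
            rec["sport"], rec["dport"] = int(rec["sport"]), int(rec["dport"])
            out.append(rec)
    return out


def needed_services(records, src, dst):
    """Sorted unique (proto, dport) pairs denied from src to dst. Filtering on
    the exact pair keeps out noise such as the NetBIOS name broadcast to
    10.0.0.255, which would never cross the firewall anyway."""
    return sorted({(r["proto"], r["dport"]) for r in records
                   if r["src"] == src and r["dst"] == dst})


def to_pix_aces(acl, src, dst, services):
    """Host-to-host, port-specific ACEs for exactly the services observed."""
    return ["access-list %s permit %s host %s host %s eq %d" % (acl, proto, src, dst, port)
            for proto, port in services]


def denies_by_acl(records):
    """Count of denies per access-group, a quick sanity check that the
    interesting denies are on the DMZ interface and not somewhere else."""
    counts = {}
    for r in records:
        counts[r["acl"]] = counts.get(r["acl"], 0) + 1
    return counts


if __name__ == "__main__":
    recs = parse_denies(SAMPLE_LOG)
    svc = needed_services(recs, "172.16.1.10", "10.0.0.5")
    print(denies_by_acl(recs))
    print("\n".join(to_pix_aces("acl_dmz", "172.16.1.10", "10.0.0.5", svc)))
```

Run it against a day of real syslog and the list grows as the workstation exercises more of the domain (the "gt 1024" RPC ports in the reply above show up as denies to high ports on the DC); each addition is a decision to make, which is the point of looking at the log rather than opening everything.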
It would seem to me that allowing a machine on your DMZ to login to your
domain would be a very bad thing.
Josh
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]On Behalf Of Fei Yang
Sent: Thursday, February 14, 2002 3:57 PM
To: [EMAIL PROTECTED]
Subject:
From SANS:
http://www.sans.org/newlook/resources/IDFAQ/vlan.htm
quote
Implications
In a default configuration it is possible to inject 802.1q frames into
non-trunk ports on a switch and have these frames delivered to the
Why yes, yes it is.
-Original Message-
From: Josh Welch [mailto:[EMAIL PROTECTED]]
Sent: Thursday, February 14, 2002 4:08 PM
To: [EMAIL PROTECTED]
Subject: RE: Windows domain logon through PIX firewall
It would seem to me that allowing a machine on your DMZ to login to your
domain
Hi,
Anyone out there using Savvis products ?
What do you think ?
--
Maiko Langelaar
Product Engineering Group
SLMsoft.com
Winnipeg, Manitoba, Canada
Tel : 204-786-2656 (ext 439)
Fax : 204-783-8286
Email : [EMAIL PROTECTED]
www : http://www.slmsoft.com
Hello all,
i do
#iptables -t nat -A POSTROUTING -s $localhosts --out-interface
$outif -j SNAT --to-source $real_ip
but my NAT connection is not stable; I know that the problem is in the firewall.
WHAT IS THE PROBLEM? WHY IS MY NAT CONNECTION NOT STABLE? Timeout?
sorry for my english
--
Best regards,
Tsupra
This is a forwarded message
From: painter(eastnet) [EMAIL PROTECTED]
To: [EMAIL PROTECTED] [EMAIL PROTECTED]
Date: Friday, February 15, 2002, 9:52:19 AM
Subject: iptables SNAT
===8==Original message text===
Return-Path: [EMAIL PROTECTED]
Date: Fri, 15 Feb 2002 09:52:19
According to Josh Welch:
Basically what my boss would like to be able to do is write to a Samba/NFS
type share on the file server from the webserver. My understanding is that
NFS should never be allowed through a firewall, and that Samba is only
marginally better. So, any suggestions?
Well,
- While I don't have a tool handy which generates trunked traffic,
as a cascaded switch would, running such a tool on a compromised host
would allow one to monitor, and inject traffic into, any other VLAN
on the cluster.
Basically, the encapsulation of traffic for multiple VLANs onto a
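As an added example (not from the SANS FAQ quoted above, and not any poster's code), here is what "injecting 802.1q frames into non-trunk ports" looks like on the wire: a tag is four bytes (TPID 0x8100, then a 16-bit TCI holding a 3-bit priority, 1-bit DEI and 12-bit VLAN ID) inserted after the source MAC, tags can be stacked, and a port that strips one tag on ingress forwards the frame on whatever tag remains. The frame builder and parser are exact; the switch port below is a deliberately simplified model of the behaviour the FAQ describes, and the MAC addresses, VLAN IDs and payload are constructed.

```python
import struct

# Example added to the digest, not from the SANS FAQ or the posts.
# MACs, VLAN IDs and payload are constructed; the port model is simplified.

TPID = 0x8100  # 802.1Q tag protocol identifier


def mac(text):
    return bytes.fromhex(text.replace(":", ""))


def build_frame(dst, src, vids, ethertype, payload):
    """Ethernet II frame with zero or more stacked 802.1Q tags, outermost first.
    Each tag is TPID (0x8100) + TCI; TCI = 3-bit PCP, 1-bit DEI, 12-bit VID.
    Priority and DEI are left at zero here."""
    hdr = dst + src
    for vid in vids:
        if not 0 <= vid <= 4094:
            raise ValueError("VID out of range: %d" % vid)
        hdr += struct.pack("!HH", TPID, vid)
    return hdr + struct.pack("!H", ethertype) + payload


def parse_frame(frame):
    """Return (dst, src, [vids outermost first], ethertype, payload)."""
    dst, src = frame[:6], frame[6:12]
    off, vids = 12, []
    while struct.unpack("!H", frame[off:off + 2])[0] == TPID:
        tci = struct.unpack("!H", frame[off + 2:off + 4])[0]
        vids.append(tci & 0x0FFF)
        off += 4
    ethertype = struct.unpack("!H", frame[off:off + 2])[0]
    return dst, src, vids, ethertype, frame[off + 2:]


def non_trunk_ingress(frame, port_vid):
    """Simplified model of a non-trunk port in the state the FAQ describes:
    an untagged frame goes onto the port's VLAN; a frame whose outer tag is
    the port's own VLAN has that tag stripped; whatever tag is left decides
    the VLAN the frame is forwarded on. Returns (vlan, frame_out)."""
    dst, src, vids, ethertype, payload = parse_frame(frame)
    if vids and vids[0] == port_vid:
        vids = vids[1:]
    vlan = vids[0] if vids else port_vid
    return vlan, build_frame(dst, src, vids, ethertype, payload)


# Constructed: a host on VLAN 10 (the port's untagged VLAN) sends a frame
# tagged twice, outer 10 and inner 20, towards a host that lives on VLAN 20.
ATTACKER = mac("02:00:00:00:00:0a")
VICTIM = mac("02:00:00:00:00:14")
PAYLOAD = b"\x45" + b"\x00" * 19  # placeholder IPv4 header bytes, constructed

DOUBLE_TAGGED = build_frame(VICTIM, ATTACKER, [10, 20], 0x0800, PAYLOAD)
SINGLE_TAGGED = build_frame(VICTIM, ATTACKER, [20], 0x0800, PAYLOAD)
UNTAGGED = build_frame(VICTIM, ATTACKER, [], 0x0800, PAYLOAD)

if __name__ == "__main__":
    print("double-tagged on a VLAN 10 port -> VLAN", non_trunk_ingress(DOUBLE_TAGGED, 10)[0])
    print("single-tagged on a VLAN 30 port -> VLAN", non_trunk_ingress(SINGLE_TAGGED, 30)[0])
    print("untagged on a VLAN 10 port -> VLAN", non_trunk_ingress(UNTAGGED, 10)[0])
```

The two cases to read off the output are the ones the thread cares about: a frame the switch thinks is untagged because its outer tag matches the port's VLAN comes out the other side carrying the inner tag, and a tagged frame accepted on a non-trunk port lands on whatever VLAN the tag names. A switch that drops tagged frames on access ports and uses an otherwise unused VLAN as the trunk native VLAN breaks both; the thread's point is that this is a configuration property of the switch, not a guarantee of the VLAN feature.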
That is really odd, your ipf.rules file doesn't match
your ipfstat -i -h. I don't see any 192.168.1.89 in
your file, and yet it's in your ipfstat table. :/
Well at any rate, your ipf.rules file is a mess. I
would try to rewrite them, Bruno Fernandes has some
great examples (seems to have left out
I'm reworking my home (SDSL) firewall and am thinking about architecture.
Previously, I'd just been running OpenBSD+ipfilter on a Sparc IPX, with
packet filtering and NAT in the same box. Two interfaces, no application-level
proxies. No inbound services, just outbound client stuff.
Recently
Basically what my boss would like to be able to do is write to a Samba/NFS
type share on the file server from the webserver. My understanding is that
NFS should never be allowed through a firewall, and that Samba is only
marginally better. So, any suggestions?
I assume that the file