Kenneth Jacker wrote:
I've been trying to get remote printing between two RH7.2 systems to
work with /iptables/. I've tried various combinations allowing ports
515 and 721:731, but it still doesn't work.
If I open up *all* destination ports (boo!) coming from the remote
printing machine
On Tue, 2002-02-19 at 07:49, Danny Zak wrote:
Dear users;
we are trying to lookup some information about which distr. to use for
this linux ipchains, filters, nats.. ?
i saw freebsd popping up all the time; is this stabler; faster; or different
(in which way?); or limited ? in
On 19 Feb 2002 at 08:49 +0100, Danny Zak wrote:
we are trying to lookup some information about which distr. to use
for this linux ipchains, filters, nats.. ?
The one you know best and therefore are able to strip from all
unneeded things and really understand and control what it does.
If you
hiya danny
even linux... is either bsd style or att style
/etc/rc.d/init stuff is a common difference
bsd style printer daemon/setup ...
where you(they) put files in /var/www or /home/httpd makes no
difference .. just move it to where you like it
for firewalls... how
Danny Zak wrote:
Dear users;
we are trying to lookup some information about which distr. to use for
this linux ipchains, filters, nats.. ?
i saw freebsd popping up all the time; is this stabler; faster; or different
(in which way?); or limited ? in comparison to a linux (redhat) distr
On Tue, 19 Feb 2002, Danny Zak wrote:
we are trying to lookup some information about which distr. to use for
this linux ipchains, filters, nats.. ?
For Linux, there are plenty of hardening projects which produce a lot of
security tools. You can also do a fair to good amount of hardening
On Tue, 19 Feb 2002, Martin Peikert wrote:
It's not the OS that will solve your problems. The security of an OS is
dependent on the ability and knowledge of its administrator. If you are
It's also dependent on its codebase (size, complexity, design,
implementation.)
more familiar with
we are trying to lookup some information about which distr. to use for
this linux ipchains, filters, nats.. ?
i saw freebsd popping up all the time; is this stabler; faster; or different
(in which way?); or limited ? in comparison to a linux (redhat) distr ?
as system op; i'm more
For a long time I steered clear of xBSD in favor of Linux ... Call it a bad
habit or an initial experience loading FreeBSD on a machine years ago.
Several months ago, I needed to install a small and light firewall with VPN
capability. Reluctantly, I went to OpenBSD 3.0. What a shock!
My target
Paul D. Robertson wrote:
On Tue, 19 Feb 2002, Martin Peikert wrote:
It's not the OS that will solve your problems. The security of an OS is
dependent on the ability and knowledge of its administrator. If you are
It's also dependent on its codebase (size, complexity, design,
Hello,
am i thinking things in the wrong direction. I hope someone of you can
give me a hint/advice.
We are using a pix with lets say three interfaces. One interface connects
the pix to the outside (x.x.x.x), the other connects to a perimeter
network p1 (y.y.y.y) and the third connects to the
On Fri, 15 Feb 2002, Reckhard, Tobias wrote:
:Instead, I'd use rsync with SSH as transport to automatically push the
:necessary portions of the file system from the internal file server to the
:DMZ server and configure the latter to use the local copies. Rsync is better
:than scp here, because it
On Tue, 19 Feb 2002, Martin Peikert wrote:
On Tue, 19 Feb 2002, Martin Peikert wrote:
It's not the OS that will solve your problems. The security of an OS is
dependent on the ability and knowledge of its administrator. If you are
It's also dependent on its codebase (size, complexity,
On Tue, 12 Feb 2002, Kent Hundley wrote:
:3) Don't give users root or Administrator access to their machines. This
:should keep them from changing IP addresses. (course, they can always break
:into the machine)
if they have physical access, breaking in tends to just mean reboot.
:3) Hard-code
On Sun, 17 Feb 2002, Kevin Steves wrote:
agreed, rsync over ssh is a good and a fairly common way to push data from
inner to more outer security perimeters. in addition to the ssh server
configuration, careful use and configuration of the authentication agent
may make it reasonable to do
You will need to add a line or lines to your p1 access-list to permit
the connections you wish to allow. For example:
access-list p1 permit tcp y.y.y.y 255.255.255.0 any
or being more restrictive:
access-list p1 permit tcp y.y.y.y 255.255.255.0 any eq www
HTH
Glenn
-Original
Hello,
am i thinking things in the wrong direction. I hope someone of you can
give me a hint/advice.
We are using a pix with lets say three interfaces. One interface connects
the pix to the outside (x.x.x.x), the other connects to a perimeter
network p1 (y.y.y.y) and the third connects to the
Hi
2 questions
I have a Cisco PIX firewall, I need to save the syslogs which are
generated
through the PDM log
Question1, is there a syslog server software available for microsoft
Question 2, I need to find a manual for the Cisco PIX firewall, any web
sites, you could suggest.
Thanx
Let's bury this horse already.
If users violate your AUP let your HR dept handle it. Unless of course you don't have
anything better to do..
M
Kevin Steves [EMAIL PROTECTED] 02/17/02 08:14PM
On Tue, 12 Feb 2002, Kent Hundley wrote:
:3) Don't give users root or Administrator access to their
On Tue, 19 Feb 2002, Paul D. Robertson wrote:
[SNIP]
The OBSD work really has more relevance in servers than firewalls, as most
of the exploited services shouldn't be running on a firewall in the first
place. Other than the ICMP kernel bug recently, there's not much that
should
download the 3com syslog daemon from their website. It also includes a tftp
server and client as well as an FTP server all rolled into one nice
package. And it's free - my favorite color. The file name is 3cdv2r10.zip
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL
On Tue, 19 Feb 2002, Paul Robertson wrote:
: agreed, rsync over ssh is a good and a fairly common way to push data from
: inner to more outer security perimeters. in addition to the ssh server
: configuration, careful use and configuration of the authentication agent
: may make it reasonable to
Hi all, I'm stuck with a cisco router 761. I've been diving into cisco
web, registered (without support contract), searching for its IOS (4.3.1 I
think) and I only found manuals and references. Could anyone tell me
where/how to get the image for europe(net3)?.
Thank you very much
luis
hi,
i recently installed a mailserver for linux 7.2 . Am using sendmail
8.11.2/8.11.6. Everything works well as far as smtp is concerned, the
main problem is pop3, in that most of the users have constant
disconnections while retrieving mail. The problem is the mail is
deleted from the
I want to make sure I understand this correctly. You have no support
contract and you want the people on this list to help you download an
*illegal* copy of the IOS. Do I understand you correctly, or am I confused?
If I understand you correctly, sorry I can't help you.
Wes Noonan,
Unless the pop3 software has some sort of process to do this, the
deletion of messages from the server occurs via the user's MUA.
- Dave
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On Behalf Of patrick
Sent: Monday, February 18, 2002 3:58 AM
To: [EMAIL
I don't believe that is a setting on the server. The client takes care
of that. A POP3 client will do a LIST and then attempt to RETRieve what
is listed. And then DELEtes each message individually.
A while back, when doing Internet support for an ISP, we used to come
across similar problems.
On Tue, 19 Feb 2002, Kevin Steves wrote:
:If you're using SSH, you should make every attempt to restrict the daemon
:to accepting version 2 of the protocol *only*.
why?
v2 is a good protocol.
:The v1 fallback stuff will
what v1 fallback stuff?
Most sshd programs (including OpenSSH)
You're just looking for the image? Are you a registered Cisco user?
You should be able to find the images you want under their software
section.
- Dave
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On Behalf Of Luis Blecua
Sent: Monday, February 18, 2002 3:47 AM
On Mon, 18 Feb 2002, Luis Blecua wrote:
Hi all, I'm stuck with a cisco router 761. I've been diving into cisco
web, registered (without support contract), searching for its IOS (4.3.1 I
think) and I only found manuals and references. Could anyone tell me
where/how to get the image for
On Tue, 19 Feb 2002, Paul Robertson wrote:
: :If you're using SSH, you should make every attempt to restrict the daemon
: :to accepting version 2 of the protocol *only*.
:
: why?
:
:v2 is a good protocol.
agreed. you are implying that v1 is bad. this is false.
: :The v1 fallback stuff will
:
I believe he is looking for CBOS software, which is provided free by
cisco. At least it was a few months ago to patch the embedded IIS
exploits.
On Tue, 19 Feb 2002, Paul Robertson wrote:
On Mon, 18 Feb 2002, Luis Blecua wrote:
Hi all, I'm stuck with a cisco router 761. I've been diving
On Tue, 19 Feb 2002, Kevin Steves wrote:
[snip]
i'm glad we got to the details rather than broad handwaving. protocol 1
does have weaknesses, however it is not horribly broken as you say, and
its support in OpenSSH has hastened the migration to protocol 2 by
permitting people to better
folx,
if, indeed, that's what he's discussing, relatively recent (although not
absolutely current) images are available for download at:
http://www.qwest.com/dsl/customerservice/modemsupport.html
t.
On Tue, 19 Feb 2002, [EMAIL PROTECTED] wrote:
Date: Tue, 19 Feb 2002 15:04:33 -0500 (EST)
On Tue, 19 Feb 2002 [EMAIL PROTECTED] wrote:
I believe he is looking for CBOS software, which is provided free by
cisco. At least it was a few months ago to patch the embedded IIS
exploits.
According to the Cisco advisory, CBOS is for a 600-series product (with
upgrades available by
On Tue, 19 Feb 2002, Bill Royds wrote:
The one reason I have been given to not enforce V2 only is support for ssh clients.
One of the most common open source SSH clients is Teraterm and it does not have a
SSHv2 version.
see http://www.zip.com.au/~roca/ttssh.html.
Without SSHV2 clients,
Hello,
We have a very small network with three IPs from our
DSL provider. We currently have one legal IP as the
public interface on our PIX, and we use PAT for a
second address so that all machines on the private
10.0.0.0 network can use to get out to the internet.
We just purchased a third NIC
secureCRT also supports version 2, and I recall a number of other windows
clients supporting version 2 on the windows platform, I did a pretty
thorough search on this for nortel a year and a half ago, trying to get
them to move to version 2 back then, just after version 1 was finally
accepted for
Hi all,
There are some free and/or commercial products that support the SSH v2:
http://www.vandyke.com/
http://www.chiark.greenend.org.uk/~sgtatham/putty/docs.html
Personally I favor the Van Dyke SSH client whenever using Win32 platforms.
Best regards,
Thomas Syrstad
Trustix AS
Paul
Paul Robertson wrote:
[...]
[1] Critical enough to need, critical enough to have supported, I'm also
not sure if anyone's Cygwin'd the OpenSSH v2 stuff yet- I don't run the
Windows virus ;)
OpenSSH on Windows:
http://www.networksimplicity.com/openssh/
--
Dennis
The one reason I have been given to not enforce V2 only is support for ssh clients.
One of the most common open source SSH clients is Teraterm and it does not have a
SSHv2 version.
see http://www.zip.com.au/~roca/ttssh.html.
Without SSHV2 clients, systems can't use SSHV2 servers.
-Original
[1] Critical enough to need, critical enough to have
supported, I'm also not sure if anyone's Cygwin'd the OpenSSH v2 stuff yet- I
don't run the Windows virus ;)
for the record, (i am forced to use NT at work) i use cygwin with openssh 2.9.2p2
and it seems to work fine (with both v1 and
I use SecureCRT myself but I have to support clients who are not willing to pay for
commercial products. Since TeraTerm still works for most people, they will continue to
use it.
Anyone know of a good strategy to weed people away from obsolete tools without
actually hurting them?
hi ya dennis
a new link/product... cool...
its added to the list
http://www.Linux-Sec.net/SSH ( bottom section for windoze apps )
thanx
alvin
On Tue, 19 Feb 2002, Dennis Dai wrote:
Paul Robertson wrote:
[...]
[1] Critical enough to need, critical enough to have supported, I'm also
Well,
Normally clients (customers) will start using another free software (i.e. Putty)
that meets the requirements for your new security policy.
Clients normally understand this, if you explain to them that you have to do
it for the purpose of being pro-active when it comes to security...
Best
Well, just say thanks to all who helped me with info and advice, especially
Jim Munroe.
luis
___
Firewalls mailing list
[EMAIL PROTECTED]
http://lists.gnac.net/mailman/listinfo/firewalls
Title: ipf
Hi !!!
I have a question to the list regarding ipf. I am currently using OBSD as my home Firewall, but as I read the examples and the man I still don't understand how ipf reacts to a synflood. I have already read something about that regarding iptables, a limit that prevents
At 03:02 PM 2/19/2002 -0800, [EMAIL PROTECTED] wrote:
Message: 6
Date: Tue, 19 Feb 2002 13:01:50 -0800 (PST)
From: kk downing [EMAIL PROTECTED]
Subject: Cisco PIX DMZ with PAT ?
To: [EMAIL PROTECTED]
Hello,
We have a very small network with three IPs from our
DSL provider. We currently have one
ooh errr how do you get around this then:
In the PIX until the last version (6.1.1) it is not
possible to use a static mapping with the same address
as a global pool ?
--- Bruno Fernandes [EMAIL PROTECTED]
wrote:
Hi !!!
1.
You should use the third IP to your mail server and
make
I will be out of the office starting 18/02/2002 and will not return until
25/02/2002.
I will respond to your message as soon as I have a chance to pick up your
mail.
Title: RE: Cisco PIX DMZ with PAT ?
Hi !!!
1.
You should use the third IP to your mail server and make something like this
static(dmz,outside) x.x.x.x y.y.y.y netmask 255.255.255.255 max_conn embryonic_limit
for mapping the private IP of the mail server which will live in the DMZ to the
According to Paul D. Robertson:
. NetBSD used to have the fastest networking code,
I thought that was FreeBSD that actually had the fastest networking.
NetBSD is noted for having the broadest range of supported platforms -
great pains are taken to make NetBSD as portable as possible.
Hi,
You are already using one global pool for one public IP so now you can't do
the static mapping with the mail server.
Hence u have to use another public IP and NAT.
Regards
Vishal
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]On Behalf Of kk downing
Sent: