On 3 May 2002, at 15:08, William A Brent wrote:
What is the biggest problem, with or pitfall of software firewalls
that sit on the end user's PC or work station? (meaning products
like ZoneAlarm
A firewall is a policy-enforcement tool. How qualified are your
users to make policy, and
On 19 Apr 2002, at 9:42, Clifford Thurber wrote:
What is IIRC? I thought PIX was Finesse?
At 06:32 PM 4/18/2002 -0400, Bill Royds wrote:
. IIRC, the PIX OS was developed as ...
IIRC == If I Recall Correctly
DG
___
Firewalls mailing list
On 12 Apr 2002, at 11:15, Clifford Thurber wrote:
So if you assign this firewall a management it is just as
susceptible as any other firewall, so much for being invisible?
Although it may become possible to find the device with a portscan
(assuming that the configured IP is on a reachable
On 12 Apr 2002, at 9:50, Noonan, Wesley wrote:
-Original Message-
From: Paul D. Robertson [mailto:[EMAIL PROTECTED]]
Sent: Friday, April 12, 2002 07:41
To: Gary Flynn
Cc: [EMAIL PROTECTED]
Subject: Re: Cisco IDS
On Fri, 12 Apr 2002, Gary Flynn wrote:
I'm certainly
On 15 Apr 2002, at 15:56, Ben Nagy wrote:
I'm a young pup, too, and I wouldn't ever use a VLAN in a small
environment where I had the option to use a separate, dumb switch.
If all you're using VLANs for is to slice up a big expensive switch
to behave like several smaller (and MUCH cheaper)
On 7 Apr 2002, at 3:46, aormygod wrote:
Hi all,
I really disagree with companies which set up firewalls to
over-control employees' activities in the workplace. It annoys
me and feels like it has power over my rights even during
break time. What do you guys think on
On 3 Apr 2002, at 8:29, Brett Eldridge wrote:
On Tue, 2 Apr 2002, Glynn S. Condez wrote:
This Linux box stands as my router or gateway and below this are my servers.
Does it look like this?
link1 link2
| |
\ /
Linux Box
|
On 5 Apr 2002, at 19:49, Bill Royds wrote:
That is a reasonable fit to the term Paul and I were using, if we
consider a screening router a type of firewall, and the one used
in Chapman and Zwicky. Unfortunately (and the reason I asked for
clarification in the original post) others have used
On 29 Mar 2002, at 15:41, Gustavo Ritondale wrote:
Which is the best or default policy for the input, output and forward chains in
a linux-ipchains firewall, or in a general firewall?
Is a DENY policy preferred, accepting only system services, or an ACCEPT
policy, denying all services that
On 22 Mar 2002, at 14:38, Brian Guild wrote:
Guys,
What are the advantages of setting up a DNS server on a DMZ
network of the firewall? Why can't I set up a statement which
allows me to run the DNS server from an inside interface?
Thanks,
Brian
Others have already addressed the
The only way this is going to work is if (at least) one of those
firewall router boxes is a PROXY, so that (for instance) all
traffic that arrives via the 60.60.60.60 NATted address is seen by
the server as coming from 100.100.100.60 instead of its true
external address.
This is still
On 12 Mar 2002, at 11:18, james wrote:
I am seeking to use ACL's to block the outbound traffic on private
addresses that many of our remote POP's are producing. Remote POP's
consist of a Cisco router (2500/2600's) and various access servers.
I understand it is better to filter this at the
On 12 Mar 2002, at 23:50, Steve Siegel wrote:
I'd appreciate some input on the safest LAN protocol to use behind
a firewall/router (e.g. Sonic Wall, Zywall). I've read, on Steve
Gibson's site, that netbeui is safe because it's not routed.
Others have said nothing's safe, and they disconnect
On 5 Mar 2002, at 23:01, Tom Sparks wrote:
I recently installed a PIX 525 with dual Gig-E interfaces and I'm
somewhat puzzled by the results I'm seeing, especially since I
didn't see them with 100BaseT (which is what was configured
previously on the same box).
The internal interface is
On 7 Mar 2002, at 0:25, Amarnath Gutta wrote:
Hi All,
I have private IP addresses in my network which I want to conceal
in traceroutes. Say a customer traces to any IP on the Internet; he is
able to map my private network also, which I want to prevent. So how
can I hide the private IPs in the
On 5 Mar 2002, at 10:25, John Maestrale wrote:
I guess if it doesn't have a point-and-click interface you wannabe
engineers don't like it! There is nothing wrong with the PIX firewall.
-Original Message-
32K of unedited list digest snipped
The ways in which the NetScreen and
On 5 Mar 2002, at 9:35, Hudson Delbert J Contr 61 CS/SCBN wrote:
agreed...
-Original Message-
This is, I think, a new low in signal-to-noise, even for this list:
33K of quoted material to add a single word and nearly NO information
at all
DG
On 27 Feb 2002, at 18:39, Ron DuFresne wrote:
On Wed, 27 Feb 2002, Alvin Oga wrote:
[SNIP]
dumb question ...
- why is VPN needed ??? ssh seems to do everything i need
- if its (VPN) for network neighborhood to go browsing...
shoot it/kill it/stomp it (network
On 28 Feb 2002, at 17:30, Gustavo Ritondale wrote:
I have CDN access with 16 ip addresses. (subnet mask 255.255.255.240)
I need a DMZ for servers and NAT for private LAN.
I'll use ipchains firewall with 3 NICs.
Router = xxx.xxx.xxx.209
My question is: Should i divide ( split ) my 16
On 28 Feb 2002, at 13:43, kk downing wrote:
Hello,
I am new to the Cisco VPN Concentrator (5002). I am a
little confused by the output of the command:
show vpn users
I seem to see duplicate information. There is output
for users, partners, total and then underneath that
there is a
Big whoops.
My reply was entirely in terms of the Cisco 30xx product line, and
on re-reading your message I see that you're asking about a 5002.
Odds are good that my answer was totally irrelevant and useless to
you.
Dave Gillett
On 28 Feb 2002, at 17:06, Clifford Thurber wrote:
On 27 Feb 2002, at 1:39, bob bobing wrote:
The vendor that is connected to the dmz doesn't want
to add routes to my private ips (172.25.x.x) . The dmz
network has a non private addr range ( yes that we
own) on it. This way the vendor only needs to add
routes to the dmz network, and we
On 27 Feb 2002, at 3:42, Alvin Oga wrote:
pptp is not secure enough
i tend NOT to allow vpn internally or from outside
( guess just me being nuts-o )
( ssh-only... from inside or outside...
Guess what: Any user who runs PPP over their SSH session has got a
VPN
On 26 Feb 2002, at 6:51, Dell, Jeffrey wrote:
This is a code issue. With version 3.1 you will be able to do
this, but currently 3.1 is only for the Netscreen-25 and 50.
-Original Message-
From: bob bobing [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, February 26, 2002 2:04 AM
To:
On 20 Feb 2002, at 16:04, Gulfaraz Khan wrote:
My ISP has blocked the ports for morpheus and kazaa. Is there any
way I can unblock the ports or any other way to get morpheus
connected?
Yes -- take your business to another ISP, and save your current one
the trouble of booting you off.
On 14 Feb 2002, at 9:03, [EMAIL PROTECTED] wrote:
the problem in the switch OS (configuration problem, new vulnerability
in the switch OS, ...)
= DMZ without security!!
(Excuse my English)
Maybe your questions are:
1. If I use a switch in my DMZ, is it okay to allow external in-band
On 14 Feb 2002, at 10:53, [EMAIL PROTECTED] wrote:
I mean a DMZ defined by a switch
Well, since switches don't define *anything*, I don't think this
clarification is yet sufficient
DG
On 14 Feb 2002, at 10:59, Josh Welch wrote:
Basically what my boss would like to be able to do is write to a
Samba/NFS type share on the file server from the webserver.
In other words, he wants a DMZ that provides little security at
zero cost
My answer to people who needed to do
- While I don't have a tool handy which generates trunked traffic,
as a cascaded switch would, running such a tool on a compromised host
would allow one to monitor, and inject traffic into, any other VLAN
on the cluster.
Basically, the encapsulation of traffic for multiple VLANs onto a
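As an added example (not code from the original post), the frame format behind the point above: on a trunk, each frame carries a 4-byte 802.1Q tag whose 12-bit VLAN ID says which VLAN it belongs to, so a host that can emit tagged frames onto a port that honours them can address any VLAN the trunk carries. The MAC addresses and payloads below are constructed sample values; the builder and parser are mine and use only the standard library.

```python
import struct

ETHERTYPE_8021Q = 0x8100  # TPID that marks a tagged frame
ETHERTYPE_IPV4 = 0x0800


def build_tagged_frame(dst_mac: bytes, src_mac: bytes, vlan_id: int, payload: bytes,
                       inner_ethertype: int = ETHERTYPE_IPV4, pcp: int = 0) -> bytes:
    """Build an 802.1Q-tagged Ethernet frame as it would appear on a trunk link.

    Layout: dst(6) src(6) TPID(2)=0x8100 TCI(2)=PCP:3|DEI:1|VID:12 ethertype(2) payload.
    """
    if not 0 <= vlan_id < 4096:
        raise ValueError("VLAN ID must fit in 12 bits")
    tci = ((pcp & 0x7) << 13) | (vlan_id & 0xFFF)
    return dst_mac + src_mac + struct.pack("!HHH", ETHERTYPE_8021Q, tci, inner_ethertype) + payload


def parse_frame(frame: bytes) -> dict:
    """Return dst, src, vlan (None when untagged), ethertype and payload of an Ethernet frame."""
    if len(frame) < 14:
        raise ValueError("short frame")
    dst, src = frame[0:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype == ETHERTYPE_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, inner = struct.unpack("!HH", frame[14:18])
        return {"dst": dst, "src": src, "vlan": tci & 0xFFF, "pcp": tci >> 13,
                "ethertype": inner, "payload": frame[18:]}
    return {"dst": dst, "src": src, "vlan": None, "pcp": None,
            "ethertype": ethertype, "payload": frame[14:]}


def vlans_seen(frames) -> set:
    """Set of VLAN IDs observed in a list of frames.

    On a plain access port this should be {None}; any numeric ID means tagged
    traffic is reaching (or leaving) the host, i.e. the port behaves as a trunk.
    """
    return {parse_frame(f)["vlan"] for f in frames}
```

A capture from a host that should sit on a single VLAN but returns anything other than `{None}` from `vlans_seen` is exactly the condition the post warns about: the host can see, and could inject into, the other VLANs carried on that link.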
On 13 Feb 2002, at 18:45, [EMAIL PROTECTED] wrote:
Hello,
I need to ask about DMZs.
DMZ architecture: use a firewall and a switch (layer 4)???
Information about it?? (Advantages, ...)
Thanks
Using a switch in the DMZ offers essentially the same benefits as
using one on any other network
On 12 Feb 2002, at 14:36, Marc Sahr wrote:
Huh? How can a hard-coded mac address be changed? It's burned into the
NIC controller chip, and every single network-attached device has a
unique MAC address. I've never heard of being able to change them.
Marc
It's not, typically, read from
On 7 Feb 2002, at 2:16, luis wrote:
Hi, I have been told that in order to keep the different company
departments isolated from each other (but everyone accessing the
Internet), I have to use subnetting. After reading some
books and articles, I haven't found any reference (one indirect
but
On 7 Feb 2002, at 3:06, Alvin Oga wrote:
hi ya luis
for subnets say 4 depts isolated from each other...
a) make sure you have a switch, NOT a hub, that ties them together
so that they cannot sniff traffic on the other side...
( a 4-port firewall is good )
Each dept has its
1. NetBEUI is broadcast; NetBIOS is not *necessarily* so.
2. Browsing is not really a NetBIOS thing, and (definitely) doesn't
depend on WINS.
Browsing depends on the client's ability to locate a browse
master on the current segment for its domain/workgroup. If it
can't, it will call for
On 18 Jan 2002, at 10:32, Paul Robertson wrote:
How do you account for the (unfortunately) numerous IT
professionals who engage in malicious activity?
This used to be a mystery to me, too. Now that I've been laid off
so long my UI has run out, I occasionally find myself trying to dream
On 16 Jan 2002, at 15:48, Maung, Than Contractor wrote:
I'm trying to set up a Cisco VPN 3000 box using NT domain authentication and
am having some problems.
Problem 1.
When I configured PPTP encryption required on the VPN box, I get a 691
error: User name/password wrong.
On 14 Jan 2002, at 17:45, Bruno Negrão wrote:
Hi all,
I'm using a linux firewall with two ethernet interfaces + iptables
+ masquerading (for windows clients) + NAT 1:1 (for application
servers).
My external interface, eth0, has 3 IP addresses (IP aliasing)
destined to make 1:1 NAT for 3
On 12 Jan 2002, at 13:54, garentsen wrote:
Hi all!
not sure whether this is the right group for firewall issues in
Linux but here goes:
I've got two ISPs providing me with 10 Mbit and 3 Mbit internet
access at home. I would like to set up my Linux (or any other OS)
firewall to
On 15 Jan 2002, at 19:55, Paul D. Robertson wrote:
Many folks aren't security professionals, they're people
stuck doing a job they don't have a great grasp of, ...
IF they would go do something they're good at, maybe *I* could have
their job
DG
I believe what the NetScreens do is, by this definition, pre-shared
keying.
The extra wrinkle here is that NetScreen allows you to enter the
key in hexadecimal, or enter a password from which it will generate
the necessary key. (It is easier to transmit such a password over
the phone, or
The From: address is easily faked, and the spammer doesn't care
whether it's real or not, as long as (a) it looks plausible, and (b)
*he* doesn't get the bounces.
Both messages came from a machine calling itself mx.port.ru --
but at different IP addresses. You could hunt down the ISPs
On 10 Jan 2002, at 16:57, Luke Butcher wrote:
Brazil seems to be making inroads into the top ten list of favoured
havens of script kiddies, and their compromised boxen.
When I tried black-holing Brazil, one of my co-workers complained
that she could no longer email with her family back
On 20 Dec 2001, at 13:58, Barak Engel wrote:
I do want to address another comment about WebEx being a trojan
(you knew I would :-). Basically, this is like saying that any
sharing feature is like a trojan. WebEx isnt any worse - and is
indeed better in some senses - than a host of programs,
On 19 Dec 2001, at 8:44, Daniel Crichton wrote:
On 18 Dec 2001 at 16:29, Brian Ford wrote:
And Kiwi supports PIX TCP Syslog too!
I personally will never touch TCP syslog with the PIX - I once had
my syslog server run out of disk space and the PIX shut down.
Check the release notes for
On 15 Dec 2001, at 19:13, Chance Ellis wrote:
I am new to this list so please excuse me if this has
been asked. I did a few searches that didn't turn much
up.
This is an RFC on which solution would be better. I
understand things like current infrastructure may have
an impact and of
On 14 Dec 2001, at 16:48, Aaron Jongbloedt wrote:
here ya go...this should explain mo better what i am trying to say
current:
web.server--|
real ip#1 |
|---firebox/firewall
mail.server--|
real ip#2
proposed:
On 14 Dec 2001, at 10:14, Michael Zhao wrote:
OK. I am sorry. I sent you the detailed info.
Thanks.
Just to confirm -- When you say A can ping B, but B can't ping A,
that's pinging by IP address, right? I notice that you have neither
DNS nor WINS enabled, nor WINS proxying, so I'm
On 13 Dec 2001, at 15:54, Suleyman Kutlu wrote:
Hi everybody.
The question below may seem stupid to you, but I am not an expert on RPC
stuff.
At one of our customers, I have two machines running software that communicates
via RPC. One of the machines is on the Intranet (secure network)
On 6 Dec 2001, at 12:16, Paul Robertson wrote:
On Wed, 5 Dec 2001, Richard Saddington wrote:
The point I was hoping to get feedback on was altering an existing rulebase
to incorporate changes in an organisations security policy. Should the whole
rulebase be reworked or can extra rules
... which you already noted.
But observe that, unlike the #5/#7 pair,
Global 172.16.28.4 Local 10.2.0.4 static nconns 1 econns 0 flags s
Global 172.16.28.5 Local 10.2.0.5 static nconns 0 econns 0 flags s
Global 192.168.0.6 Local 10.2.0.5 static nconns 0 econns 0 flags s
there's
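As an added example (not from the original post), a parser for xlate lines in the format quoted above, with a check for the situation the three lines illustrate: one local host (10.2.0.5) reachable through two different static global addresses, while 10.2.0.4 has only one. The regex is my reading of that line format and assumes static entries; dynamic xlates may print differently and are simply skipped. The sample text is the three lines from the post.

```python
import re
from collections import defaultdict

# One static xlate line: "Global <ip> Local <ip> static nconns N econns N flags F"
XLATE_LINE = re.compile(
    r"^Global\s+(?P<glob>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"Local\s+(?P<local>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(?P<kind>static\s+)?nconns\s+(?P<nconns>\d+)\s+"
    r"econns\s+(?P<econns>\d+)\s+flags\s+(?P<flags>\S+)\s*$"
)


def parse_xlate(text: str) -> list:
    """Parse xlate output into a list of dicts; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = XLATE_LINE.match(line.strip())
        if not m:
            continue
        entries.append({
            "global": m.group("glob"),
            "local": m.group("local"),
            "static": m.group("kind") is not None,
            "nconns": int(m.group("nconns")),
            "econns": int(m.group("econns")),
            "flags": m.group("flags"),
        })
    return entries


def multi_global_locals(entries) -> dict:
    """Local hosts that are exposed through more than one static global address.

    Each extra global address is another way to reach the same inside host,
    so each one needs its own conduit/ACL review.
    """
    by_local = defaultdict(list)
    for e in entries:
        if e["static"]:
            by_local[e["local"]].append(e["global"])
    return {local: sorted(globs) for local, globs in by_local.items() if len(globs) > 1}


def duplicate_globals(entries) -> dict:
    """Global addresses mapped to more than one local host, which is a misconfiguration."""
    by_global = defaultdict(set)
    for e in entries:
        by_global[e["global"]].add(e["local"])
    return {g: sorted(locals_) for g, locals_ in by_global.items() if len(locals_) > 1}


# The three xlate lines quoted in the post.
SAMPLE_XLATE = """\
Global 172.16.28.4 Local 10.2.0.4 static nconns 1 econns 0 flags s
Global 172.16.28.5 Local 10.2.0.5 static nconns 0 econns 0 flags s
Global 192.168.0.6 Local 10.2.0.5 static nconns 0 econns 0 flags s
"""
```

Running `multi_global_locals(parse_xlate(SAMPLE_XLATE))` reports 10.2.0.5 with both of its global addresses, which is the asymmetry the post is pointing at relative to the single mapping for 10.2.0.4.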
On 4 Dec 2001, at 10:39, Rick Brown wrote:
This is a little off topic but I thought you guys would be the
ones to ask. I only have a mail server and a web server (for
web-based email access) in my DMZ. Do I have to have a DNS server
in the DMZ or can I just use my ISP's DNS? I have an
On 4 Dec 2001, at 17:50, Anup Manjrekar wrote:
Dear ALL,
Two questions.
1. Could someone tell me how do i block Napster on my Sonicwall
PRO Firewall?
Wrong approach. The right way to do this is to block everything,
and then unblock the things that your network policy says you
On 4 Dec 2001, at 12:00, Rick Brown wrote:
I guess I'm just over-thinking it! So what's the most secure way
of allowing my internal DNS to query the ISP's DNS for internet
address resolution? The internal DNS server is W2K.
Well, the only reason that an internal client would ask the
On 28 Nov 2001, at 13:56, Kent Hundley wrote:
If users on Comcast could not connect to your 30xx series box, the
only way that they could have been blocking this traffic would have
been either blocking packets with your VPN box as the dst IP
(unlikely), or blocking some or all of the UDP
Our Cisco 30xx *did* NAT transparency. Our users behind NAT had no
trouble connecting to it.
Our user on ComCast could not establish a connection to it. Their
AUP said their users couldn't use VPNs, and they configured their
network to try to prevent it -- successfully, in the case of
On 28 Nov 2001, at 11:49, Dave Horsfall wrote:
On Tue, 27 Nov 2001, Ron DuFresne wrote:
Has anyone else noted the disparagingly high frequency of this HTML crap
leaking to this text-based list as of late:
Yeah; one day I'm gonna start dropping HTML mail on sight...
I have a buddy
On 23 Nov 2001, at 16:06, Jun Zhu wrote:
BTW, I am not a malicious employee, I just hate the
restrictions and being untrusted.
You're not *malicious*, you just want to violate your employer's
network policy
My recommendation: If you want to do stuff your employer doesn't
allow, do it
I believe it was actually ComCast, a reseller of @home cable
service. I believe they block GRE and perhaps also ports used by
IKE; this has nothing to do with NAT.
They also clearly include VPN usage as prohibited by their AUP,
along with bandwidth reselling and other commercial uses. So
On 10 Nov 2001, at 13:57, Bernd Eckenfels wrote:
I have a question concerning VLANs (trunk ports). Have you done
some basic research on available VLAN switches? Are those
implementations secure enough to single out virtual LANs, or are they
vulnerable to attacks?
Instead of using a VLAN and a
One of the things that I liked about it was the ability to
authenticate against our production domains.
That typically meant that our users could boot and authenticate
locally for local operation, and were only forced to connect to the
VPN and authenticate against the network domain when
On 24 Oct 2001, at 20:43, Kuff, Hal wrote:
How does one go about using two isp's with a Pix and a gateway
router and ensure packets coming in from ISPA go back to ISPA
rather than ISPB?
There's no *general* way to do this; BGP is about as close as it
gets, and I don't think the PIX
One of two things is true:
1. Your email server is misconfigured. Any blacklist service worth
worrying about will gladly point you to resources which explain how
to correct this. The issue is at the mail server level, and it is
really not appropriate to try to fix this with a
I believe it will depend on the configuration of your internal DNS
server(s).
As I understand it (it has been a little while), your DNS server
has a choice of making the request on the workstation's behalf, and
sending back the response when it arrives, or telling the
workstation to
Any other ideas?
I'd be tempted to put a router behind the PIX, for a couple of
reasons; in this case, it happens to give you somewhere you *know*
you can put the ARP statement. (Well, actually, since I would put
these servers in a DMZ, there'd need to be a router *there* for
On 21 Sep 2001, at 10:30, [EMAIL PROTECTED] wrote:
If you are looking for clues about incoming packets, also look at
the source address. We seem to have a lot of packets which use a
well-known in source port to attempt to evade simple packet filters
that allow established connections on
I see 172.165.x.x addresses spoofed (probably by accident, by
people who meant to type 172.16.x.x) that if this were connectionless
traffic, I wouldn't leap to blame AOL for it. But having an
established TCP connection makes it much more likely that this really
is from them
DG
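An added example (mine, not from either post above) covering two things raised in this thread: the outbound ACLs that should stop RFC 1918 sources leaving a remote POP, and the observation that 172.165.x.x is a typo for 172.16.x.x rather than private space, so a pure RFC 1918 filter will never catch it and only a check against the prefix the site actually owns will. It is written in Python rather than Cisco ACL syntax so it can be run over log lines; the flow-log format and all addresses below are constructed.

```python
import ipaddress

# Source ranges that should never appear as the source of traffic leaving a site:
# RFC 1918 plus the obvious non-routable blocks. Extend to taste.
NON_ROUTABLE_SOURCES = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "0.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
)]


def is_non_routable(addr: str) -> bool:
    """True when addr falls in a range that must not be routed to the Internet."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in NON_ROUTABLE_SOURCES)


def parse_flow(line: str):
    """Constructed flow-log format: '<ts> <proto> <src>:<sport> > <dst>:<dport>'."""
    parts = line.split()
    if len(parts) != 5 or parts[3] != ">":
        return None
    src = parts[2].rsplit(":", 1)[0]
    dst = parts[4].rsplit(":", 1)[0]
    try:
        ipaddress.ip_address(src)
        ipaddress.ip_address(dst)
    except ValueError:
        return None
    return {"ts": parts[0], "proto": parts[1], "src": src, "dst": dst}


def egress_violations(lines, site_prefix: str) -> list:
    """Outbound flows a POP border filter should drop.

    Two independent checks: the source is non-routable (the RFC 1918 leak the
    first post asks about), or the source is outside the prefix this site owns
    (spoofed or mistyped, e.g. 172.165.x.x where 172.16.x.x was meant).
    """
    site = ipaddress.ip_network(site_prefix)
    hits = []
    for line in lines:
        flow = parse_flow(line)
        if flow is None:
            continue
        src = ipaddress.ip_address(flow["src"])
        if is_non_routable(flow["src"]):
            hits.append((flow["ts"], flow["src"], "rfc1918/non-routable source"))
        elif src not in site:
            hits.append((flow["ts"], flow["src"], "source outside %s" % site))
    return hits


# Constructed sample flows; 198.51.100.0/24 plays the part of the POP's own prefix.
SAMPLE_FLOWS = [
    "12:00:01 tcp 198.51.100.20:51234 > 203.0.113.9:80",
    "12:00:02 udp 172.16.4.7:1025 > 203.0.113.53:53",
    "12:00:03 tcp 192.168.1.10:4000 > 203.0.113.9:443",
    "12:00:04 tcp 172.165.12.3:3000 > 203.0.113.9:22",
    "12:00:05 tcp 198.51.100.77:22 > 203.0.113.9:22",
]
```

The `elif` is deliberate: a site-prefix check alone would already catch the RFC 1918 leaks, but tagging them separately tells you whether you are looking at a routing or NAT leak or at an address somebody typed wrong.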
On 11
On 12 Sep 2001, at 16:00, Volker Tanger wrote:
Greetings!
Johnston Mark schrieb:
I have set up a PIX firewall with VPN capabilities. Everything seems
to be working except for WINS. I dont want to go through the whole
configuration, but I'm calling on anyone that has run into the same
Somebody is trying to send email to your system, but the hostname
that they are supplying in the HELO command, when resolved via DNS,
is returning a different IP address. Your IDS is reporting the
mismatch as an attempt by the sending machine to impersonate (spoof)
the source email
On 8 Sep 2001, at 22:41, Paul D. Robertson wrote:
Some switches will still broadcast packets when their buffers
start to get saturated, or if they get too many entries in their
ARP tables- if you really need separation, then things should be
physically separated and routed (per-port costs go
On 10 Sep 2001, at 14:24, Paul Robertson wrote:
On Mon, 10 Sep 2001 [EMAIL PROTECTED] wrote:
On 8 Sep 2001, at 22:41, Paul D. Robertson wrote:
Some switches will still broadcast packets when their buffers
start to get saturated, or if they get too many entries in their
ARP
On 10 Sep 2001, at 17:10, Paul Robertson wrote:
I'm a huge fan of buying more small routers and dumb hubs if
possible rather than switches, because I really, really, really
like layer 3 separation- I think it provides significant
protection, which is why you'll often see me ranting about
It's pretty clear that local network policy is to provide Internet
access only to authorized users. Any hack that lets you bypass
this policy is probably both (a) a policy violation itself, and (b) a
bug which may be fixed by installation of a newer FW-1 version.
Therefore, your
On 11 Jul 2001, at 9:32, simon chan wrote:
Hi list,
I have lots of error like the one below,
The description for Event ID ( 1 ) in Source ( FW1 ) cannot
be found. The local computer may not have the necessary
registry information or message DLL files to display
messages from a remote
The thought of combining VPN with transparent mode makes my
poor little brain hurt. It wouldn't surprise me if that combination
turned out to be not (yet?) supported
David Gillett
On 9 Jul 2001, at 18:05, Henrik Grankvist wrote:
Hello!
I'm having some trouble getting a vpn
I doubt that any 100% hardware solution exists today, and I'm not
certain that such a thing, if possible, is necessarily desirable or
useful.
I think a more typical taxonomy divides the field into:
1. Hardware: Dedicated devices/appliances. Technically, this would
include both
I have not seen any significant impact on bandwidth. The quick
discovery thing seems to happen about twice a day, on average.
I *have* seen other difficulties. Like PCanywhere, also a Symantec
product, this discovery code assumes that all of your address blocks
are entire class B/C
Enabling promiscuous mode with the standard NT Network Monitor is a
not-officially-documented registry hack.
The SMS version allows you to view Network Monitor data being
collected on/by other machines.
David Gillett
On 19 Jun 2001, at 10:49, Paul Murphy wrote:
As I recall, the
On 22 Jun 2001, at 11:58, Truman Boyes wrote:
FTP being the worst, security wise, of protocols, you are correct. I would
not trust a packet filter to handle the deed, but depending on what you
are trying to accomplish it may suffice. Some routers (cisco, others) do
support software features
I'm baaak...
On 14 Jun 2001, at 14:55, mouss wrote:
At 14:24 13/06/01 -0400, Michael T. Babcock wrote:
And without IOS source, that would certainly be... challenging...
I quite agree.
I disagree ... many, many buffer overflow exploits in closed-source
software packages
Well, from a firewall perspective, 1-65535 are all about equally
vulnerable.
A handful of ports may offer compelling business reasons why the
risk must be taken. Sometimes the risk can be mitigated by
restricting the addresses that may use the port.
If you don't know what a port is
Well, if your pipe to the Internet is a T1 (1.54Mbps), you won't
see any difference between 10Mbps and 100Mbps interfaces on your
firewall. But the -100 also adds things like load balancing that you
might have a need for
I haven't had a chance to try out PIX v6.0 yet, but the
Well, at ~$20,000, the Cisco 7206 VXR router was competitive with
the alternative, an HSSI *interface* for our Cisco 3660 router.
(These were, however, to handle a DS-3, burstable up to 45Mbps.)
Good networking equipment that handles lots of bandwidth carries
pricetags. Yes, you can
You haven't really given us much to go on -- no clue what the
address range is, whether there are other machines on it, what
make/model/version VPN it is, whether it's being used to provide site-
to-site connectivity or remote individual connectivity. Not even
what the geographical region
Okay, thanks!
So, if J Random Prober were to try to ping any address in your
range on that link, he'd see no machines there. (The only populated
addresses are the router interface and the IPSEC box, and with your
ACLs he shouldn't see those either.)
Then, so far as he's concerned,
Thanks, Richard! I have no trouble opening the copy you sent.
The last paragraph on page i sounds like too many organizations
I've worked with -- the folks who understand the risks draft policy
recommendations and forward them to those with the authority to
promulgate them (and who often
The obvious way to avoid the DNS issue is to have a static
address for the client to find the server, and then hand the built
connection off to the thing that shuffles IPs.
Of course, that static address becomes the obvious target for, if
not intrusions, DoS attacks, and *if this is in
If you can use 192.168.5 instead of .3, you could get away with
plugging all of the DMZ equipment, including both sides of the load-
balancer, into a single segment, and use a 23-bit subnet mask. Or
renumber 192.168.4.n as 192.168.3.n+m
That assumes that the load-balancer can cope
Anyone have any ideas/suggestions as to what other steps could be
done?
Disallow SMTP connects *to* (as opposed to *through*) their
firewall? You did seem to indicate that it is the firewall that is
being used to relay, not the server
Of course, it's possible that what they
Could you tell us a little about your needs? i.e., do you need
anything the NetScreen-100 does that the -10 doesn't do? Why a PIX
515 and not 520?
The real question shouldn't be which is best? but which is best
for your needs and/or budget?
David Gillett
On 13 Jun 2001, at 8:32, Paul
On 13 Jun 2001, at 14:24, Michael T. Babcock wrote:
And without IOS source, that would certainly be... challenging...
I quite agree.
I disagree ... many, many buffer overflow exploits in closed-source
software packages have been discovered by trial and error, without
any use of
Technically, it means the program counter got an illegal address
in it.
One of the ways this could happen is via a buffer overflow, which
may potentially be exploitable (although exploiting it will be much
harder than making it bus error).
David Gillett
On 12 Jun 2001, at 12:59, Dave
There are a couple of different ways to implement traceroute, and
some may use IP protocols such as ICMP that do not use port numbers.
However, the ones that *do* use, as I recall, 32768+666+n, where n
gets incremented as necessary. So if you're watching a traceroute go
by, you're likely
So David how do you create a buffer overflow condition on this
router? Hmm?
Send an oversize packet to one of its interfaces, I expect, just as
one does with any other kind of net-connected computer.
And Dave which counter got a bad value?
If you've *ever* worked at the
Traceroute sends a series of packets with the same destination
address, gradually increasing the TTL, and watches for TTL expired
responses from routers. But it will only wait so long for a response
before sending the next probe, so it needs some way to distinguish a
response to the
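As an added example (not from the original posts), the matching logic the two traceroute posts above describe: UDP probes go to 32768+666+n, i.e. 33434 onward, and the only way to pair a router's ICMP Time Exceeded with the probe that triggered it is to read the original UDP destination port back out of the quoted datagram inside the ICMP message. The packet builder exists only to construct a sample reply offline; all addresses are constructed, IP checksums are left zero, and the parser does not validate them.

```python
import socket
import struct

TRACEROUTE_BASE_PORT = 32768 + 666  # 33434, the classic starting port


def probe_port(seq: int, base: int = TRACEROUTE_BASE_PORT) -> int:
    """Destination port of the seq-th probe; the TTL is seq+1 in a 1-probe-per-hop run."""
    return base + seq


def _ipv4_header(src: str, dst: str, proto: int, ttl: int, payload_len: int) -> bytes:
    # Version 4, IHL 5, no options. Checksum left 0: constructed sample, not validated.
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, ttl, proto, 0,
                       socket.inet_aton(src), socket.inet_aton(dst))


def build_time_exceeded(router: str, prober: str, target: str, dst_port: int,
                        src_port: int = 40000) -> bytes:
    """Constructed ICMP Time Exceeded (type 11) as a router would send it back to the prober.

    The ICMP body quotes the expired probe: its IP header plus the first 8 bytes
    of the UDP header, which is where the probe's destination port survives.
    """
    inner_udp = struct.pack("!HHHH", src_port, dst_port, 8, 0)
    inner_ip = _ipv4_header(prober, target, 17, 1, len(inner_udp))
    icmp = struct.pack("!BBHI", 11, 0, 0, 0) + inner_ip + inner_udp
    return _ipv4_header(router, prober, 1, 64, len(icmp)) + icmp


def match_probe(packet: bytes, base: int = TRACEROUTE_BASE_PORT):
    """Pair an ICMP reply with the UDP probe that caused it.

    Returns (reporting_router, probe_seq, kind) where kind is "ttl-expired" for a
    router on the path or "unreachable" for the port-unreachable the target itself
    sends when the probe finally arrives; None for anything that is not a reply
    to one of our probes.
    """
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != 1 or len(packet) < ihl + 8:  # must be ICMP with a full header
        return None
    router = socket.inet_ntoa(packet[12:16])
    icmp_type = packet[ihl]
    if icmp_type == 11:
        kind = "ttl-expired"
    elif icmp_type == 3:
        kind = "unreachable"
    else:
        return None
    quoted = packet[ihl + 8:]
    if len(quoted) < 20:
        return None
    q_ihl = (quoted[0] & 0x0F) * 4
    if quoted[9] != 17 or len(quoted) < q_ihl + 8:  # quoted datagram must be our UDP probe
        return None
    _, dst_port, _, _ = struct.unpack("!HHHH", quoted[q_ihl:q_ihl + 8])
    seq = dst_port - base
    if seq < 0:
        return None
    return router, seq, kind
```

From a firewall's point of view this is also why a traceroute shows up in logs as a run of UDP packets to consecutive high ports: the port is the sequence number, not a service anybody is listening on.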
It's a C O M P U T E R.
It runs software (IOS); that software could have bugs or
compromises.
The primary function of that software is to receive and forward
packets intended for other machines, and to do reasonable things with
packets that cannot, for some reason, be forwarded.
It's
Some of the components of my bandwidth are leased; others, such as
the router's CPU cycles, are not. At best, I think leasing might
change Who is considered the victim, not whether there is a crime --
I guess it could depend whether I get billed for the borrowed
bandwidth or not
David
All I get is a blank page. Is that the joke, or do I need to
update my Acrobat Reader software?
In general, when people post links on mailing lists, I consider it
reasonable for them to attach a one- or two-line synopsis, not just
Look at this!
David Gillett
On 12 Jun 2001, at 9:46,
Do you allow connections directly *to* the external interface? Can
you get away with disallowing them?
If you had a sniffed record of the traffic just before the crash,
it might be possible to tell. If it keeps happening, I'd put a
sniffer on and look for traffic destined for that
On 13 Jun 2001, at 9:43, Dave Horsfall wrote:
On Tue, 12 Jun 2001 [EMAIL PROTECTED] wrote:
Technically, it means the program counter got an illegal address
in it.
One of the ways this could happen is via a buffer overflow, which
may potentially be exploitable (although
We're in total agreement then. I just wanted to clarify that the
egress filtering by ISPs has to be at the end-user portions of their
networks, not (necessarily) the exits from their networks at peering
points.
David Gillett
On 10 Jun 2001, at 9:59, Paul D. Robertson wrote:
On Sun, 10