Yes, I know what you mean...similar to VPN default filter generation on IP Passthrough. Perhaps it was like this to begin with so people without a clue could create a tunnel then default filter set and be running. I agree with you on how it should be generated though.
On Mon, 31 Jul 2000 08:38:18 -0400, you wrote:

>--------------------- Attention -----------------------------
>Online GNAT Box User Forum is Now Open
>Click the Register link and sign up today
>http://www.gnatbox.com/cgi-bin/Ultimate.cgi
>-------------------------------------------------------------
>Send postings to: [EMAIL PROTECTED]
>Access the list archives at: http://www.gnatbox.com/gb-users/
>-------------------------------------------------------------
>The point is that I *DID* look my configuration over, but missed
>this. Normally I leave those filters in the configuration, but
>disable them.
>
>My point is that with a simple change, the Default Filter set
>could be made to err much more on the side of blocking too
>much (which is usually discovered and corrected quickly, as it
>tends to be very obvious in testing) rather than erring on
>the side of being too promiscuous, which is much more likely
>to be missed, and has much more serious consequences.
>
>Mike Burden
>Lynk Systems
>(616)532-4985
>[EMAIL PROTECTED]
>
>
>-----Original Message-----
>From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
>Sent: Sunday, July 30, 2000 12:54 PM
>To: Chris Green
>Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED]
>Subject: Re: DEFAULT: Allow all networks to access inbound tunnel
>
>
>If you create a tunnel there is a checkbox to allow all, however, you
>have to check it. If you generate default filter set after you create
>a tunnel it will make a filter for the tunnel you created. However,
>you should never rely on a default filter set and you should have at
>LEAST looked them over. We all make mistakes...hopefully your
>customer will understand.
>
>On Fri, 28 Jul 2000 20:35:30 CDT, you wrote:
>
>>None of my Gnatboxes have this filter you speak of.
>>
>>Chris Green
>>
>>
>>>From: "Michael W. Burden" <[EMAIL PROTECTED]>
>>>To: <[EMAIL PROTECTED]>
>>>Subject: DEFAULT: Allow all networks to access inbound tunnel
>>>Date: Fri, 28 Jul 2000 18:03:24 -0400
>>>
>>>Dangit, dangit, dangit!
>>>
>>>I missed disabling one of those "DEFAULT: Allow all networks to
>>>access inbound tunnel" filters. Someone port scanned the Customer,
>>>and now I look like an idiot.
>>>
>>>Can anyone see ANY reason for those filters now that the GNAT Box
>>>has the check-box to create one when you create the tunnel?
>>>At the very least, I think they should be disabled by default!
>>>
>>>If I wanted an Accept Any/All filter, I would have checked the box
>>>for it when I created the tunnel! If I didn't check the box,
>>>don't give me an Accept Any/All filter I didn't ask for!!
>>>(Whatever happened to the "anything not explicitly allowed is
>>>denied" mentality? If I make a mistake I want the GNAT Box to
>>>err on the side of too much security, not too little!)
>>>
>>>
>>>Mike Burden
>>>Lynk Systems
>>>(616)532-4985
>>>[EMAIL PROTECTED]
>>>
>>>----------------------------------------------
>>>To Unsubscribe: send mail to [EMAIL PROTECTED]
>>>with "unsubscribe gb-users your_email_address
>>>in the body of the message
