The point is that I *DID* look my configuration over, but missed
this.  Normally I leave those filters in the configuration, but
disable them.

My point is that with a simple change, the Default Filter set
could be made to err much more on the side of blocking too
much (which is usually discovered and corrected quickly, as it
tends to be very obvious in testing) rather than erring on
the side of being too promiscuous, which is much more likely
to be missed, and has much more serious consequences.

Mike Burden
Lynk Systems
(616)532-4985
[EMAIL PROTECTED]


-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Sunday, July 30, 2000 12:54 PM
To: Chris Green
Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: Re: DEFAULT: Allow all networks to access inbound tunnel


If you create a tunnel there is a checkbox to allow all, however, you
have to check it.  If you generate default filter set after you create
a tunnel it will make a filter for the tunnel you created.  However,
you should never rely on a default filter set and you should have at
LEAST looked them over.  We all make mistakes...hopefully your
customer will understand.

On Fri, 28 Jul 2000 20:35:30 CDT, you wrote:

>--------------------- Attention -----------------------------
>Online GNAT Box User Forum is Now Open
>Click the Register link and sign up today
>http://www.gnatbox.com/cgi-bin/Ultimate.cgi
>-------------------------------------------------------------
>Send postings to: [EMAIL PROTECTED]
>Access the list archives at: http://www.gnatbox.com/gb-users/
>-------------------------------------------------------------
>
>None of my Gnatboxes have this filter you speak of.
>
>Chris Green
>
>
>>From: "Michael W. Burden" <[EMAIL PROTECTED]>
>>To: <[EMAIL PROTECTED]>
>>Subject: DEFAULT: Allow all networks to access inbound tunnel
>>Date: Fri, 28 Jul 2000 18:03:24 -0400
>>
>>Dangit, dangit, dangit!
>>
>>I missed disabling one of those "DEFAULT: Allow all networks to
>>access inbound tunnel" filters.  Someone port scanned the Customer,
>>and now I look like an idiot.
>>
>>Can anyone see ANY reason for those filters now that the GNAT Box
>>has the check-box to create one when you create the tunnel?
>>At the very least, I think they should be disabled by default!
>>
>>If I wanted an Accept Any/All filter, I would have checked the box
>>for it when I created the tunnel!  If I didn't check the box,
>>don't give me an Accept Any/All filter I didn't ask for!!
>>(Whatever happened to the "anything not explicitly allowed is
>>denied" mentality?  If I make a mistake I want the GNAT Box to
>>err on the side of too much security, not too little!)
>>
>>
>>Mike Burden
>>Lynk Systems
>>(616)532-4985
>>[EMAIL PROTECTED]
>>
>>----------------------------------------------
>>To Unsubscribe: send mail to [EMAIL PROTECTED]
>>with "unsubscribe gb-users your_email_address
>>in the body of the message
>
