> Yes, you can use anything as a transport, probably even pigeon
> carriers, but you need a receiving end to effect anything.
Indeed, see RFCs 1149 and 2549... two excellent April Fools
on avian carriers!
> So, unless
> you fear that someone is able to install a trojan on your OpenBSD
> server b
Hi Dag,
I find myself pressed to rant a bit on the myths you spread because I
come across such arguments all too often, and they are, umm, unfounded.
On Sun, 17.12.2006 at 20:03:08 -0800, Dag Richards <[EMAIL PROTECTED]> wrote:
> Tools can be written to use icmp as a transport, obviously anything
On Monday 18 December 2006 19:29, Jon Radel wrote:
>
> I suppose it all comes down to such unresolvable matters such as "is
> making it harder for outsiders to map your network merely security
> through obscurity, which is naturally below the dignity of any right
> thinking network engineer, or doe
Dag Richards wrote:
> Such a user can use http or
>> better yet https as a transport as well or a floppy, usb hard drive,
>> usb thumb
>> drive, and email (especially with an encrypted attachment so that your
>> filter
>> can see what it is). Hell they can print it out and carry it in their
>> br
> smith wrote:
Blocking icmp violates RFC rules which means in a nutshell weird things will
happen on your network.
Buda says :
"Amen... obey RFC 1122. "
RFC compliance is almost always a good reason to do something.
So I have learned something I apparently should already have known.
i.
* Dag Richards <[EMAIL PROTECTED]> [2006-12-18 06:10]:
> I block all inbound traffic to my networks not required for operations.
(most of) icmp qualifies as required for operations. especially
including echo-request and -reply.
--
Henning Brauer, [EMAIL PROTECTED], [EMAIL PROTECTED]
BS Web Serv
On Sun, 17 Dec 2006 20:03:08 -0800, Dag Richards wrote
> Jason Dixon wrote:
> > On Dec 17, 2006, at 6:28 PM, Dag Richards wrote:
> >
> >> Jason Dixon wrote:
> >>
> >>> Your security staff is clueless. I bet they like to block icmp
> >>> echo- request too.
> >>
> >>
> >> Erm, I don't think I
Marco S Hyman wrote:
> To me (and I'll be the first to
> admit that this is nothing but opinion and I won't pretend that my opinion
> is any better than yours) I see more harm than good in blocking icmp.
> I like it when other people tell me I've screwed something up because I
> can find it and
> servers with services running we want public. Why should I allow
> someone to ping my dns server?
If I'm having problems resolving a host address that is supposed
to be handled by your server one of the first things I'll do is
see if I have general connectivity to your server. I'll ping it
On Mon, 18 Dec 2006 00:34:20 -0500
Jason Dixon <[EMAIL PROTECTED]> wrote:
>
> You don't use icmp echo-request for your network operations? Do you
> think you're gaining something by filtering ping on your firewall?
>
Amen... obey RFC 1122.
3.2.2.6 Echo Request/Reply: RFC-792
On Dec 17, 2006, at 11:03 PM, Dag Richards wrote:
Jason Dixon wrote:
On Dec 17, 2006, at 6:28 PM, Dag Richards wrote:
Erm, I don't think I am clueless, often a sign of cluelessness
I am sure ... However. I block inbound icmp, well actually
inbound anything not shown to be required f
Jason Dixon wrote:
On Dec 17, 2006, at 6:28 PM, Dag Richards wrote:
Jason Dixon wrote:
Your security staff is clueless. I bet they like to block icmp
echo- request too.
Erm, I don't think I am clueless, often a sign of cluelessness I
am sure ... However. I block inbound icmp, well
On Monday 18 December 2006 07:28, Dag Richards wrote:
> What about this is cluelez? I ask in a tone not of belligerence, but a
> desire to be informed by my betters.
Blocking icmp is a) totally pointless, and b) makes troubleshooting much more
difficult.
---
Lars Hansson
On Dec 17, 2006, at 6:28 PM, Dag Richards wrote:
Jason Dixon wrote:
Your security staff is clueless. I bet they like to block icmp
echo- request too.
Erm, I don't think I am clueless, often a sign of cluelessness I
am sure ... However. I block inbound icmp, well actually inbound
any
Jason Dixon wrote:
On Dec 17, 2006, at 2:51 PM, carlopmart wrote:
Philip Guenther wrote:
On 12/17/06, carlopmart <[EMAIL PROTECTED]> wrote:
Somebody knows if exists some option to put on rc.conf file like
FreeBSD does with ipv6_enable="NO" option to disable IPv6 support on
OpenBSD 4.0?