On Mon, 9 April 2001 21:40, Jim Breton wrote:
On Mon, Apr 09, 2001 at 03:20:00PM -0400, Noah L. Meyerhans wrote:
Ask yourself this: *Why* should ICMP be filtered? What are you gaining?
Do you sleep better at night knowing that your machine won't respond to
pings? It really doesn't
Apr 9 00:03:20 dino kernel: NAT: 0 dropping untracked packet c688a860 1 y.y.y.y -
x.x.x.x
This seems to me like the problems I was having with icmp packages being
dropped when using mtr, Rusty Russell has been around this weekend and he
has produced a patch to solve this, even though he
On Tue, Apr 10, 2001 at 12:13:52PM +0200, Vaclav Hula wrote:
Ask yourself this: *Why* should ICMP be filtered? What are you gaining?
What are you gaining by responding to them?
RFC compliancy isn't enough? IMHO should be.
There's no RFC that states that you need to reply to echo
Hi,
What's wrong with the following ruleset that I can't do any DNS lookups from the
firewallhost ?
$IPCHAINS -P input ACCEPT
$IPCHAINS -P forward ACCEPT
$IPCHAINS -P output ACCEPT
$IPCHAINS -F
$IPCHAINS -X
# input rules
$IPCHAINS -A input -s $localnet -d $localnet -j ACCEPT
$IPCHAINS -A
On Tue, Apr 10, 2001 at 12:13:52PM +0200, Vaclav Hula wrote:
RFC compliancy isn't enough? IMHO should be.
Someone else has already responded to this; but no, RFC compliance
doesn't necessarily tell us the best thing to do for every situation.
Take syn cookies for example.
A decent policy
"Eugene van Zyl" [EMAIL PROTECTED] wrote:
Hi,
What's wrong with the following ruleset that I can't do any DNS
lookups from the firewallhost ?
--snip
# output rules
$IPCHAINS -A output -s $localnet -d $Any -j ACCEPT
You need output rules that allow dns queries for the
Hi,
today I had a discussion with somebody about the possibility of
ip-spoofing that affects the apache. In particular we were talking about
a cgi-script he implemented. The script is sort of an
online-voting-system. To avoid that someone clicks several
times he uses the source-IP and each IP
On Tue, Apr 10, 2001 at 08:29:10PM +0200, Clemens Hermann wrote:
Hi,
today I had a discussion with somebody about the possibility of
ip-spoofing that affects the apache. In particular we were talking about
a cgi-script he implemented. The script is sort of an
online-voting-system. To avoid
You need to initiate a TCP connection in order to send a HTTP request. This
imposes some constraints on the behaviour of an attacker.
I can see 2 immediate avenues of attack:-
1) Proxies - get someone else to send the HTTP request on your behalf :)
2) IP Address spoofing.
However, since this is a
Eugene van Zyl [EMAIL PROTECTED] writes:
What's wrong with the following ruleset that I can't do any DNS
lookups from the firewallhost ?
$IPCHAINS -P input ACCEPT
$IPCHAINS -P forward ACCEPT
$IPCHAINS -P output ACCEPT
Maybe this is just for testing purposes, but the best practices say
to