Going through some old email, sorry for the anachronism.
On 10/4/06, Bill Marquette <[EMAIL PROTECTED]> wrote:
> Sorry, but I do not agree totally with you: the thing I love with pfSense is
> that it is possible to install it everywhere, so it could be a _real_
> competitor to enterprise product
On 10/6/06, Chris Buechler <[EMAIL PROTECTED]> wrote:
Scott Ullrich wrote:
> It is a delayed IDS. Generally an IPS hooks into the network stack
> directly and does not allow the traffic to pass through until it's
> scanned.
Yep, sometimes these are called intrusion reaction systems, reactive
f
On 9/20/06, Sam Newnam <[EMAIL PROTECTED]> wrote:
I've read a couple of places but couldn't find a clear answer to whether SQUID
or another intrusion detection system had been integrated yet.
SQUID is a cache, not a NIDS.
--
Enhance your calm, fellow citizen; it's just ones and zeroes.
Unix "guru" f
Ewww, HTML in email. You are aware of the dangers of using a browser
to read email, right?
I am also trying to avoid cascading pfsense boxes, like routing from one to
another, and the second doing the NAT - as it is the opposite of high
availability.
The way this is normally done for HA i
On 9/1/06, Andrew C Burnette <[EMAIL PROTECTED]> wrote:
Yes, short answer is, if you can't trust your filesystem (or more
directly the OS with access to it), you've already been owned, and the
train has already left the station.
Well, there is a class of vulnerabilities which grant read access
On 8/29/06, DarkFoon <[EMAIL PROTECTED]> wrote:
I was looking through my XML configuration recently, and I noticed that my
Dynamic DNS password is not encrypted like the PFsense password is.
It seems to me that this is a rather important password and should be
encrypted (if possible).
This is a
On 8/18/06, Chris Godwin <[EMAIL PROTECTED]> wrote:
If I disable the bimap while pinging, the pings
still come through.
Because the state for the outbound ICMP echo request is still in the
state table.
If I disconnect and reconnect hamachi after the bimap
has been deleted the hosts become unr
http://www.loganalysis.org/
For all your log analysis needs.
--
http://www.lightconsulting.com/~travis/ -><-
"We already have enough fast, insecure systems." -- Schneier & Ferguson
GPG fingerprint: 50A1 15C5 A9DE 23B9 ED98 C93E 38E9 204A 94C2 641B
> ssh needs to be open on the WAN interface and all users that have a real shell
> could be disabled for security concerns.
Be careful when trying to disable users via their login shell:
http://www.csh.rit.edu/~psionic/articles/ssh-security/
--
http://www.lightconsulting.com/~travis/ -><-
"We already hav
> > Note that not all proxies are equal: I have found that some HTTP
> > proxies work with GET/POST/HEAD but don't support CONNECT, which is
> > essential for streaming.
>
> Yes. We are speaking about Squid, don't we??
You may be. I'm speaking generally of HTTP proxies. I do not know
the details
SIP just isn't firewall/NAT friendly.
I've been thinking of writing a pcap-based sniffer that modifies
firewall rules using my dfd_keeper stuff to support SIP and other
protocols across a pf firewall.
Of course, with IAX/IAX2 it's much easier, since they only use one UDP
port. If you can talk SI
I want to mention that you can also use SOCKS as a proxy. Many
clients support this non-transparently (as a configuration option),
and you could maybe even do it transparently.
Keeping the proxy on the gateway host will reduce the latency compared
with having it on a separate host (TCP connection
On 9/26/05, Greg Hennessy <[EMAIL PROTECTED]> wrote:
> > so it's safe to assume that internet -> WAN stuff should be
> > blocked. but for internal access between my LAN/OPT
> > interfaces and outbound WAN i can use reject and it wouldn't
> > be considered bad form?
Hmm, rejecting on the outbound W
On 9/21/05, A Rossi <[EMAIL PROTECTED]> wrote:
> I was thinking of payload inspection as a way to check to see if the payload
> contains requested data (like HTML, or mp3 or whatever the user is
> downloading) to make sure that it doesn't contain infected data (with a worm
> or such) that is piggyb
> it's not the language, it's the programmer.
I disagree. C has many constructs that are far too easy to handle
incorrectly, such as buffer handling, pointer manipulation, and the
string functions. The string functions are so non-intuitive in
several important corner cases that OpenBSD created a n
Well it's not set in stone.
C seems too unsafe a language to me in which to write security applications.
--
http://www.lightconsulting.com/~travis/ -><-
GPG fingerprint: 50A1 15C5 A9DE 23B9 ED98 C93E 38E9 204A 94C2 641B
Hello,
I am the author of dfd_keeper, a tool for manipulating pf firewalls.
I thought you guys might be interested in evaluating it for inclusion
into pfsense.
You may find further information here:
http://www.lightconsulting.com/~travis/dfd/
You may browse the code here:
http://www.lightconsulti