Re: Disable IPv6 on OpenBSD 4.0

2007-03-06 Thread Toni Mueller
Hi, On Sun, 17.12.2006 at 22:09:43 +0100, Ingo Schwarze [EMAIL PROTECTED] wrote: If they really force you to conform to that kind of security staff orders, minimize the breakage by using pf(4) - and pf only. In particular, do refrain from rolling your own kernel to remove IPv6. having

Re: Disable IPv6 on OpenBSD 4.0 - forking discussion to icmp echo request blockage

2006-12-21 Thread David Golden
On Monday 18 December 2006 19:29, Jon Radel wrote: I suppose it all comes down to such unresolvable matters such as is making it harder for outsiders to map your network merely security through obscurity, which is naturally below the dignity of any right thinking network engineer, or does it

Re: Disable IPv6 on OpenBSD 4.0 - forking discussion to icmp echo request blockage

2006-12-21 Thread Toni Mueller
Hi Dag, I find myself pressed to rant a bit on the myths you spread because I come across such arguments all too often, and they are, umm, unfounded. On Sun, 17.12.2006 at 20:03:08 -0800, Dag Richards [EMAIL PROTECTED] wrote: Tools can be written to use icmp as a transport, obviously anything

Re: Disable IPv6 on OpenBSD 4.0 - forking discussion to icmp echo request blockage

2006-12-21 Thread Igor Sobrado
Yes, you can use anything as a transport, probably even pigeon carriers, but you need a receiving end to effect anything. Indeed, see RFCs 1149 and 2549... two excellent April fools on avian carriers! So, unless you fear that someone is able to install a trojan on your OpenBSD server by

Re: Disable IPv6 on OpenBSD 4.0 - forking discussion to icmp echo request blockage

2006-12-18 Thread Henning Brauer
* Dag Richards [EMAIL PROTECTED] [2006-12-18 06:10]: I block all inbound traffic to my networks not required for operations. (most of) icmp qualifies as required for operations. especially including echo-request and -reply. -- Henning Brauer, [EMAIL PROTECTED], [EMAIL PROTECTED] BS Web

Re: Disable IPv6 on OpenBSD 4.0 - forking discussion to icmp echo request blockage

2006-12-18 Thread Dag Richards
smith wrote: Blocking icmp violates RFC rules which means in a nutshell weird things will happen on your network. Buda says : Amen... obey RFC 1122. RFC compliance is almost always a good reason to do something. So I have learned something I apparently should already have known. i.e.

Re: Disable IPv6 on OpenBSD 4.0 - forking discussion to icmp echo request blockage

2006-12-18 Thread Jon Radel
Dag Richards wrote: Such a user can use http or better yet https as a transport as well or a floppy, usb hard drive, usb thumb drive, and email (especially with an encrypted attachment so that your filter can see what it is). Hell they can print it out and carry it in their briefcase if

Disable IPv6 on OpenBSD 4.0

2006-12-17 Thread carlopmart
Hi all, Somebody knows if exists some option to put on rc.conf file like FreeBSD does with ipv6_enable=NO option to disable IPv6 support on OpenBSD 4.0? Or do I need to recompile kernel, modify sendmail.cf, etc, etc, etc ...?? In other words, do I need to reconfigure all process that need ipv6

Re: Disable IPv6 on OpenBSD 4.0

2006-12-17 Thread Philip Guenther
On 12/17/06, carlopmart [EMAIL PROTECTED] wrote: Somebody knows if exists some option to put on rc.conf file like FreeBSD does with ipv6_enable=NO option to disable IPv6 support on OpenBSD 4.0? Nope. No such option exists in OpenBSD. Or do I need to recompile kernel, modify sendmail.cf

Re: Disable IPv6 on OpenBSD 4.0

2006-12-17 Thread Dave Anderson
** Reply to message from carlopmart [EMAIL PROTECTED] on Sun, 17 Dec 2006 17:31:03 +0100 Somebody knows if exists some option to put on rc.conf file like FreeBSD does with ipv6_enable=NO option to disable IPv6 support on OpenBSD 4.0? Or do I need to recompile kernel, modify sendmail.cf, etc, etc

Re: Disable IPv6 on OpenBSD 4.0

2006-12-17 Thread carlopmart
Philip Guenther wrote: On 12/17/06, carlopmart [EMAIL PROTECTED] wrote: Somebody knows if exists some option to put on rc.conf file like FreeBSD does with ipv6_enable=NO option to disable IPv6 support on OpenBSD 4.0? Nope. No such option exists in OpenBSD. Or do I need to recompile

Re: Disable IPv6 on OpenBSD 4.0

2006-12-17 Thread Jason Dixon
On Dec 17, 2006, at 2:51 PM, carlopmart wrote: Philip Guenther wrote: On 12/17/06, carlopmart [EMAIL PROTECTED] wrote: Somebody knows if exists some option to put on rc.conf file like FreeBSD does with ipv6_enable=NO option to disable IPv6 support on OpenBSD 4.0? Nope. No such option

Re: Disable IPv6 on OpenBSD 4.0

2006-12-17 Thread Dave Anderson
** Reply to message from Jason Dixon [EMAIL PROTECTED] on Sun, 17 Dec 2006 15:17:01 -0500 On Dec 17, 2006, at 2:51 PM, carlopmart wrote: Yes, my security staff orders to disable IPv6 protocol on all our firewalls ... Your security staff is clueless. I bet they like to block icmp echo-

Re: Disable IPv6 on OpenBSD 4.0

2006-12-17 Thread Henning Brauer
* carlopmart [EMAIL PROTECTED] [2006-12-17 21:14]: Yes, my security staff orders to disable IPv6 protocol on all our firewalls ... block quick inet6 -- Henning Brauer, [EMAIL PROTECTED], [EMAIL PROTECTED] BS Web Services, http://bsws.de Full-Service ISP - Secure Hosting, Mail and DNS

Re: Disable IPv6 on OpenBSD 4.0

2006-12-17 Thread Ingo Schwarze
Jason Dixon wrote on Sun, Dec 17, 2006 at 03:17:01PM -0500: On Dec 17, 2006, at 2:51 PM, carlopmart wrote: Yes, my security staff orders to disable IPv6 protocol on all our firewalls ... Your security staff is clueless. I bet they like to block icmp echo-request too. If they really force

Re: Disable IPv6 on OpenBSD 4.0

2006-12-17 Thread carlopmart
Dave Anderson wrote: ** Reply to message from Jason Dixon [EMAIL PROTECTED] on Sun, 17 Dec 2006 15:17:01 -0500 On Dec 17, 2006, at 2:51 PM, carlopmart wrote: Yes, my security staff orders to disable IPv6 protocol on all our firewalls ... Your security staff is clueless. I bet they like

Re: Disable IPv6 on OpenBSD 4.0

2006-12-17 Thread carlopmart
Jason Dixon wrote: On Dec 17, 2006, at 2:51 PM, carlopmart wrote: Philip Guenther wrote: On 12/17/06, carlopmart [EMAIL PROTECTED] wrote: Somebody knows if exists some option to put on rc.conf file like FreeBSD does with ipv6_enable=NO option to disable IPv6 support on OpenBSD 4.0? Nope

Re: Disable IPv6 on OpenBSD 4.0 - forking discussion to icmp echo request blockage

2006-12-17 Thread Dag Richards
Jason Dixon wrote: On Dec 17, 2006, at 2:51 PM, carlopmart wrote: Philip Guenther wrote: On 12/17/06, carlopmart [EMAIL PROTECTED] wrote: Somebody knows if exists some option to put on rc.conf file like FreeBSD does with ipv6_enable=NO option to disable IPv6 support on OpenBSD 4.0

Re: Disable IPv6 on OpenBSD 4.0

2006-12-17 Thread Hannah Schroeter
Hi! On Sun, Dec 17, 2006 at 03:56:08PM -0500, Dave Anderson wrote: ** Reply to message from Jason Dixon [EMAIL PROTECTED] on Sun, 17 Dec 2006 15:17:01 -0500 On Dec 17, 2006, at 2:51 PM, carlopmart wrote: Yes, my security staff orders to disable IPv6 protocol on all our firewalls ... Your

Re: Disable IPv6 on OpenBSD 4.0 - forking discussion to icmp echo request blockage

2006-12-17 Thread Jason Dixon
On Dec 17, 2006, at 6:28 PM, Dag Richards wrote: Jason Dixon wrote: Your security staff is clueless. I bet they like to block icmp echo-request too. Erm, I don't think I am clueless, often a sign of cluelessness I am sure ... However. I block inbound icmp, well actually inbound

Re: Disable IPv6 on OpenBSD 4.0

2006-12-17 Thread Lars Hansson
On Monday 18 December 2006 00:31, carlopmart wrote: Somebody knows if exists some option to put on rc.conf file like FreeBSD does with ipv6_enable=NO option to disable IPv6 support on OpenBSD 4.0? Or do I need to recompile kernel, modify sendmail.cf, etc, etc, etc ...?? Depends on what you

Re: Disable IPv6 on OpenBSD 4.0 - forking discussion to icmp echo request blockage

2006-12-17 Thread Lars Hansson
On Monday 18 December 2006 07:28, Dag Richards wrote: What about this is cluelez? I ask in a tone not of belligerence, but a desire to be informed by my betters. Blocking icmp is a) totally pointless, and b) makes troubleshooting much more difficult. --- Lars Hansson

Re: Disable IPv6 on OpenBSD 4.0 - forking discussion to icmp echo request blockage

2006-12-17 Thread Dag Richards
Jason Dixon wrote: On Dec 17, 2006, at 6:28 PM, Dag Richards wrote: Jason Dixon wrote: Your security staff is clueless. I bet they like to block icmp echo-request too. Erm, I don't think I am clueless, often a sign of cluelessness I am sure ... However. I block inbound icmp, well

Re: Disable IPv6 on OpenBSD 4.0 - forking discussion to icmp echo request blockage

2006-12-17 Thread Jason Dixon
On Dec 17, 2006, at 11:03 PM, Dag Richards wrote: Jason Dixon wrote: On Dec 17, 2006, at 6:28 PM, Dag Richards wrote: Erm, I don't think I am clueless, often a sign of cluelessness I am sure ... However. I block inbound icmp, well actually inbound anything not shown to be required

Re: Disable IPv6 on OpenBSD 4.0 - forking discussion to icmp echo request blockage

2006-12-17 Thread Travers Buda
On Mon, 18 Dec 2006 00:34:20 -0500 Jason Dixon [EMAIL PROTECTED] wrote: You don't use icmp echo-request for your network operations? Do you think you're gaining something by filtering ping on your firewall? Amen... obey RFC 1122. 3.2.2.6 Echo Request/Reply: RFC-792 Every

Re: Disable IPv6 on OpenBSD 4.0 - forking discussion to icmp echo request blockage

2006-12-17 Thread Marco S Hyman
servers with services running we want public. Why should I allow someone to ping my dns server? If I'm having problems resolving a host address that is supposed to be handled by your server one of the first things I'll do is see if I have general connectivity to your server. I'll ping it.

Re: Disable IPv6 on OpenBSD 4.0 - forking discussion to icmp echo request blockage

2006-12-17 Thread Tony Abernethy
Marco S Hyman wrote: snip To me (and I'll be the first to admit that this is nothing but opinion and I won't pretend that my opinion is any better than yours) I see more harm than good in blocking icmp. I like it when other people tell me I've screwed something up because I can find it and

Re: Disable IPv6 on OpenBSD 4.0 - forking discussion to icmp echo request blockage

2006-12-17 Thread smith
On Sun, 17 Dec 2006 20:03:08 -0800, Dag Richards wrote Jason Dixon wrote: On Dec 17, 2006, at 6:28 PM, Dag Richards wrote: Jason Dixon wrote: Your security staff is clueless. I bet they like to block icmp echo-request too. Erm, I don't think I am clueless, often a sign