Hi,
On Sun, 17.12.2006 at 22:09:43 +0100, Ingo Schwarze <[EMAIL PROTECTED]> wrote:
> If they really force you to conform to that kind
> of "security staff orders", minimize the breakage
> by using pf(4) - and pf only. In particular, do
> refrain from rolling your own kernel to remove IPv6.
havin
> Yes, you can use anything as a transport, probably even pidgeon
> carriers, but you need a receiving end to effect anything.
Indeed, see RFCs 1149 and 2549... two excellent april fools
on avian carriers!
> So, unless
> you fear that someone is able to install a trojan on your OpenBSD
> server b
Hi Dag,
I find myself pressed to rant a bit on the myths you spread because I
come across such arguments all too often, and they are, umm, unfounded.
On Sun, 17.12.2006 at 20:03:08 -0800, Dag Richards <[EMAIL PROTECTED]> wrote:
> Tools can be written to use icmp as a transport, obviously anything
On Monday 18 December 2006 19:29, Jon Radel wrote:
>
> I suppose it all comes down to such unresolvable matters such as "is
> making it harder for outsiders to map your network merely security
> through obscurity, which is naturally below the dignity of any right
> thinking network engineer, or doe
Dag Richards wrote:
> Such a user can use http or
>> better yet https as a transport as well or a floppy, usb hard drive,
>> usb tump
>> drive, and email (especially with an encrypted attachment so that your
>> filter
>> can see what it is). Hell they can print it out and carry it in their
>> br
> smith wrote:
Blocking icmp violates RFC rules which means in a nutshell weird things will
happen on your network.
Buda says :
"Amen... obey RFC 1122. "
RFC compliance is almost always a good reason to do something.
So I have learned something I apparently should already have known.
i.
* Dag Richards <[EMAIL PROTECTED]> [2006-12-18 06:10]:
> I block all inbound traffic to my networks not required for operations.
(most of) icmp qualifies as required for operations. especially
including echo-request and -reply.
--
Henning Brauer, [EMAIL PROTECTED], [EMAIL PROTECTED]
BS Web Serv
On Sun, 17 Dec 2006 20:03:08 -0800, Dag Richards wrote
> Jason Dixon wrote:
> > On Dec 17, 2006, at 6:28 PM, Dag Richards wrote:
> >
> >> Jason Dixon wrote:
> >>
> >>> Your security staff is clueless. I bet they like to block icmp
> >>> echo- request too.
> >>
> >>
> >> Erm, I am don't think I
Marco S Hyman wrote:
> To me (and I'll be the first to
> admit that this is nothing but opinion and I won't pretend that my opinion
> is any better than yours) I see more harm than good in blocking icmp.
> I like it when other people tell me I've screwed something up because I
> can find it and
> servers with services running we want public. Why should I allow
> someone to ping my dns server?
If I'm having problems resolving a host address that is supposed
to be handled by your server one of the first things I'll do is
see if I have general connectivity to your server. I'll ping it
On Mon, 18 Dec 2006 00:34:20 -0500
Jason Dixon <[EMAIL PROTECTED]> wrote:
>
> You don't use icmp echo-request for your network operations? Do you
> think you're gaining something by filtering ping on your firewall?
>
Amen... obey RFC 1122.
3.2.2.6 Echo Request/Reply: RFC-792
On Dec 17, 2006, at 11:03 PM, Dag Richards wrote:
Jason Dixon wrote:
On Dec 17, 2006, at 6:28 PM, Dag Richards wrote:
Erm, I am don't think I am clueless, often a sign of cluelessness
I am sure ... However. I block inbound icmp, well actually
inbound anything not shown to be required f
Jason Dixon wrote:
On Dec 17, 2006, at 6:28 PM, Dag Richards wrote:
Jason Dixon wrote:
Your security staff is clueless. I bet they like to block icmp
echo- request too.
Erm, I am don't think I am clueless, often a sign of cluelessness I
am sure ... However. I block inbound icmp, well
On Monday 18 December 2006 07:28, Dag Richards wrote:
> What about this is cluelez? I ask in a tone not of belligerence, but a
> desire to be informed by my betters.
Blocking icmp is a) totally pointless, and b) makes troubleshooting much more
difficult.
---
Lars Hansson
On Monday 18 December 2006 00:31, carlopmart wrote:
> Somebody knows if exists some option to put on rc.conf file like
> FreeBSD does with ipv6_enable="NO" option to disable IPv6 support on
> OpenBSD 4.0? Or do I need to recompile kernel, modify sendmail.cf, etc,
> etc, etc ...??
Depends on what
On Dec 17, 2006, at 6:28 PM, Dag Richards wrote:
Jason Dixon wrote:
Your security staff is clueless. I bet they like to block icmp
echo- request too.
Erm, I am don't think I am clueless, often a sign of cluelessness I
am sure ... However. I block inbound icmp, well actually inbound
any
Hi!
On Sun, Dec 17, 2006 at 03:56:08PM -0500, Dave Anderson wrote:
>** Reply to message from Jason Dixon <[EMAIL PROTECTED]> on Sun, 17
>Dec 2006 15:17:01 -0500
>>On Dec 17, 2006, at 2:51 PM, carlopmart wrote:
>>> Yes, my security staff orders to disable IPv6 protocol on all our
>>> firewalls
Jason Dixon wrote:
On Dec 17, 2006, at 2:51 PM, carlopmart wrote:
Philip Guenther wrote:
On 12/17/06, carlopmart <[EMAIL PROTECTED]> wrote:
Somebody knows if exists some option to put on rc.conf file like
FreeBSD does with ipv6_enable="NO" option to disable IPv6 support on
OpenBSD 4.0?
Jason Dixon wrote:
> On Dec 17, 2006, at 2:51 PM, carlopmart wrote:
>
>> Philip Guenther wrote:
>>> On 12/17/06, carlopmart <[EMAIL PROTECTED]> wrote:
Somebody knows if exists some option to put on rc.conf file like
FreeBSD does with ipv6_enable="NO" option to disable IPv6 support on
>>
Dave Anderson wrote:
> ** Reply to message from Jason Dixon <[EMAIL PROTECTED]> on Sun, 17
> Dec 2006 15:17:01 -0500
>
>> On Dec 17, 2006, at 2:51 PM, carlopmart wrote:
>>
>>> Yes, my security staff orders to disable IPv6 protocol on all our
>>> firewalls ...
>> Your security staff is clueless.
Jason Dixon wrote on Sun, Dec 17, 2006 at 03:17:01PM -0500:
> On Dec 17, 2006, at 2:51 PM, carlopmart wrote:
>> Yes, my security staff orders to disable IPv6 protocol
>> on all our firewalls ...
> Your security staff is clueless.
> I bet they like to block icmp echo-request too.
If they really f
* carlopmart <[EMAIL PROTECTED]> [2006-12-17 21:14]:
> Yes, my security staff orders to disable IPv6 protocol on all our firewalls
> ...
block quick inet6
--
Henning Brauer, [EMAIL PROTECTED], [EMAIL PROTECTED]
BS Web Services, http://bsws.de
Full-Service ISP - Secure Hosting, Mail and DNS Serv
** Reply to message from Jason Dixon <[EMAIL PROTECTED]> on Sun, 17
Dec 2006 15:17:01 -0500
>On Dec 17, 2006, at 2:51 PM, carlopmart wrote:
>
>> Yes, my security staff orders to disable IPv6 protocol on all our
>> firewalls ...
>
>Your security staff is clueless. I bet they like to block icmp e
On Dec 17, 2006, at 2:51 PM, carlopmart wrote:
Philip Guenther wrote:
On 12/17/06, carlopmart <[EMAIL PROTECTED]> wrote:
Somebody knows if exists some option to put on rc.conf file like
FreeBSD does with ipv6_enable="NO" option to disable IPv6 support on
OpenBSD 4.0?
Nope. No such option e
Philip Guenther wrote:
> On 12/17/06, carlopmart <[EMAIL PROTECTED]> wrote:
>> Somebody knows if exists some option to put on rc.conf file like
>> FreeBSD does with ipv6_enable="NO" option to disable IPv6 support on
>> OpenBSD 4.0?
>
> Nope. No such option exists in OpenBSD.
>
>
>> Or do I nee
** Reply to message from carlopmart <[EMAIL PROTECTED]> on Sun, 17
Dec 2006 17:31:03 +0100
> Somebody knows if exists some option to put on rc.conf file like
>FreeBSD does with ipv6_enable="NO" option to disable IPv6 support on
>OpenBSD 4.0? Or do I need to recompile kernel, modify sendmail.cf, et
On 12/17/06, carlopmart <[EMAIL PROTECTED]> wrote:
Somebody knows if exists some option to put on rc.conf file like
FreeBSD does with ipv6_enable="NO" option to disable IPv6 support on
OpenBSD 4.0?
Nope. No such option exists in OpenBSD.
Or do I need to recompile kernel, modify sendmail.cf
Hi all,
Somebody knows if exists some option to put on rc.conf file like
FreeBSD does with ipv6_enable="NO" option to disable IPv6 support on
OpenBSD 4.0? Or do I need to recompile kernel, modify sendmail.cf, etc,
etc, etc ...?? In other owrds, do I need to reconfigure all process that
need ipv6
28 matches
Mail list logo
