Re: Disable IPv6 on OpenBSD 4.0

2007-03-06 Thread Toni Mueller
Hi, On Sun, 17.12.2006 at 22:09:43 +0100, Ingo Schwarze <[EMAIL PROTECTED]> wrote: > If they really force you to conform to that kind > of "security staff orders", minimize the breakage > by using pf(4) - and pf only. In particular, do > refrain from rolling your own kernel to remove IPv6. havin

Re: Disable IPv6 on OpenBSD 4.0 - forking discussion to icmp echo request blockage

2006-12-21 Thread Igor Sobrado
> Yes, you can use anything as a transport, probably even pidgeon > carriers, but you need a receiving end to effect anything. Indeed, see RFCs 1149 and 2549... two excellent april fools on avian carriers! > So, unless > you fear that someone is able to install a trojan on your OpenBSD > server b

Re: Disable IPv6 on OpenBSD 4.0 - forking discussion to icmp echo request blockage

2006-12-21 Thread Toni Mueller
Hi Dag, I find myself pressed to rant a bit on the myths you spread because I come across such arguments all too often, and they are, umm, unfounded. On Sun, 17.12.2006 at 20:03:08 -0800, Dag Richards <[EMAIL PROTECTED]> wrote: > Tools can be written to use icmp as a transport, obviously anything

Re: Disable IPv6 on OpenBSD 4.0 - forking discussion to icmp echo request blockage

2006-12-21 Thread David Golden
On Monday 18 December 2006 19:29, Jon Radel wrote: > > I suppose it all comes down to such unresolvable matters such as "is > making it harder for outsiders to map your network merely security > through obscurity, which is naturally below the dignity of any right > thinking network engineer, or doe

Re: Disable IPv6 on OpenBSD 4.0 - forking discussion to icmp echo request blockage

2006-12-18 Thread Jon Radel
Dag Richards wrote: > Such a user can use http or >> better yet https as a transport as well or a floppy, usb hard drive, >> usb tump >> drive, and email (especially with an encrypted attachment so that your >> filter >> can see what it is). Hell they can print it out and carry it in their >> br

Re: Disable IPv6 on OpenBSD 4.0 - forking discussion to icmp echo request blockage

2006-12-18 Thread Dag Richards
> smith wrote: Blocking icmp violates RFC rules which means in a nutshell weird things will happen on your network. Buda says : "Amen... obey RFC 1122. " RFC compliance is almost always a good reason to do something. So I have learned something I apparently should already have known. i.

Re: Disable IPv6 on OpenBSD 4.0 - forking discussion to icmp echo request blockage

2006-12-18 Thread Henning Brauer
* Dag Richards <[EMAIL PROTECTED]> [2006-12-18 06:10]: > I block all inbound traffic to my networks not required for operations. (most of) icmp qualifies as required for operations. especially including echo-request and -reply. -- Henning Brauer, [EMAIL PROTECTED], [EMAIL PROTECTED] BS Web Serv

Re: Disable IPv6 on OpenBSD 4.0 - forking discussion to icmp echo request blockage

2006-12-17 Thread smith
On Sun, 17 Dec 2006 20:03:08 -0800, Dag Richards wrote > Jason Dixon wrote: > > On Dec 17, 2006, at 6:28 PM, Dag Richards wrote: > > > >> Jason Dixon wrote: > >> > >>> Your security staff is clueless. I bet they like to block icmp > >>> echo- request too. > >> > >> > >> Erm, I am don't think I

Re: Disable IPv6 on OpenBSD 4.0 - forking discussion to icmp echo request blockage

2006-12-17 Thread Tony Abernethy
Marco S Hyman wrote: > To me (and I'll be the first to > admit that this is nothing but opinion and I won't pretend that my opinion > is any better than yours) I see more harm than good in blocking icmp. > I like it when other people tell me I've screwed something up because I > can find it and

Re: Disable IPv6 on OpenBSD 4.0 - forking discussion to icmp echo request blockage

2006-12-17 Thread Marco S Hyman
> servers with services running we want public. Why should I allow > someone to ping my dns server? If I'm having problems resolving a host address that is supposed to be handled by your server one of the first things I'll do is see if I have general connectivity to your server. I'll ping it

Re: Disable IPv6 on OpenBSD 4.0 - forking discussion to icmp echo request blockage

2006-12-17 Thread Travers Buda
On Mon, 18 Dec 2006 00:34:20 -0500 Jason Dixon <[EMAIL PROTECTED]> wrote: > > You don't use icmp echo-request for your network operations? Do you > think you're gaining something by filtering ping on your firewall? > Amen... obey RFC 1122. 3.2.2.6 Echo Request/Reply: RFC-792

Re: Disable IPv6 on OpenBSD 4.0 - forking discussion to icmp echo request blockage

2006-12-17 Thread Jason Dixon
On Dec 17, 2006, at 11:03 PM, Dag Richards wrote: Jason Dixon wrote: On Dec 17, 2006, at 6:28 PM, Dag Richards wrote: Erm, I am don't think I am clueless, often a sign of cluelessness I am sure ... However. I block inbound icmp, well actually inbound anything not shown to be required f

Re: Disable IPv6 on OpenBSD 4.0 - forking discussion to icmp echo request blockage

2006-12-17 Thread Dag Richards
Jason Dixon wrote: On Dec 17, 2006, at 6:28 PM, Dag Richards wrote: Jason Dixon wrote: Your security staff is clueless. I bet they like to block icmp echo- request too. Erm, I am don't think I am clueless, often a sign of cluelessness I am sure ... However. I block inbound icmp, well

Re: Disable IPv6 on OpenBSD 4.0 - forking discussion to icmp echo request blockage

2006-12-17 Thread Lars Hansson
On Monday 18 December 2006 07:28, Dag Richards wrote: > What about this is cluelez? I ask in a tone not of belligerence, but a > desire to be informed by my betters. Blocking icmp is a) totally pointless, and b) makes troubleshooting much more difficult. --- Lars Hansson

Re: Disable IPv6 on OpenBSD 4.0

2006-12-17 Thread Lars Hansson
On Monday 18 December 2006 00:31, carlopmart wrote: > Somebody knows if exists some option to put on rc.conf file like > FreeBSD does with ipv6_enable="NO" option to disable IPv6 support on > OpenBSD 4.0? Or do I need to recompile kernel, modify sendmail.cf, etc, > etc, etc ...?? Depends on what

Re: Disable IPv6 on OpenBSD 4.0 - forking discussion to icmp echo request blockage

2006-12-17 Thread Jason Dixon
On Dec 17, 2006, at 6:28 PM, Dag Richards wrote: Jason Dixon wrote: Your security staff is clueless. I bet they like to block icmp echo- request too. Erm, I am don't think I am clueless, often a sign of cluelessness I am sure ... However. I block inbound icmp, well actually inbound any

Re: Disable IPv6 on OpenBSD 4.0

2006-12-17 Thread Hannah Schroeter
Hi! On Sun, Dec 17, 2006 at 03:56:08PM -0500, Dave Anderson wrote: >** Reply to message from Jason Dixon <[EMAIL PROTECTED]> on Sun, 17 >Dec 2006 15:17:01 -0500 >>On Dec 17, 2006, at 2:51 PM, carlopmart wrote: >>> Yes, my security staff orders to disable IPv6 protocol on all our >>> firewalls

Re: Disable IPv6 on OpenBSD 4.0 - forking discussion to icmp echo request blockage

2006-12-17 Thread Dag Richards
Jason Dixon wrote: On Dec 17, 2006, at 2:51 PM, carlopmart wrote: Philip Guenther wrote: On 12/17/06, carlopmart <[EMAIL PROTECTED]> wrote: Somebody knows if exists some option to put on rc.conf file like FreeBSD does with ipv6_enable="NO" option to disable IPv6 support on OpenBSD 4.0?

Re: Disable IPv6 on OpenBSD 4.0

2006-12-17 Thread carlopmart
Jason Dixon wrote: > On Dec 17, 2006, at 2:51 PM, carlopmart wrote: > >> Philip Guenther wrote: >>> On 12/17/06, carlopmart <[EMAIL PROTECTED]> wrote: Somebody knows if exists some option to put on rc.conf file like FreeBSD does with ipv6_enable="NO" option to disable IPv6 support on >>

Re: Disable IPv6 on OpenBSD 4.0

2006-12-17 Thread carlopmart
Dave Anderson wrote: > ** Reply to message from Jason Dixon <[EMAIL PROTECTED]> on Sun, 17 > Dec 2006 15:17:01 -0500 > >> On Dec 17, 2006, at 2:51 PM, carlopmart wrote: >> >>> Yes, my security staff orders to disable IPv6 protocol on all our >>> firewalls ... >> Your security staff is clueless.

Re: Disable IPv6 on OpenBSD 4.0

2006-12-17 Thread Ingo Schwarze
Jason Dixon wrote on Sun, Dec 17, 2006 at 03:17:01PM -0500: > On Dec 17, 2006, at 2:51 PM, carlopmart wrote: >> Yes, my security staff orders to disable IPv6 protocol >> on all our firewalls ... > Your security staff is clueless. > I bet they like to block icmp echo-request too. If they really f

Re: Disable IPv6 on OpenBSD 4.0

2006-12-17 Thread Henning Brauer
* carlopmart <[EMAIL PROTECTED]> [2006-12-17 21:14]: > Yes, my security staff orders to disable IPv6 protocol on all our firewalls > ... block quick inet6 -- Henning Brauer, [EMAIL PROTECTED], [EMAIL PROTECTED] BS Web Services, http://bsws.de Full-Service ISP - Secure Hosting, Mail and DNS Serv

Re: Disable IPv6 on OpenBSD 4.0

2006-12-17 Thread Dave Anderson
** Reply to message from Jason Dixon <[EMAIL PROTECTED]> on Sun, 17 Dec 2006 15:17:01 -0500 >On Dec 17, 2006, at 2:51 PM, carlopmart wrote: > >> Yes, my security staff orders to disable IPv6 protocol on all our >> firewalls ... > >Your security staff is clueless. I bet they like to block icmp e

Re: Disable IPv6 on OpenBSD 4.0

2006-12-17 Thread Jason Dixon
On Dec 17, 2006, at 2:51 PM, carlopmart wrote: Philip Guenther wrote: On 12/17/06, carlopmart <[EMAIL PROTECTED]> wrote: Somebody knows if exists some option to put on rc.conf file like FreeBSD does with ipv6_enable="NO" option to disable IPv6 support on OpenBSD 4.0? Nope. No such option e

Re: Disable IPv6 on OpenBSD 4.0

2006-12-17 Thread carlopmart
Philip Guenther wrote: > On 12/17/06, carlopmart <[EMAIL PROTECTED]> wrote: >> Somebody knows if exists some option to put on rc.conf file like >> FreeBSD does with ipv6_enable="NO" option to disable IPv6 support on >> OpenBSD 4.0? > > Nope. No such option exists in OpenBSD. > > >> Or do I nee

Re: Disable IPv6 on OpenBSD 4.0

2006-12-17 Thread Dave Anderson
** Reply to message from carlopmart <[EMAIL PROTECTED]> on Sun, 17 Dec 2006 17:31:03 +0100 > Somebody knows if exists some option to put on rc.conf file like >FreeBSD does with ipv6_enable="NO" option to disable IPv6 support on >OpenBSD 4.0? Or do I need to recompile kernel, modify sendmail.cf, et

Re: Disable IPv6 on OpenBSD 4.0

2006-12-17 Thread Philip Guenther
On 12/17/06, carlopmart <[EMAIL PROTECTED]> wrote: Somebody knows if exists some option to put on rc.conf file like FreeBSD does with ipv6_enable="NO" option to disable IPv6 support on OpenBSD 4.0? Nope. No such option exists in OpenBSD. Or do I need to recompile kernel, modify sendmail.cf

Disable IPv6 on OpenBSD 4.0

2006-12-17 Thread carlopmart
Hi all, Somebody knows if exists some option to put on rc.conf file like FreeBSD does with ipv6_enable="NO" option to disable IPv6 support on OpenBSD 4.0? Or do I need to recompile kernel, modify sendmail.cf, etc, etc, etc ...?? In other owrds, do I need to reconfigure all process that need ipv6