On Wed, Oct 27, 1999 at 11:49:07AM -0400, Michael H. Warfield wrote:
> On Tue, Oct 26, 1999 at 11:25:15PM +0100, Steve Dodd wrote:

> > If I was in BOfH mode, I could argue that your firewall needs fixing. But
> > I'd never say anything controversial like that ;-) (Especially as I've not
> > checked the RFCs to see if this behaviour is really broken or not)
> 
>       It's not.

[1-4 accepted & snipped]

OK, it's a fair cop, guv, I'll come quietly ..

>       5) The local BOFHs may be under a security mandate that dictates that
> NO ICMP unreachables may be returned to prevent leakage of information
> regarding systems and services (ICMP host unreachable - no box.  ICMP port
> unreachable - box there no service).  That's why some of us have to use
> passive mode ftp as well (no reverse port connections).  Security policy
> trumps.  Firewall is not considered to be broken when it is implementing
> desired security policy.

Hmm, I'd chuck a big ", as long as the security policy is reasonable" on
the end of that.

>       6) Auth/ident can be spoofed.  Security/identity information returned
> by ident can NOT be trusted.  Fake "ident" servers are commonplace on the
> net right now.  Why bother with ident if you can't trust the data returned?

I've never thought of ident info as being useful for the person collecting it,
to be honest. The use I've had in mind is when you have to report abuse to
the admin of a multi-user box. Sure, you can say "one of your users attacked
[or whatever] us, *you* find out who it was", but if you can collect the
identd response and pass it along, it may expedite the process. The admin of
the box in question will know if binding to low-number ports is restricted
or not.

It could be argued that now multi-user boxes form (probably) such a small
proportion of all the machines out there, looking for ident data is a waste
of time. I'm not sure I would, though.

-- 
"Friends help you move.  Real friends help you move bodies."