Re: Merits of purpose-built (appliance) vs. FreeBSD+ipfw firewalls

2003-01-18 Thread Scott Francis
On Thu, Jan 16, 2003 at 03:17:44PM -0800, [EMAIL PROTECTED] said: > > I am looking for comments and suggestions regarding the merits of > purpose-built, appliance style firewalls (like a netscreen or Cisco PIX) > vs. running ipfw on a commodity server running FreeBSD. I am interested > only in pa

Re: FW: Re: Is there a line of defense against Distributed Reflective attacks?

2003-01-18 Thread Daniel Senie
At 09:29 PM 1/17/2003, Christopher L. Morrow wrote: On Fri, 17 Jan 2003, Stewart, William C (Bill), RTLSL wrote: > > > > -Original Message- > From: Stewart, William C (Bill), RTLSL > Sent: Friday, January 17, 2003 5:35 PM > To: '[EMAIL PROTECTED]' > Subject: Re: Is there a line of def

Re: Merits of purpose-built (appliance) vs. FreeBSD+ipfw firewalls

2003-01-18 Thread Avleen Vig
On Sat, 18 Jan 2003, Scott Francis wrote: > > 2. I happen to like a host-based firewall (a firewall running on a normal > > user OS like FreeBSD) better than an appliance. You get to do anything > > you need with it, you have a full complement of unix tools like grep and > > awk and tcpdump and

Re: Merits of purpose-built (appliance) vs. FreeBSD+ipfw firewalls

2003-01-18 Thread Tony Kapela
On Sat, 18 Jan 2003, Scott Francis wrote: > > 2. I happen to like a host-based firewall (a firewall running on a normal > > user OS like FreeBSD) better than an appliance. You get to do anything > > you need with it, you have a full complement of unix tools like grep and > > awk and tcpdump an

Re: The Cidr Report

2003-01-18 Thread Hank Nussbacher
At 11:33 AM 17-01-03 -0500, Larry J. Blunk wrote: > > Previously, [EMAIL PROTECTED] ([EMAIL PROTECTED]) wrote: > > AS690521 326 19537.4% MERIT-AS-27 Merit Network Inc >. > > Come on, Susan, have your folks get with the program. :-) > > -- > Douglas A. Dever [EMAIL PROT

Re: Merits of purpose-built (appliance) vs. FreeBSD+ipfw firewalls

2003-01-18 Thread Avleen Vig
On Sat, 18 Jan 2003, Tony Kapela wrote: > I'm in total agreement as to the utility and significant > headache-reduction that a *bsd os (with real interactive editor > makes -- Vi for IOS must be too challenging). However, I do see a sore > spot. > One area that I've not seen much attention paid to

Re: Merits of purpose-built (appliance) vs. FreeBSD+ipfw firewalls

2003-01-18 Thread Richard A Steenbergen
> You may want to look into OpenBSD's new packet filter, pf(4). It's a > stateful filter, which, according to pf.conf(8), is usually faster than > a rule-based filter: ... > But I agree with Scott that a stateful packet filter like pf on OpenBSD or > ipf on FreeBSD is much better at this task.

Re: FW: Re: Is there a line of defense against Distributed Reflective attacks?

2003-01-18 Thread John Kristoff
On Sat, Jan 18, 2003 at 08:58:13AM -0500, Daniel Senie wrote: > While it's nice that router vendors implemented unicast RPF to make > configuration in some cases easier, using simple ACLs isn't necessarily > hard at the edges either. It might be nice if all router vendors were able to associate

Re: FW: Re: Is there a line of defense against Distributed Reflective attacks?

2003-01-18 Thread Christopher L. Morrow
On Sat, 18 Jan 2003, Daniel Senie wrote: > At 09:29 PM 1/17/2003, Christopher L. Morrow wrote: > >On Fri, 17 Jan 2003, Stewart, William C (Bill), RTLSL wrote: > > > > > > > > > > > > > > -Original Message- > > > From: Stewart, William C (Bill), RTLSL > > > Sent: Friday, January 17, 2003 5

Re: FW: Re: Is there a line of defense against Distributed Reflective attacks?

2003-01-18 Thread Rob Thomas
Hi, NANOGers. You just knew I couldn't stay out of this thread for long. ;) ] I'd note that UUNET also went through some pain to push CPE configs with ] 'good' passwds for telnet and enable, now there are tens (perhaps ] hundreds) of CPE routers with 'cisco' as the vty passwd... Don't During

Re: FW: Re: Is there a line of defense against Distributed Reflective attacks?

2003-01-18 Thread Avleen Vig
On Sat, 18 Jan 2003, Christopher L. Morrow wrote: > > Eliminating spoofed addresses from the backbone, even if it were possible > > to do 100%, would not eliminate denial of service attacks. The DDoS attacks > > This was precisely the point of Mr. Gill from AOL at the aforementioned > NANOG meeti

Re: Is there a line of defense against Distributed Reflective attacks?

2003-01-18 Thread Steven M. Bellovin
In message <[EMAIL PROTECTED]>, "David G. Andersen" writes: > >On Fri, Jan 17, 2003 at 01:11:14AM -0500, David G. Andersen mooed: >> >> b) Ioannidis and Bellovin proposed a mechanism called "Pushback" >> for automatically establishing router-based rate limits to >> staunch packet f

Re: Merits of purpose-built (appliance) vs. FreeBSD+ipfw firewalls

2003-01-18 Thread Scott Francis
On Sat, Jan 18, 2003 at 12:29:28PM -0500, [EMAIL PROTECTED] said: [snip] > As I understand OpenBSD's pf (which may not be complete so feel free to > point out if I'm wrong), it isn't actually doing anything to compile > normal packet lookups, it just added a non-sequential lookup engine for > the t

uunet

2003-01-18 Thread Scott Granados
Is something up on uunet tonight? It looks to me that dns is broken forward and reverse but more likely it looks like a bad bogon filter popped up suddenly. I have issues as soon as I leave mfn's network and hit uunet.

Re: uunet

2003-01-18 Thread David Diaz
I'm not seeing anything coming from qwest. At 16:55 -0800 1/18/03, Scott Granados wrote: Is something up on uunet tonight? It looks to me that dns is broken forward and reverse but more likely it looks like a bad bogon filter popped up suddenly. I have issues as soon as I leave mfn's network

Re: uunet

2003-01-18 Thread Scott Granados
What's interesting is that I just tried to call the noc and was told "We have to have you e-mail the group". My response: I can't, I have no route working to uunet. "Well you have to". My response: ok, I'll use someone else's mailbox, where do I mail? "We can't tell you, you're not a customer". My resp

Re: Merits of purpose-built (appliance) vs. FreeBSD+ipfw firewalls

2003-01-18 Thread Richard A Steenbergen
On Sat, Jan 18, 2003 at 03:48:03PM -0800, Scott Francis wrote: > On Sat, Jan 18, 2003 at 12:29:28PM -0500, [EMAIL PROTECTED] said: > [snip] > > As I understand OpenBSD's pf (which may not be complete so feel free to > > point out if I'm wrong), it isn't actually doing anything to compile > > norma

Re: Merits of purpose-built (appliance) vs. FreeBSD+ipfw firewalls

2003-01-18 Thread Stefan Paletta
[Mail-Followup-To points to the pf list] Tony Kapela wrote/schrieb/scripsit: > Forget all the ARP/ifconfig/heartbeat fudgery that'd be required to > achieve failover on *bsd with ipf/pf -- just finding a simple way to > move said state table from host to host seems interesting and > challenging.

Re: Is there a line of defense against Distributed Reflective attacks?

2003-01-18 Thread Sean Donelan
On Sat, 18 Jan 2003, Steven M. Bellovin wrote: > theory, trace a single packet. But the real problem with either idea > is this: suppose that you know, unambiguously and unequivocally, that > 750 zombies are attacking you. What do you do with that information? The reality is it's not 750 zombie

Re: Merits of purpose-built (appliance) vs. FreeBSD+ipfw firewalls

2003-01-18 Thread E.B. Dreger
AV> Date: Sat, 18 Jan 2003 08:41:15 -0800 (PST) AV> From: Avleen Vig AV> But I agree with Scott that a stateful packet filter like pf AV> on OpenBSD or ipf on FreeBSD is much better at this task. man ipfw /-state Eddy -- Brotsman & Dreger, Inc. - EverQuick Internet Division B

Re: Is there a line of defense against Distributed Reflective attacks?

2003-01-18 Thread E.B. Dreger
CLM> Date: Fri, 17 Jan 2003 05:16:43 + (GMT) CLM> From: Christopher L. Morrow CLM> Egress filters are a distraction... today you don't have to CLM> spoof. These are the red herring of 'security'. They're one component, but not the cure-all. With an increasing number of "h4x0r3d" hosts, ant

Re: Is there a line of defense against Distributed Reflective attacks?

2003-01-18 Thread Steven M. Bellovin
In message <[EMAIL PROTECTED]>, Sean Donelan writes: > >On Sat, 18 Jan 2003, Steven M. Bellovin wrote: >> theory, trace a single packet. But the real problem with either idea >> is this: suppose that you know, unambiguously and unequivocally, that >> 750 zombies are attacking you. What do you

Re: Is there a line of defense against Distributed Reflective attacks?

2003-01-18 Thread E.B. Dreger
SD> Date: Sat, 18 Jan 2003 21:22:14 -0500 (EST) SD> From: Sean Donelan SD> 1) Make end-user systems less vulnerable to being compromised With consumers, "cheap and easy" usually wins. More often than not, I hear "I don't care if someone breaks into my computer or my email, because I don't have

Re: FW: Re: Is there a line of defense against Distributed Reflective attacks?

2003-01-18 Thread Chris Adams
Once upon a time, John Kristoff <[EMAIL PROTECTED]> said: > It might be nice if all router vendors were able to associate the > interface configured address(es)/nets as a variable for ingress > filters. So for in the Cisco world, a simple example would be: > > interface Serial0 > ip addres

Re: FW: Re: Is there a line of defense against Distributed Reflective attacks?

2003-01-18 Thread Christopher L. Morrow
On Sat, 18 Jan 2003, Avleen Vig wrote: > On Sat, 18 Jan 2003, Christopher L. Morrow wrote: > > > > Eliminating spoofed addresses from the backbone, even if it were possible > > > to do 100%, would not eliminate denial of service attacks. The DDoS attacks > > > > This was precisely the point of M

Re: FW: Re: Is there a line of defense against Distributed Reflective attacks?

2003-01-18 Thread hc
Everyone probably knows... But if not -- just a reminder that you can also add access-list number after 'ip verify unicast reverse-path' to allow any hosts you think that should be able to get allowed through the filter :-) It's convenient when you are doing some mobileIP+vpn stuff in which som