Load balancing DHCP (dsl and cable)

2004-09-28 Thread Matt Sellers
Hi guys... I tried to use the example in PF's FAQ for load balancing between two DHCP connections in my apartment. From the results of my efforts I can only assume the second connection just isn't being used at all. I also think I'm having problems with my default gateway because traffic is not

Re: How do I change my firewall ports to stealth mode?

2004-09-28 Thread Jason Dixon
On Sep 28, 2004, at 2:13 AM, Siju George wrote: I changed the block-policy from return to drop. Now my ports except 113 are showing up as stealthed while testing from http://www.grc.com/x/ne.dll?rh1dkyd2 The Port 113 was opened because the PF FAQ asked to open it for SMTP Auth/Ident (TCP port

Re: How do I change my firewall ports to stealth mode?

2004-09-28 Thread Siju George
Hi Jason! Thanks for the reply! But if I can get port 113 also in adaptive stealth mode like Zonealarm did then it would be better isn't it? regards Siju

Re: How do I change my firewall ports to stealth mode?

2004-09-28 Thread Daniel Hartmeier
On Tue, Sep 28, 2004 at 04:46:40PM +0530, Siju George wrote: But if I can get port 113 also in adaptive stealth mode like Zonealarm did then it would be better isn't it? Not really. It can give a false sense of security, because you assume the 'adaptive' part can't be tricked by the attacker.

Re: How do I change my firewall ports to stealth mode?

2004-09-28 Thread Oliver Humpage
on 28/9/04 12:16 pm, Siju George at [EMAIL PROTECTED] wrote: Hi Jason! Thanks for the reply! But if I can get port 113 also in adaptive stealth mode like Zonealarm did then it would be better isn't it? If you're just trying to hide, then no. Personally I send RSTs on blocked ports,

Re: How do I change my firewall ports to stealth mode?

2004-09-28 Thread Volker Kindermann
Hi Siju, The Port 113 was opened because the PF FAQ asked to open it for SMTP Auth/Ident (TCP port 113): used by some services such as SMTP and IRC. ICMP Echo Requests: the ICMP packet type used by ping(8). I know that this is in the pf faq but I don't think that you really need it. I

Re: How do I change my firewall ports to stealth mode?

2004-09-28 Thread Lars Hansson
Siju George wrote: I was using Zone Alarm before on a Windows 2000 Firewall. All its ports were shown as Stealthed but still SMTP server access was possible! So further digging I got this explanation from the website that conducted the test. Adaptive Stealthing means that when a TCP SYN packet

Re: How do I change my firewall ports to stealth mode?

2004-09-28 Thread Siju George
Thank you Oliver for the reply and explanation! It was very informative. I'll also try the S/SAFR thing and see how it works! God bless you warm regards Siju

Re: How do I change my firewall ports to stealth mode?

2004-09-28 Thread Siju George
I know that this is in the pf faq but I don't think that you really need it. I don't know about IRC but you mentioned only SMTP on your side. I'm running email servers for years now and never ran an identd. And my clients don't have an identd running either. I don't think that you need this

Re: How do I change my firewall ports to stealth mode?

2004-09-28 Thread Siju George
People who say identd is a source of severe information leakage do not understand what ident does. If you feel paranoid, as I do, you can always configure it to return random usernames. --- Lars Hansson Hi Lars! Thanks a lot for the reply! Will the manpage for identd tell me how to return

Re: How do I change my firewall ports to stealth mode?

2004-09-28 Thread interval
Siju George writes: Hi Lars! Thanks a lot for the reply! Will the manpage for identd tell me how to return random usernames? Or could you please give me a link where I can learn that? http://www.clock.org/~fair/opinion/identd.html

block-policy default?

2004-09-28 Thread Peter Matulis
I have not set my block policy (via set options) but when I do $ sudo pfctl -sr | grep block all the results begin with block drop with the exception where I overrode it with block return for two rules. Yet the man page does not speak of a default block-policy. ~~ Peter

More Ident nonsense

2004-09-28 Thread interval
At the risk of belaboring the point I see nothing in an RFC that mentions ident in relation to mail or any other service. At most was this entry in a man page I found for some NAT impl: Some system administrators configure Mail Servers, Telnet Servers and others to send an IDENT request to the

Re: How do I change my firewall ports to stealth mode?

2004-09-28 Thread interval
Kevin writes: Many IRC servers will drop sessions if they cannot talk to an ident service on the originating end. If you don't want your users to be on IRC; this could be considered as a benefit of blocking TCP/113 ;) Doubtful with IRC servers today. Although I'm not privy to the details of IRC

Re: More Ident nonsense

2004-09-28 Thread Daniel Hartmeier
Kevin explained it nicely in http://marc.theaimsgroup.com/?l=openbsd-pfm=109639153330355 Daniel

Re: block-policy default?

2004-09-28 Thread Daniel Hartmeier
On Tue, Sep 28, 2004 at 03:09:42PM -0400, Peter Matulis wrote: Yet the man page does not speak of a default block-policy. It mentions that drop is default for block: block The packet is blocked. There are a number of ways in which a block rule can behave when blocking a

Re: How do I change my firewall ports to stealth mode?

2004-09-28 Thread Greg Hennessy
On 28 Sep 2004 10:50:02 -0700, [EMAIL PROTECTED] wrote: You don't need it, nothing now depends on it, Not quite correct. Certain smtp, ftp and irc servers come to mind. -- SB: Wait, you mean the costumes themselves give you super powers? MM: Of course! Why else would we fly around in

Re: block-policy default?

2004-09-28 Thread Peter Matulis
--- Daniel Hartmeier [EMAIL PROTECTED] wrote: On Tue, Sep 28, 2004 at 03:09:42PM -0400, Peter Matulis wrote: Yet the man page does not speak of a default block-policy. It mentions that drop is default for block: block The packet is blocked. There are a number of ways

Re: Load balancing DHCP (dsl and cable)

2004-09-28 Thread Remy Heiden
Hi Matt, I'm definitely no expert, but I noticed that both int_if = bge0 *and* ext_if2 = bge0. This might pose a problem. For the rest I can only say that I think your DSL modem also does NAT (IP=192.168.0.1) and that leads me to believe that this is the connection not being used.

Re: More Ident nonsense

2004-09-28 Thread interval
Daniel Hartmeier writes: Kevin explained it nicely in http://marc.theaimsgroup.com/?l=openbsd-pfm=109639153330355 He has; While the identd service is not *mandatory* on servers which send outbound SMTP email, many remote SMTP servers will query identd when your machine connects as an SMTP

Re: block-policy default?

2004-09-28 Thread Remy Heiden
On Tue, 28 Sep 2004 16:21:55 -0400 (EDT), Peter Matulis [EMAIL PROTECTED] wrote: --- Daniel Hartmeier [EMAIL PROTECTED] wrote: On Tue, Sep 28, 2004 at 03:09:42PM -0400, Peter Matulis wrote: Yet the man page does not speak of a default block-policy. It mentions that drop is

Re: How do I change my firewall ports to stealth mode?

2004-09-28 Thread Trevor Talbot
On Tuesday, Sep 28, 2004, at 09:47 US/Pacific, [EMAIL PROTECTED] wrote: Kevin writes: Many IRC servers will drop sessions if they cannot talk to an ident service on the originating end. If you don't want your users to be on IRC; this could be considered as a benefit of blocking TCP/113 ;)

Re: How do I change my firewall ports to stealth mode?

2004-09-28 Thread Daniel Hartmeier
On Tue, Sep 28, 2004 at 04:23:43PM -0700, Trevor Talbot wrote: It is. It's a mitigating mechanism for many types of worms/bots/whatever, since they aren't capable of poking holes in their computer owner's broadband NAT device. That's what UPnP is for, isn't it? SCNR, Daniel

Re: How do I change my firewall ports to stealth mode?

2004-09-28 Thread eric-list-pf
On Tue, 2004-09-28 at 16:23:43 -0700, Trevor Talbot proclaimed... It is. It's a mitigating mechanism for many types of worms/bots/whatever, since they aren't capable of poking holes in their computer owner's broadband NAT device. Yea, sure. I've seen *many* bots with identd running happily

pf stuffing sendmail?

2004-09-28 Thread A
Hey all I don't know if this is a pf question but I think pf might be causing it so here comes the question. I have recently started to notice a stack of the following popping up on the logging server from the border firewall. It runs OBSD 3.5 with a pf ruleset. The log messages (usually

Re: How do I change my firewall ports to stealth mode?

2004-09-28 Thread Trevor Talbot
On Tuesday, Sep 28, 2004, at 16:34 US/Pacific, Daniel Hartmeier wrote: On Tue, Sep 28, 2004 at 04:23:43PM -0700, Trevor Talbot wrote: It is. It's a mitigating mechanism for many types of worms/bots/whatever, since they aren't capable of poking holes in their computer owner's broadband NAT

Re: How do I change my firewall ports to stealth mode?

2004-09-28 Thread Lars Hansson
Siju George wrote: Hi Lars! Thanks a lot for the reply! Will the manpage for identd tell me how to return random usernames? Or could you please give me a link where I can learn that? man identd, options -h and -H in particular. OpenBSD does this by default in inetd.conf. --- Lars Hansson

Re: How do I change my firewall ports to stealth mode?

2004-09-28 Thread Greg Wooledge
Volker Kindermann ([EMAIL PROTECTED]) wrote: I'm running emailservers for years now and never ran an identd. And my clients don't have an identd running either. I don't think that you need this for smtp nowadays. It's never been mandatory for SMTP. Some IRC servers do require it, though.

Re: Load balancing DHCP (dsl and cable)

2004-09-28 Thread Tiago Pierezan Camargo
On Tue, 2004-09-28 at 02:00, Matt Sellers wrote: B. Can I statically route any ports/protocols over a certain interface from NAT? Yes, you can. Just add some port/host constraint to your pass in on $int_if rules. Ex.: pass in on $in_if route-to ($ext_if1 $ext_gw1) \ proto tcp

Re: Load balancing DHCP (dsl and cable)

2004-09-28 Thread Matt Sellers
Hey guys, network diagram as such: The firewall has three interfaces (re0 = cable) (fxp0 = dsl) (bge0 = 10.0.0.0/24). NOTE: Both cable and DSL are DHCP so I'm kind of confused when some rules require an upstream gateway as an argument. I can usually get this by DHCP'ing and seeing what my