Hi Peter,
I am a newbie as well, but after some time banging my
head against walls I came up with my own 'silly'
pf.conf rules. I have included my rules at the end of
this email. I removed the extra rules (I think all of
them) and all you have to do is change the variable
names to whatever you
On Wed, Jan 19, 2005 at 02:07:10PM -0700, R T wrote:
Hello folks. Thanks to everyone who responded to my problem. The laptop can
use the internet now, however it won't resolve host names properly. For
example, it wouldn't connect to www.google.ca but it would to 64.233.167.104
Same for IRC,
Yeah, DNS wasn't set on the laptop, not too bright today. It's working fine now.
Now to learn about making it an actual firewall :) Thanks guys for the help!
R.T.
R T wrote:
Hello folks. Thanks to everyone who responded to my problem. The laptop can use the internet now, however it won't resolve host names properly. For example, it wouldn't connect to www.google.ca but it would to 64.233.167.104
Same for IRC, xhat wouldn't connect to eu.undernet.org but it
OOPS-
pf-r wrote:
where I've compliled a (now aging) list of
s/compliled/compiled
BTW, if anyone wants to submit pf.conf examples with accompanying 'pfctl
-sr' (or alternative) outputs for posting on the pf-r, visit #pf and
speak up.
-S
R T wrote:
Yeah, DNS wasn't set on the laptop, not too bright today. It's working fine now.
Now to learn about making it an actual firewall :) Thanks guys for the help!
R.T.
No problem, RT. Good luck.
rvb
Rod.. Whitworth ([EMAIL PROTECTED]) wrote:
On Tue, 28 Sep 2004 22:03:55 -0400, Greg Wooledge wrote:
Personally, I prefer not to reveal the usernames behind the client
connections I'm making, so I use nullidentd.
What's better about that than making the flags -Hole on the inetd
settings for
Lars Hansson wrote:
OpenBSD does this by default in inetd.conf.
Correction, it doesn't.
---
Lars Hansson
Greg Wooledge wrote:
Personally, I prefer not to reveal the usernames behind the client
connections I'm making, so I use nullidentd. It's very simplistic; it
just returns a constant string for all ident requests. (It doesn't
appear to be in ports; I simply grabbed the source code from
On Tue, 28 Sep 2004 22:03:55 -0400, Greg Wooledge wrote:
Personally, I prefer not to reveal the usernames behind the client
connections I'm making, so I use nullidentd. It's very simplistic; it
just returns a constant string for all ident requests. (It doesn't
appear to be in ports; I simply
[EMAIL PROTECTED] wrote:
http://www.clock.org/~fair/opinion/identd.html
Thanks for giving a link that nicely illustrates my point about people
not understanding what ident does:
The upshot of these assumptions is that when your system contacts the
identd server of a remote system, you can trust
On Sep 28, 2004, at 2:13 AM, Siju George wrote:
I changed the block-policy from return to drop. Now my ports except
113 are showing up as stealthed while testing from
http://www.grc.com/x/ne.dll?rh1dkyd2
The Port 113 was opened because the PF FAQ asked to open it for SMTP
Auth/Ident (TCP port
Hi Jason!
Thanks for the reply!
But if I can get port 113 also in adaptive stealth mode like Zonealarm
did then it would be better isn't it?
regards
Siju
On Tue, Sep 28, 2004 at 04:46:40PM +0530, Siju George wrote:
But if I can get port 113 also in adaptive stealth mode like Zonealarm
did then it would be better isn't it?
Not really. It can give a false sense of security, because you assume
the 'adaptive' part can't be tricked by the attacker.
on 28/9/04 12:16 pm, Siju George at [EMAIL PROTECTED] wrote:
Hi Jason!
Thanks for the reply!
But if I can get port 113 also in adaptive stealth mode like Zonealarm
did then it would be better isn't it?
If you're just trying to hide, then no. Personally I send RSTs on blocked
ports,
Hi Siju,
The Port 113 was opened because the PF FAQ asked to open it for SMTP
Auth/Ident (TCP port 113): used by some services such as SMTP and IRC.
ICMP Echo Requests: the ICMP packet type used by ping(8).
I know that this is in the pf faq but I don't think that you really need it. I
Siju George wrote:
I was using Zone Alarm before on a Windows 2000 Firewall. All its ports
were shown as Stealthed but still SMTP server access was possible!
So further digging I got this explanation from the website that
conducted the test.
Adaptive Stealthing means that when a TCP SYN packet
Thank you Oliver for the reply and explanation! It was very
informative. I'll also try the S/SAFR thing and see how it works!
God bless you
warm regards
Siju
I know that this is in the pf faq but I don't think that you really need it. I don't
know about IRC but you mentioned only SMTP on your side.
I'm running emailservers for years now and never ran an identd. And my clients don't
have an identd running either. I don't think that you need this
People who say identd is a source of severe information leakage do
not understand what ident does. If you feel paranoid, as I do, you can
always configure it to return random usernames.
---
Lars Hansson
Hi Lars! Thanks a lot for the reply! Will manpage for identd tell me
how to return
Siju George writes:
Hi Lars! Thanks a lot for the reply! Will manpage for identd tell me
how to return random usernames? Or could you please give me a link
where I can learn that?
http://www.clock.org/~fair/opinion/identd.html
Kevin writes:
Many IRC servers will drop sessions if they cannot talk to an ident
service on the originating end. If you don't want your users to be on
IRC; this could be considered as a benefit of blocking TCP/113 ;)
Doubtful with IRC servers today. Although I'm not privy to the details
of IRC
On 28 Sep 2004 10:50:02 -0700, [EMAIL PROTECTED] wrote:
You don't
need it, nothing now depends on it,
Not quite correct. Certain smtp, ftp and irc servers come to mind.
--
SB: Wait, you mean the costumes themselves give you super powers?
MM: Of course! Why else would we fly around in
On Tuesday, Sep 28, 2004, at 09:47 US/Pacific, [EMAIL PROTECTED]
wrote:
Kevin writes:
Many IRC servers will drop sessions if they cannot talk to an ident
service on the originating end. If you don't want your users to be
on IRC; this could be considered as a benefit of blocking TCP/113 ;)
On Tue, Sep 28, 2004 at 04:23:43PM -0700, Trevor Talbot wrote:
It is. It's a mitigating mechanism for many types of
worms/bots/whatever, since they aren't capable of poking holes in their
computer owner's broadband NAT device.
That's what UPnP is for, isn't it?
SCNR,
Daniel
On Tue, 2004-09-28 at 16:23:43 -0700, Trevor Talbot proclaimed...
It is. It's a mitigating mechanism for many types of
worms/bots/whatever, since they aren't capable of poking holes in their
computer owner's broadband NAT device.
Yea, sure. I've seen *many* bots with identd running happily
On Tuesday, Sep 28, 2004, at 16:34 US/Pacific, Daniel Hartmeier wrote:
On Tue, Sep 28, 2004 at 04:23:43PM -0700, Trevor Talbot wrote:
It is. It's a mitigating mechanism for many types of
worms/bots/whatever, since they aren't capable of poking holes in
their computer owner's broadband NAT
Siju George wrote:
Hi Lars! Thanks a lot for the reply! Will manpage for identd tell me
how to return random usernames? Or could you please give me a link
where I can learn that?
man identd, options -h and -H in particular.
OpenBSD does this by default in inetd.conf.
---
Lars Hansson
Volker Kindermann ([EMAIL PROTECTED]) wrote:
I'm running emailservers for years now and never ran an identd. And my
clients don't have an identd running either. I don't think that you need this
for smtp nowadays.
It's never been mandatory for SMTP. Some IRC servers do require it,
though.
I would like to know what I can do to improve my firewall ruleset. This exact set
protects my own internal LAN (8 computers), and includes P2P rules. I have similar
rulesets protecting other networks I have worked on, none with more than 300 clients
though.
# pF.conf working for Wall
Hiyas, although not strictly a pf question I
hope someone can answer this one for me
We have just been given a second routable
set of IPs for our servers as we hit capacity on our old one
In order to use these for NAT I obviously
need to bind the addresses to our
On Mon, Jan 13, 2003 at 03:11:36PM -, Dan Heaver wrote:
In order to use these for NAT I obviously need to bind the addresses to our
firewall's external interface...
They do however need a different gateway address, where do I specify this?
Is it something in my hostname.rl1 file?
Eek, that should keep me busy for a while :-~
-Original Message-
From: Daniel Hartmeier [mailto:[EMAIL PROTECTED]]
Sent: 13 January 2003 16:10
To: Dan Heaver
Cc: [EMAIL PROTECTED]
Subject: Re: adding a new subnet to my firewall
On Mon, Jan 13, 2003 at 03:11:36PM -, Dan Heaver wrote: