From owner-firewalls-outgoing Thu May 1 00:43:04 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id XAA25536 for firewalls-outgoing; Wed, 30 Apr 1997 23:52:12 -0700 (PDT)
Received: from palrel1.hp.com (palrel1.hp.com [15.253.72.10]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id XAA25514; Wed, 30 Apr 1997 23:52:04 -0700 (PDT)
From: CHRISTIAN_STAHL@HP-Denmark-om1.om.hp.com
Received: from stamp.brussels.hp.com (stamp.brussels.hp.com [15.184.0.125]) by palrel1.hp.com with ESMTP (8.7.5/8.7.3) id XAA28941; Wed, 30 Apr 1997 23:53:35 -0700 (PDT)
Received: from by stamp.brussels.hp.com with SMTP (1.37.109.16/15.5+ECS 3.4 Openmail) id AA272859613; Thu, 1 May 1997 08:53:33 +0200
X-Openmail-Hops: 1
Date: Thu, 1 May 97 08:52:50 +0200
Message-Id:
In-Reply-To: <331527D9.3281@chipnet.cz>
Subject: MS NetMeeting 2.0 and Raptor Eagle vers. 4.0
Mime-Version: 1.0
To: firewalls@GreatCircle.COM, firewalls-owner@GreatCircle.COM
Cc: STAHL_CHRISTIAN/HP-Denmark_om1@stamp.brussels.hp.com
Content-Type: text/plain; charset=US-ASCII; name="MS"
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hey everybody,

Does anyone know how to set up Raptor Eagle version 4.0, running on NT 4.0, to MS NetMeeting?

I hope that someone can help me.
Best Regards

Christian Stahl

From owner-firewalls-outgoing Thu May 1 00:46:14 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id XAA18106 for firewalls-outgoing; Wed, 30 Apr 1997 23:15:49 -0700 (PDT)
Received: from reflections.eng.mindspring.net (reflections.eng.mindspring.net [207.69.183.9]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id XAA18062 for ; Wed, 30 Apr 1997 23:15:30 -0700 (PDT)
Received: (qmail 14338 invoked by uid 514); 1 May 1997 06:17:01 -0000
Date: Thu, 1 May 1997 02:17:01 -0400 (EDT)
From: Todd Graham Lewis
To: Sean McPherson
cc: firewalls@greatcircle.com
Subject: Re: NT vs Linux IP Performance
In-Reply-To: <199704301218.IAA28974@ha1.ntr.net>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Wed, 30 Apr 1997, Sean McPherson wrote:

> Just wanted to ask what you thought about the server running
> a PCMCIA card. How much does this figure in? A lot of NT drivers for
> PCMCIA seem to be crap, so I wasn't sure how to take this info :)

Yeah, I did sort of overlook that in my comments. If the driver is crap, then it's obviously not a fair test. You might want to try something standard like an SMC. (I would say 3com, but you want something both standard and decent.
8^)

__
Todd Graham Lewis    MindSpring Enterprises    tlewis@mindspring.com

From owner-firewalls-outgoing Thu May 1 01:19:55 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id XAA20291 for firewalls-outgoing; Wed, 30 Apr 1997 23:26:56 -0700 (PDT)
Received: from reflections.eng.mindspring.net (reflections.eng.mindspring.net [207.69.183.9]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id XAA20266 for ; Wed, 30 Apr 1997 23:26:49 -0700 (PDT)
Received: (qmail 14397 invoked by uid 514); 1 May 1997 06:28:19 -0000
Date: Thu, 1 May 1997 02:28:19 -0400 (EDT)
From: Todd Graham Lewis
To: Chris Pugrud
cc: Firewalls Mailing list
Subject: RE: NT vs Linux FTP Performance
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Wed, 30 Apr 1997, Chris Pugrud wrote:

> If I get really bored I will build a 100BT crossover cable and test a
> little more formally.

I'd love to see those numbers.

> I felt that filling a 10BT pipe was more than adequate because this is a
> firewalls forum and most of us do not have the joy of T3 or better
> connections.

Speak for yourself. 8^)

> I apologize for adding to already poor S/N ratio on the firewalls list.

No problem from this end; signal just fine.
__
Todd Graham Lewis    MindSpring Enterprises    tlewis@mindspring.com

From owner-firewalls-outgoing Thu May 1 01:24:27 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id XAA17963 for firewalls-outgoing; Wed, 30 Apr 1997 23:14:39 -0700 (PDT)
Received: from reflections.eng.mindspring.net (reflections.eng.mindspring.net [207.69.183.9]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id XAA17936 for ; Wed, 30 Apr 1997 23:14:32 -0700 (PDT)
Received: (qmail 14333 invoked by uid 514); 1 May 1997 06:16:00 -0000
Date: Thu, 1 May 1997 02:16:00 -0400 (EDT)
From: Todd Graham Lewis
To: Darren Reed
cc: arager@mcgraw-hill.com, firewalls@GreatCircle.COM
Subject: Re: NT vs Linux IP Performance
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Wed, 30 Apr 1997, Darren Reed wrote:

> Well, how about umounting the filesystem after each "get" and then
> mounting it again before the next ?

That'd probably help eliminate the FS aspect of the performance stats.

> Obviously Linux is doing some sort of disk caching and now you're
> seeing that. Obviously NT doesn't do much caching of disk IO (or
> at least by default).

Or, with only 32 MB of RAM and a 10 MB file, NT might not have enough space to cache the file. (If it is caching based on some LRU algorithm, then the file will keep overwriting itself unless there's at least 10MB free.)
__
Todd Graham Lewis    MindSpring Enterprises    tlewis@mindspring.com

From owner-firewalls-outgoing Thu May 1 01:39:40 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id XAA22350 for firewalls-outgoing; Wed, 30 Apr 1997 23:37:40 -0700 (PDT)
Received: from reflections.eng.mindspring.net (reflections.eng.mindspring.net [207.69.183.9]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id XAA22326 for ; Wed, 30 Apr 1997 23:37:32 -0700 (PDT)
Received: (qmail 14440 invoked by uid 514); 1 May 1997 06:39:03 -0000
Date: Thu, 1 May 1997 02:39:03 -0400 (EDT)
From: Todd Graham Lewis
Reply-To: Todd Graham Lewis
To: Bob Beck
cc: Firewalls Mailing List
Subject: Re: NT vs Linux FTP Performance
In-Reply-To: <199704301709.LAA08819@snouts.obtuse.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Wed, 30 Apr 1997, Bob Beck wrote:

> This thread is neat and interesting. I even like
> it. Unfortunately the whole discussion is awfully far removed from
> firewalls. Could we please agree to take it somewhere else like
> comp.os.linux? It's a neat topic, but it really doesn't belong here.
> I would love to participate and even post numbers, but not in this
> forum where it is inappropriate.

First of all, if you're worried about the S/N, you could have refrained from including about 11k worth of the discussion in your message.

Secondly, for those of us who deal with firewall scaling issues, as well as firewalls which see a lot of traffic or operate in high-bandwidth environs, this matter is very pertinent. Let your users know that they're directly connected to multiple T3s with only the firewall in between and see if you don't have performance concerns.
__
Todd Graham Lewis    MindSpring Enterprises    tlewis@mindspring.com

From owner-firewalls-outgoing Thu May 1 01:56:35 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id XAA21730 for firewalls-outgoing; Wed, 30 Apr 1997 23:34:23 -0700 (PDT)
Received: from reflections.eng.mindspring.net (reflections.eng.mindspring.net [207.69.183.9]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id XAA21682 for ; Wed, 30 Apr 1997 23:34:10 -0700 (PDT)
Received: (qmail 14417 invoked by uid 514); 1 May 1997 06:35:39 -0000
Date: Thu, 1 May 1997 02:35:39 -0400 (EDT)
From: Todd Graham Lewis
To: David LeBlanc
cc: firewalls@GreatCircle.COM
Subject: Re: NT vs Linux IP Performance
In-Reply-To: <2.2.32.19970430212815.01a54ffc@mail.iss.net>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Wed, 30 Apr 1997, David LeBlanc wrote:

> >Here's another contributing factor. I have seen two studies (one of which
> >was a very good Usenix paper) which conclude that EXT2 is the fastest file
> >system on the planet.
>
> Is there a faster one off the planet?
>
> 8-P

Hey, you guys have C2 stuff (logging, hit counts, etc.) on NTFS that we'd love to have on EXT2. I didn't say EXT2 was better, only that it was faster. 8^)

> >It's not the FTP server; Linux automatically caches file system accesses
> >at the filesystem-driver layer.
>
> Don't you guys cache network I/O?

I'm not quite sure what you mean by that in this context. We cache NFS info, but I'm not sure what an FTP server could cache other than FS data. Maybe I missed something. Actually, maybe I'm just dense.

> >I am astounded that NT does not cache filesystem data.
>
> I am astounded that you think NT does not cache FS data.

Yeah, I'm astounded that I worded that so poorly.

> yes, it could have very different results. Those 2 registry settings
> cascade a tremendous number of tuning differences. The server is tuned to
> ignore the console to service network requests, and the workstation is just
> the opposite.
> Not a matter of IP performance, but a matter of who gets more time slices,
> and in fact, how long the time slices are.

OK, I can see that. So get the registry munger that turns WS into Server, rerun the tests (with the 90 other changes suggested on the list), and post the results. This is fun; I can't believe that Russ didn't take me up on my offer to do this head-on.

__
Todd Graham Lewis    MindSpring Enterprises    tlewis@mindspring.com

From owner-firewalls-outgoing Thu May 1 02:54:32 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id CAA23925 for firewalls-outgoing; Thu, 1 May 1997 02:41:39 -0700 (PDT)
Received: from flex.flex.ro (flex.flex.ro [193.230.255.2]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id CAA23860 for ; Thu, 1 May 1997 02:41:20 -0700 (PDT)
Received: from powercore.flex.ro (dial05.flex.ro [193.230.255.105]) by flex.flex.ro (8.7.5/8.7.3) with ESMTP id MAA27555 for ; Thu, 1 May 1997 12:33:19 +0300
Message-Id: <199705010933.MAA27555@flex.flex.ro>
From: "The RiSC Team - Powerman"
To:
Subject: OFF Topic : Sorry
Date: Thu, 1 May 1997 12:41:27 +0300
X-MSMail-Priority: Normal
X-Priority: 3
X-Mailer: Microsoft Internet Mail 4.70.1155
MIME-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

This is Off topic , but any1 know a Delphi mailing list ?

Thanx

Best Regards ,
Viorel Dehelean AKA Powerman - Risc Team
vdehelean@flex.ro
powerm@usa.net
http://www.flex.ro/RISC
http://www.geocities.com/ResearchTriangle/6773
Tel. Home : 039-615151
Tel. Work : 039-641841
"To code or not to code"

From owner-firewalls-outgoing Thu May 1 04:39:27 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id EAA01837 for firewalls-outgoing; Thu, 1 May 1997 04:28:05 -0700 (PDT)
Received: from mail.ka.inka.de (quechua.inka.de [193.197.84.5]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id EAA01823 for ; Thu, 1 May 1997 04:27:55 -0700 (PDT)
Received: from uu.inka.de ([193.197.84.8]) by mail.ka.inka.de with smtp (ident root using rfc1413) id m0wMtyR-0004GhC (Debian Smail-3.2 1996-Jul-4 #2); Thu, 1 May 1997 13:24:31 +0200 (MET DST)
Received: from lina.inka.de (lists@lina.inka.de) by uu.inka.de with bsmtp (S3.1.29.1) id ; Thu, 1 May 97 13:24 MET DST
Received: by lina.inka.de id m0wMkm4-00016mC (Debian Smail-3.2 1996-Jul-4 #2); Thu, 1 May 1997 03:34:48 +0200 (CEST)
Message-Id:
Date: Thu, 1 May 1997 03:34:46 +0200
From: Bernd Eckenfels
To: Adam Shostack
Cc: Eric Vyncke , dbrooks@i2020.net, Firewalls@GreatCircle.COM
Subject: Re: Cisco PIX and Remote Access? (FW-1?)
References: <2.2.32.19970429122715.0075c438@brussels.cisco.com> <199704300016.UAA28814@homeport.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 0.67
In-Reply-To: <199704300016.UAA28814@homeport.org>; from Adam Shostack on Tue, Apr 29, 1997 at 08:16:22PM -0400
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hello Adam,

On Apr 29, Adam Shostack wrote
> Eric Vyncke wrote:
> | With the random TCP sequence number, this TCP/IP connection
> | cannot be hijacked
>
> Don't you mean to say that the connection can only be hijacked if the
> attacker can sniff along one of the links over which the connection is
> occurring?

Yes, that's right. Random TCP sequence numbers means "random initial sequence numbers". This will protect you from guessing the ISN for a TCP handshake. If you can guess the first TCP packet, you can do IP spoofing for any address and establish a TCP connection.
This is completely unrelated to Hijacking. With hijacking you simply sniff the current sequence numbers, try to get the original host out of sync and continue the existing connection yourself. Random ISNs won't protect you. (They will protect you from blind hijacking, but I'm not aware that this is a practical security problem anyway).

Greetings
Bernd

--
  (OO)      -- Bernd_Eckenfels@Wittumstrasse13.76646Bruchsal.de --
 ( .. )  ecki@{inka.de,linux.de,debian.org}  http://home.pages.de/~eckes/
  o--o     *plush*  2048/93600EFD  eckes@irc  +4972573817  BE5-RIPE
(O____O)       If privacy is outlawed only Outlaws have privacy

From owner-firewalls-outgoing Thu May 1 05:24:30 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id FAA05628 for firewalls-outgoing; Thu, 1 May 1997 05:21:12 -0700 (PDT)
Received: from afsusexch.SKANDIA.COM ([206.103.7.4]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id FAA05621 for ; Thu, 1 May 1997 05:21:07 -0700 (PDT)
Received: by afsusexch.SKANDIA.COM with SMTP (Microsoft Exchange Server Internet Mail Connector Version 4.0.994.63) id <01BC5608.4EF46D60@afsusexch.SKANDIA.COM>; Thu, 1 May 1997 08:18:54 -0400
Message-ID:
From: "Tollgard, Nic"
To: "'Baris Cenberci'" , "'Eric Vyncke'"
Cc: "'firewalls@GreatCircle.COM'"
Subject: RE: Opinions on Cisco PIX product?
Date: Thu, 1 May 1997 08:18:53 -0400
X-Mailer: Microsoft Exchange Server Internet Mail Connector Version 4.0.994.63
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

>> Cisco says that PIX is getting the places of both application level
>> gateways and packet filtering routers. But it has many lack of abilities
>> (As I've mentioned before) as logging and authorization, and it is not a
>> 5 minute configurable product if you have long access lists. It's only a
>> non-routing, well developed router for filtering and NAT (and
>> encryption), but not anymore... (Not covering the whole firewall
>> co routers already make most of these...
>
>
>[Tollgard, Nic]
>I can't say that I agree. PIX together with the Private I utility provides
>quite good reporting.
>
>Authorization is handled by TACACS or RADIUS. It's "WEB configurable" to make
>accesslists etc. easier.
>
>My $0.02.......
>
>Nic

From owner-firewalls-outgoing Thu May 1 05:59:30 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id FAA07728 for firewalls-outgoing; Thu, 1 May 1997 05:49:28 -0700 (PDT)
Received: from mail.clark.net (mail.clark.net [168.143.0.10]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id FAA07688 for ; Thu, 1 May 1997 05:49:13 -0700 (PDT)
Received: from clark.net (badguy@explorer.clark.net [168.143.0.7]) by mail.clark.net (8.8.5/8.6.5) with ESMTP id IAA11586 for ; Thu, 1 May 1997 08:50:25 -0400 (EDT)
Received: from localhost (badguy@localhost) by clark.net (8.8.5/8.7.1) with SMTP id IAA28821 for ; Thu, 1 May 1997 08:50:46 -0400 (EDT)
X-Authentication-Warning: clark.net: badguy owned process doing -bs
Date: Thu, 1 May 1997 08:50:45 -0400 (EDT)
From: Jeff Man
To: Firewalls@GreatCircle.COM
Subject: Re: Firewalls-Digest V6 #194
In-Reply-To: <199705010800.BAA04771@honor.greatcircle.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Thu, 1 May 1997, Firewalls-Digest wrote:

>
> Firewalls-Digest         Thursday, May 1 1997         Volume 06 : Number 194
>
>
>
> In this issue:
>
>       MS NetMeeting 2.0 and Raptor Eagle vers. 4.0
>       Re: NT vs Linux IP Performance
>
> See the end of the digest for information on subscribing to the Firewalls
> or Firewalls-Digest mailing lists and on how to retrieve back issues.
>
> ----------------------------------------------------------------------
>
> Date: Thu, 1 May 97 08:52:50 +0200
> From: CHRISTIAN_STAHL@HP-Denmark-om1.om.hp.com
> Subject: MS NetMeeting 2.0 and Raptor Eagle vers. 4.0
>
> Hey everybody,
>
> Does anyone know how to set up Raptor Eagle version 4.0, running on NT
> 4.0, to MS NetMeeting?
>
> I hope that someone can help me.
>
> Best Regards
>
> Christian Stahl
>
> ------------------------------
>
> Date: Thu, 1 May 1997 02:17:01 -0400 (EDT)
> From: Todd Graham Lewis
> Subject: Re: NT vs Linux IP Performance
>
> On Wed, 30 Apr 1997, Sean McPherson wrote:
>
> > Just wanted to ask what you thought about the server running
> > a PCMCIA card. How much does this figure in? A lot of NT drivers for
> > PCMCIA seem to be crap, so I wasn't sure how to take this info :)
>
> Yeah, I did sort of overlook that in my comments. If the driver is crap,
> then it's obviously not a fair test. You might want to try something
> standard like an SMC. (I would say 3com, but you want something both
> standard and decent. 8^)
>
> __
> Todd Graham Lewis    MindSpring Enterprises    tlewis@mindspring.com
>
> ------------------------------
>
> End of Firewalls-Digest V6 #194
> *******************************
>
> To unsubscribe from Firewalls-Digest, send the following command
> in the body of a message to "Majordomo@GreatCircle.COM":
>
>     unsubscribe firewalls-digest
>
> If you want to subscribe or unsubscribe an address other than the
> account the mail is coming from, such as a local redistribution list,
> then append that address to the command; for example, to subscribe
> "local-firewalls":
>
>     subscribe firewalls-digest local-firewalls@your.domain.net
>
> A non-digest (direct mail) version of this list is also available; to
> subscribe to that instead, replace all instances of "firewalls-digest"
> in the commands above with "firewalls".
>
> Compressed back issues are available for anonymous FTP from
> FTP.GreatCircle.COM, in pub/firewalls/digest/vNN.nMMM.Z (where "NN"
> is the volume number, and "MMM" is the issue number).
>

From owner-firewalls-outgoing Thu May 1 06:45:29 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id GAA12434 for firewalls-outgoing; Thu, 1 May 1997 06:36:49 -0700 (PDT)
Received: from brimstone.rnb.com (brimstone.rnb.com [204.178.80.14]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id GAA12425 for ; Thu, 1 May 1997 06:36:42 -0700 (PDT)
Received: by brimstone.rnb.com; id JAA23477; Thu, 1 May 1997 09:38:13 -0400
Received: from relay.rnb.com(199.99.101.2) by brimstone.rnb.com via smap (3.2) id xma023464; Thu, 1 May 97 09:38:10 -0400
Received: from monarch.rnb.com (monarch [150.1.33.146]) by relay.rnb.com (8.8.5/8.8.4) with SMTP id JAA12921; Thu, 1 May 1997 09:38:09 -0400 (EDT)
Comments: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Comments: Internet Message: Sender identity is not verified.
Comments: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Message-ID:
X-Mailer: XFMail 1.1 [p0] on Solaris
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 8bit
MIME-Version: 1.0
In-Reply-To: <01BC5589.8D19F3A0@jeaton.pc.galt.com>
Date: Thu, 01 May 1997 09:32:49 -0400 (EDT)
Organization: Republic National Bank
From: Ken Kempster
To: Jeffrey Eaton
Subject: RE: configuring automated email on a dialup link.
Cc: firewalls , fwtk
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On 30-Apr-97 Jeffrey Eaton wrote:
>A better solution would be to set up dial-on-demand on the firewall. The
>connection would then come up automatically for _any_ network activity which
>requires it. (Presumably, you have already set up the firewall to only allow
>authorized traffic in and out...)
>
>The same firewall could then also do news, web, etc... all on demand.
>
>What OS are you using?

This is on SunOS4.1.4 with ppp2.3b3

There is a dial-on-demand feature in ppp2.3b3 but it is for use with static IP addressing not dynamic.
>
>-jeaton
>
>----------
>From: Ken Kempster[SMTP:kempster@monarch.rnb.com]
>Sent: Wednesday, April 30, 1997 5:06 PM
>To: fwtk; firewalls
>Subject: configuring automated email on a dialup link.
>
>[To be removed from this list send the message "unsubscribe fwtk-users" in the
>BODY of a mail message to majordomo@ex.tis.com.]
>
>
>Has anyone configured the FWTK/SMAP/SMAPD on a
>box which utilizes an ISDN connection to the NET?
>
>What I want to happen is when an email is sent to the firewall
>for delivery, the link to the NET is checked and if it's
>not up it will bring it up before trying to deliver the email.
>
>What I was thinking was customizing the mqueue script to check
>for ISDN status and have it bring up the ISDN if need be.
>
>If anyone has already done this, any ideas are welcome.
>
>
>thanx.
>
>
>|~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~|
>| Ken Kempster          kempster@monarch.rnb.com          |
>| Network Systems Engineer                _\|/_           |
>| Republic National Bank                  (o o)           |
>~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~oOO-(_)-OOo~~~~~~~~~~~~~~
>
>

|~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~|
| Ken Kempster          kempster@monarch.rnb.com          |
| Network Systems Engineer                _\|/_           |
| Republic National Bank                  (o o)           |
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~oOO-(_)-OOo~~~~~~~~~~~~~~

From owner-firewalls-outgoing Thu May 1 07:10:22 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id GAA15053 for firewalls-outgoing; Thu, 1 May 1997 06:58:31 -0700 (PDT)
Received: from hcat.epcorp.com (test.epcorp.com [206.112.200.2]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id GAA15046 for ; Thu, 1 May 1997 06:58:25 -0700 (PDT)
Received: from eppcmcw.eapi.com by hcat.epcorp.com id aa01161; 1 May 97 9:56 EDT
Message-Id: <3.0.32.19970501100515.006b8098@mail.epcorp.com>
X-Sender: martinw@mail.epcorp.com
X-Mailer: Windows Eudora Pro Version 3.0 (32)
Date: Thu, 01 May 1997 10:05:16 -0400
To: fw1-mailinglist@us.checkpoint.com, firewalls@greatcircle.com
From: "Martin C. Walker"
Subject: SATAN on Solaris 2.5 x86 HELLLLLLP !!
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Ok, enough is enough. I've pissed away a week now trying to get SATAN together on an x86 Solaris 2.5.1 box and haven't even got Perl to compile yet. Can anyone help me out with working binaries etc

TIA frustrated !

--------------------------------------------------------------------------
Martin C. Walker    | martinw@epcorp.com   | PP-ASEL,IFR AA5-A 9908U
Project Lead        | (513)629-2517        | Blue Belt Okinawan Shuri-Ryu
Eagle-Picher Inc.   | Fax: (513)629-2449   | Porsche 911SC
580 Walnut St,      | Cincinnati, OH 45202 |

From owner-firewalls-outgoing Thu May 1 07:16:53 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id GAA13783 for firewalls-outgoing; Thu, 1 May 1997 06:46:45 -0700 (PDT)
Received: from out1.ibm.net (out1.ibm.net [165.87.194.252]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id GAA13774 for ; Thu, 1 May 1997 06:46:39 -0700 (PDT)
Received: (from uucp@localhost) by out1.ibm.net (8.6.9/8.6.9) id NAA326453 for ; Thu, 1 May 1997 13:48:10 GMT
Received: from slip129-37-238-170.mn.us.ibm.net(129.37.238.170) by out1.ibm.net via smap (V1.3mjr) id sma_4MC92; Thu May 1 13:46:55 1997
Message-ID: <33689EA0.622F@urbantechnology.com>
Date: Thu, 01 May 1997 08:46:09 -0500
From: "Urban A. Haas"
Organization: Urban Technology, Inc.
X-Mailer: Mozilla 3.01 (Win95; I)
MIME-Version: 1.0
To: firewalls@greatcircle.com
Subject: Firewalls for non-IP protocols
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Are there any firewalls that can extend beyond IP protecting SNA and IPX without encapsulation - or at least encrypting the data? (Or is the encryption portion a different issue altogether?)
I have some that are becoming interested in using this kind of technology over their frame-relay links to protect snooping from telco or telco mishaps, etc. I know I can run IP-based Netware, DLS (Data-Link Switching), etc to get a totally-IP based network to accomplish this, but this kind of digs into some firewall vendor's suggestions that their devices be used on Intranets also. The difference, to me being, support for other network protocols.

Maybe the best bet is encryption of some kind of all data between point a and point b, ignoring protocols, but I am curious as to anyone's particular experience.

Cheers,
Urban

--
Urban A. Haas
CEO - Urban Technology, Inc.
E-mail: uhaas@urbantechnology.com (mailto:uhaas@urbantechnology.com)
Phone: (612) 938-2610

From owner-firewalls-outgoing Thu May 1 07:24:55 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id HAA17870 for firewalls-outgoing; Thu, 1 May 1997 07:22:54 -0700 (PDT)
Received: from l0pht.com (l0pht.com [199.201.145.1]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id HAA17859 for ; Thu, 1 May 1997 07:22:41 -0700 (PDT)
Received: from localhost (weld@localhost) by l0pht.com (8.8.3/8.6.9) with SMTP id IAA01591; Thu, 1 May 1997 08:31:40 -0400 (EDT)
Date: Thu, 1 May 1997 08:31:39 -0400 (EDT)
From: Weld Pond
To: Dennis Roberts , "'ntsecurity@iss.net'"
cc: "'firewalls@greatcircle.com'"
Subject: [NTSEC] Re: L0pht Scanning - Beware
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I think it is great that the report of someone being scanned from l0pht has started an ethical debate about scanning.

A few people have been scanned from what appeared to be l0pht.com. We are investigating this. The scans are NOT being done by any l0pht member and appear to be originating from somewhere else. We have 2 confirmed reports of scanning. If anyone knows of another please send any logs, etc. to me.
This is obviously a volatile issue because it has blown way out of proportion.

An easy way to do port scans that appear to come from somewhere else is to use a tool like netcat and set the source address to wherever you want the source of the scan to appear to come from. You need to create another network interface with the bogus source address on your machine, then do something like:

    nc -v -z -w 2 -s 10.0.0.2 199.99.99.99 130-140

This will scan ports 130-140 at 199.99.99.99. If someone is logging the scan it will appear to come from 10.0.0.2. You will not get the results of this scan however.

Netcat for NT (and Unix) is available at http://www.l0pht.com/~weld/netcat/

There are some sophisticated ways of bouncing scans through other services. I will let those who know these techniques better than me explain them.

Weld Pond  -  weld@l0pht.com  -  http://www.l0pht.com/~weld
L 0 p h t   H e a v y   I n d u s t r i e s
Technical archives for the people - Bio/Electro/Crypto/Radio

From owner-firewalls-outgoing Thu May 1 08:53:10 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id HAA22350 for firewalls-outgoing; Thu, 1 May 1997 07:52:51 -0700 (PDT)
Received: from pebbles.gtri.gatech.edu (pebbles.gtri.gatech.edu [130.207.204.13]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id HAA22294 for ; Thu, 1 May 1997 07:52:39 -0700 (PDT)
Received: from jones (107-thomaston.alltel.net [206.229.146.107]) by pebbles.gtri.gatech.edu (8.8.5/8.8.5) with SMTP id KAA24189; Thu, 1 May 1997 10:55:47 -0400 (EDT)
Message-Id: <199705011455.KAA24189@pebbles.gtri.gatech.edu>
Comments: Authenticated sender is
From: "Jim Jones"
To: Neil Readwin
Date: Thu, 1 May 1997 10:55:38 +0000
MIME-Version: 1.0
Content-type: text/plain; charset=US-ASCII
Content-transfer-encoding: 7BIT
Subject: RE: Need help getting IP traffic through a router.
CC: firewalls@GreatCircle.COM
References: <31557D725263D011B53A0060974FB8DC028B0D@sla_nt2.sla.com>
In-reply-to:
X-mailer: Pegasus Mail for Win32 (v2.52)
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> On Wed, 30 Apr 1997, Bill Stackpole wrote:
> > I know of no product that could use ICMP as a transport for a tunnel.
> > (Hummm, interesting....).
>
> If you mean that you cannot go to MS, Sun, Cisco or other vendors and
> ask for IP over ICMP tunnelling software then I would agree that there
> are no products.
>
> TCP over ICMP is (handwave, handwave) just TCP over IP with a small
> MTU. It would be useful (if you wanted to get through a large set of
> filtering firewalls), therefore it has been written.

Is the code freely available somewhere?

-Jim

From owner-firewalls-outgoing Thu May 1 09:18:02 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id HAA21425 for firewalls-outgoing; Thu, 1 May 1997 07:46:09 -0700 (PDT)
Received: from dresden.bmc.com (dresden.bmc.com [198.64.253.250]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id HAA21358 for ; Thu, 1 May 1997 07:45:52 -0700 (PDT)
Received: (from uucp@localhost) by dresden.bmc.com (8.8.5/8.8.5) id JAA12029 for ; Thu, 1 May 1997 09:45:32 -0500 (CDT)
Received: from erehwon.bmc.com(172.19.1.156) by dresden.bmc.com via smap (3.2) id xma011918; Thu, 1 May 97 09:45:18 -0500
Received: from erehwon.bmc.com (localhost [127.0.0.1]) by erehwon.bmc.com (8.8.5/8.8.5) with ESMTP id JAA26871; Thu, 1 May 1997 09:47:12 -0500
Message-Id: <199705011447.JAA26871@erehwon.bmc.com>
X-Mailer: exmh version 2.0gamma 1/27/96
X-Face: #_4U^`J"d9XQ8Cp7!HaZE=}I^B(;F]!}L})]#-@%<6%5<}##,`z!n7M>
To: Tim Wood
cc: Ken Kempster , fwtk , firewalls
Subject: Re: configuring automated email on a dialup link.
In-reply-to: Your message of "Wed, 30 Apr 1997 16:23:07 PDT."
             <3367D45B.5845@earthlink.net>
Reply-to: hdevore@bmc.com
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Date: Thu, 01 May 1997 09:47:11 -0500
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

tim_wood@earthlink.net said:
> The ISDN setups I've seen use on-demand dialing, that is, the link
> layer sees a packet heading for the ISDN interface, and initiates a
> call on the interface. That call normally connects and a PPP
> handshake begins. It links to the other point and voila, you have
> your route. IOW, you may not have any work to do (wonder of wonders.)

That's how my ISDN setup works, but then my ISDN "interface device" is a completely separate box (Ascend Pipeline 75 www.ascend.com for info) on my home Ethernet. The Pipeline 75 can be an IP router, an IPX router, or a bridge. My employer sets them up as bridges, validates connections via Caller ID, and has an IP and IPX router at the office between "us" and the rest of the company net.

Hal

From owner-firewalls-outgoing Thu May 1 09:21:11 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id IAA24885 for firewalls-outgoing; Thu, 1 May 1997 08:09:25 -0700 (PDT)
Received: from onshore.com (irc.onShore.com [206.69.88.1]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id IAA24848 for ; Thu, 1 May 1997 08:09:14 -0700 (PDT)
Received: (from craig@localhost) by onshore.com (8.8.5/8.7.3) id KAA21798; Thu, 1 May 1997 10:11:59 -0500
Date: Thu, 1 May 1997 10:11:59 -0500
From: Craig Brozefsky
Subject: Re: [NTSEC] RE: L0pht Scanning - Beware
To: Dennis Roberts
cc: "'inskeep_chris@geologics.com'" , "'firewalls@greatcircle.com'" , "'ntsecurity@iss.net'"
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Mon, 28 Apr 1997, Dennis Roberts wrote:

> I see your point. Until there is a group of "real security people" what
> should be done? Nothing?
Give up computers, or start running an OS you have source code to and do your own source scans. No such thing as "real security people" anyways. Craig Brozefsky craig@onshore.com onShore Inc. http://www.onshore.com/~craig Development Team p_priority=PFUN+(p_work/4)+(2*p_cash) From owner-firewalls-outgoing Thu May 1 09:24:49 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id IAA26703 for firewalls-outgoing; Thu, 1 May 1997 08:27:48 -0700 (PDT) Received: from mail.siemenscom.com (mail.siemenscom.com [206.154.192.2]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id IAA26669 for ; Thu, 1 May 1997 08:27:33 -0700 (PDT) Received: from pobox.rolm.com (gate.siemenscom.com [206.154.192.3]) by mail.siemenscom.com (8.8.5/8.6.10) with ESMTP id IAA09332 for ; Thu, 1 May 1997 08:26:47 -0700 (PDT) Received: from x400gate.rolm.com by pobox.rolm.com (X.400 to RFC822 Gateway); Thu, 1 May 1997 08:28:41 -0700 X400-Received: by mta ROLM-MTA in /c=US/admd=MCI/prmd=SCN/; Relayed; 01 May 1997 08:28:40 -0700 X400-Received: by /c=US/admd=MCI/prmd=SCN/; Relayed; 01 May 1997 08:28:40 -0700 X400-MTS-Identifier: [/c=US/admd=MCI/prmd=SCN/; 0740D3368B6A8036-ROLM-MTA] Content-Identifier: 0740D3368B6A8036 Content-Return: Allowed X400-Content-Type: P2-1988 ( 22 ) Conversion: Allowed Original-Encoded-Information-Types: IA5-Text Disclose-Recipients: Prohibited Alternate-Recipient: Allowed X400-Originator: Edwin.Pon@pnna.rolm.com X400-Recipients: non-disclosure; Message-Id: <"0740D3368B6A8036*/c=US/admd=MCI/prmd=SCN/o=ROLM/ou=SC/ou=MSMail Users/s=Pon/g=Edwin/"@MHS> Date: 01 May 1997 08:28:40 -0700 From: "Pon, Edwin" To: "smtp:firewalls-digest@greatcircle.com" (IPM Return requested) Subject: who are you? MIME-Version: 1.0 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk I'm an email administrator at my company and am trying to track down some undeliverable message problems. 
firewalls-digest@greatcircle.com seems to be related to some email that is not being delivered to Larry Sherman. Larry Sherman left our company over a year ago and apparently left a few loose ends that need cleaning up. If you are a real person, or an extremely intelligent machine, what is this firewall-digest thing?

Thank you for your help.

From owner-firewalls-outgoing Thu May 1 09:47:34 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id HAA17364 for firewalls-outgoing; Thu, 1 May 1997 07:19:11 -0700 (PDT)
Received: from ford.gbnet.org (ford.gbnet.org [192.188.96.10]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id HAA17336 for ; Thu, 1 May 1997 07:19:04 -0700 (PDT)
Received: (from steve@localhost) by ford.gbnet.org (8.7.1/8.6.12) id PAA08404; Thu, 1 May 1997 15:18:39 +0100 (BST)
From: Steve Kennedy
Message-Id: <199705011418.PAA08404@ford.gbnet.org>
Subject: Re: configuring automated email on a dialup link.
To: kempster@monarch.rnb.com (Ken Kempster)
Date: Thu, 1 May 1997 15:18:39 +0100 (BST)
Cc: fwtk-users@tis.com, firewalls@GreatCircle.COM
In-Reply-To: from "Ken Kempster" at Apr 30, 97 12:37:23 pm
X-Mailer: ELM [version 2.4 PL25]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

According to Ken Kempster
> Has anyone configured the FWTK/SMAP/SMAPD on a
> box which utilizes an ISDN connection to the NET?
> What I want to happen is when an email is sent to the firewall
> for delivery, the link to the NET is checked and if it's
> not up it will bring it up before trying to deliver the email.
> What I was thinking was customizing the mqueue script to check
> for ISDN status and have it bring up the ISDN if need be.
> If anyone has already done this, any ideas are welcome.

You could always use qmail, which supports maildir format. External mail can then be 'queued' to a maildir. When a connection to the ISP is established, another program called maildir2smtp can be run, which will then take all the maildir stored mail and send it out via smtp ... The maildir2smtp can be run from the login script or wherever is suitable.

See http://www.qmail.org/ for more details.

Steve

--
home steve@gbnet.org * Flat 2, 43 Howitt Road, Belsize Pk, London NW3 4LU
work steve@demon.net * tel +44-(0)171 483 1169 FAX +44-(0)181 444 6103
www http://www.gbnet.net/ * bits steve@gbnet.net * Orange mobile +44-(0)973 600050
Euro firewall info - send mail to majordomo@gbnet.net (subscribe firewalls-uk)

From owner-firewalls-outgoing Thu May 1 10:23:49 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id IAA25637 for firewalls-outgoing; Thu, 1 May 1997 08:18:03 -0700 (PDT)
Received: from majestix.skp.de (majestix.skp.de [194.163.133.195]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id IAA25618 for ; Thu, 1 May 1997 08:17:50 -0700 (PDT)
Received: from maestro (maestro.skp.de [194.163.133.201]) by majestix.skp.de (8.7.5/8.7.3) with SMTP id QAA07107; Thu, 1 May 1997 16:25:20 +0200
Date: Thu, 01 May 1997 17:18:31 +0100
To: Richard Heuft
From: Oliver Lau
Cc:
Subject: Re: slow e-mail clients with packet-filter
In-Reply-To: <199704291440.OAA02433@mail.eurosys.nl>
References: <199704291440.OAA02433@mail.eurosys.nl>
Message-Id: <3368D067211.0DCB.lau@mabi.de>
MIME-Version: 1.0
Content-Type: text/plain
Content-Transfer-Encoding: 7bit
X-Mailer: Becky! ver 1.20
X-Priority: 2
X-MSMail-Priority: High
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Tue, 29 Apr 1997 16:39:40 +0200 "Richard Heuft" wrote:
> Hello All,
>
> At my site we use a dedicated e-mail server (running SCO OpenServer 5.02)
> to send and receive mail from the internet. Between our internal ethernet
> and the mail-server is a Linux packetfilter (ipfwadm) with SMTP and POP3
> forwarding enabled. When we send/receive e-mail with Win95 clients using
> Microsoft internet e-mail client, the POP3 connections are fast but sending
> with SMTP is slow. It takes a while before it sends but when it does it's
> fast. I've got the feeling that something more than port 25 and 110 are
> needed for the delivery that the client does. I checked port 113 (auth) but
> that didn't seem to help, any ideas ??

In brief: The reason that POP3 connections are fast is very simple: the client has to find out whom to connect to via the domain name services. This lookup is done very fast, because the name server is normally located in the local area network, and even if it is 'behind' the firewall router on your Linux-box, latency time is short.

If you are sending e-mail per smtp, the mailer has to resolve the host name to an IP address. This action may take a while, because it is possible that the host name entry has not been cached yet by the name server. This can be a reason for the delay prior to the delivery process to the next mail relay host.

Hope this helps!
Regards,
Oliver

From owner-firewalls-outgoing Thu May 1 10:38:45 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id HAA15879 for firewalls-outgoing; Thu, 1 May 1997 07:08:30 -0700 (PDT)
Received: from xyzzy.plugh.edmonton.ab.ca (xyzzy.plugh.edmonton.ab.ca [198.161.22.2]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id HAA15860 for ; Thu, 1 May 1997 07:08:20 -0700 (PDT)
Received: (from uucp@localhost) by xyzzy.plugh.edmonton.ab.ca (8.6.12/8.6.9) id IAA22311; Thu, 1 May 1997 08:09:50 -0600
Received: from snouts-gw.obtuse.com(192.168.30.61), claiming to be "snouts.obtuse.com" via SMTP by mailhost.plugh.edmonton.ab.ca, id smtpd22309aaa; Thu May 1 08:09:40 1997
Received: (from beck@localhost) by snouts.obtuse.com (8.7.5/8.7.3) id IAA10765; Thu, 1 May 1997 08:09:40 -0600
From: Bob Beck
Message-Id: <199705011409.IAA10765@snouts.obtuse.com>
Subject: Re: NT vs Linux FTP Performance
To: lists@reflections.eng.mindspring.net
Date: Thu, 1 May 1997 08:09:38 -0600 (MDT)
Cc: beck@obtuse.com, firewalls@GreatCircle.COM
In-Reply-To: from "Todd Graham Lewis" at May 1, 97 02:39:03 am
X-Mailer: ELM [version 2.4 PL25]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> First of all, if you're worried about the S/N, you could have refrained
> from including about 11k worth of the discussion in your message.
>

Yes, point taken.

> Secondly, for those of us who deal with firewall scaling issues, as well
> as firewalls which see a lot of traffic or operate in high-bandwidth
> environs, this matter is very pertinent. Let your users know that they're
> directly connected to multiple T3s with only the firewall in between and
> see if you don't have performance concerns.
>

I'm not saying you don't Todd, but we don't discuss relative performance differences in CPU's, or of NIC's or other such stuff on this list, and they all matter in these cases too. There are more appropriate forums for that. Security professionals should be able to deal with performance issues in a relevant forum, and deal with issues related to firewalls here. This thread isn't. It's a simple comparison of Linux and NT on general network performance issues.

-Bob

From owner-firewalls-outgoing Thu May 1 11:27:35 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id IAA28043 for firewalls-outgoing; Thu, 1 May 1997 08:51:41 -0700 (PDT)
Received: from tmpil001.tmp.allied.com (tmpil001.tmp.allied.com [198.80.19.2]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id IAA28031 for ; Thu, 1 May 1997 08:51:27 -0700 (PDT)
Received: by tmpil001.tmp.allied.com id AA09740 (InterLock SMTP Gateway 3.0 for firewalls@greatcircle.com); Thu, 1 May 1997 08:52:57 -0700
Received: by tmpil001.tmp.allied.com (Internal Mail Agent-1); Thu, 1 May 1997 08:52:57 -0700
Message-Id:
From: "Markle, David W."
To: Jaime Blanco
Cc: "'firewalls@greatcircle.com'"
Subject: RE: RAPTOR
Date: Thu, 1 May 1997 08:47:33 -0700
X-Mailer: Microsoft Exchange Server Internet Mail Connector Version 4.0.994.63
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

First, is the 2501 inside or outside the firewall? The firewall will not allow ICMP (ping) through (if in fact the 2501 is outside the firewall).

On the workstation (PC), set the default gateway to the IP address of the OUTSIDE interface on the firewall. (This is assuming that the router is outside the firewall.)

>----------
>From: Jaime Blanco[SMTP:jaime@blanco.com]
>Sent: Wednesday, April 30, 1997 2:04 PM
>To: '1126f930@adp-es.com'; 'alan@gi.net'; 'firewalls@GreatCircle.COM';
>'hauke@ctd.com'; 'info@raptor.com'; 'lists@reflections.mindspring.com';
>'luk@tele.gl'; 'martinq@indigo.ie'; 'mike@esr.com'; 'peter@baileynm.com';
>'proberts@clark.net'; 'Russ.Cooper@rc.toronto.on.ca';
>'stevel@millennium.co.uk'
>Subject: RAPTOR
>
>Hi:
>Can you help me?
>
>I have configured Raptor Eagle NT 3.0.6. It works fine with all PCs attached
>to the private interface, but I have some cisco 2501 (for some other
>subnets I must protect with eagle) attached to this private subnet and the
>Eagle does not route the packets to outside that come from these subnets. I can't
>ping from cisco to the eagle's private interface, however I can ping from
>any PC to eagle.
>
>The 2501s have their default gateway pointing to the Eagle.
>
>What's wrong?
>
>Thanks in advance
>
>Jaime Blanco
>Tech Manager
>Sinfonet
>www.sinfo.net
>

From owner-firewalls-outgoing Thu May 1 11:41:31 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id KAA16639 for firewalls-outgoing; Thu, 1 May 1997 10:57:13 -0700 (PDT)
Received: from majestix.skp.de (majestix.skp.de [194.163.133.195]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id KAA16632 for ; Thu, 1 May 1997 10:57:05 -0700 (PDT)
Received: from maestro (maestro.skp.de [194.163.133.201]) by majestix.skp.de (8.7.5/8.7.3) with SMTP id TAA07821; Thu, 1 May 1997 19:04:49 +0200
Date: Thu, 01 May 1997 19:58:05 +0100
To: Dick Mosher
From: Oliver Lau
Cc:
Subject: Re: NT File Sharing
In-Reply-To: <9703298623.AA862350652@cc.wstnres.com>
References: <9703298623.AA862350652@cc.wstnres.com>
Message-Id: <3368F5CD15B.C07D.lau@skp.de>
MIME-Version: 1.0
Content-Type: text/plain
Content-Transfer-Encoding: Quoted-Printable
X-Mailer: Becky! ver 1.20
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Greetings!

If you use TCP/IP as the only protocol, file sharing with NetBIOS uses port numbers 137 through 138. You have to allow traffic incoming AND outgoing because the server establishes a reciprocal connection back to the client. The same setup applies to all SMB connections like Samba of several Unixes.

A good place to look for answers to questions like this is the RFC "Assigned Numbers".

On Tue, 29 Apr 97 14:53:04 CST "Dick Mosher" wrote:
| We are trying to set up NT file sharing across an internal firewall,
| and can find very little documentation on its mechanics. Can anyone
| tell me what port(s) it uses? Thanks.
| dick_mosher@wstnres.com

Hope this helps!

Regards,
Oliver Lau (Senior Security Consultant)
Sauer, Küster und Partner GmbH
Dietrich-Bonhoeffer-Straße 1-3, 35037 Marburg, Germany
fon: +49 6421 938300, fax: +49 6421 938390, URL: www.skp.de

From owner-firewalls-outgoing Thu May 1 11:41:46 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id LAA19769 for firewalls-outgoing; Thu, 1 May 1997 11:19:20 -0700 (PDT)
Received: from smtp3.erols.com (smtp3.erols.com [205.252.116.103]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id LAA19746; Thu, 1 May 1997 11:19:12 -0700 (PDT)
Received: from cabe (spg-as13s58.erols.com [207.172.6.58]) by smtp3.erols.com (8.8.5/8.8.5) with SMTP id OAA19355; Thu, 1 May 1997 14:20:42 -0400
Message-Id: <1.5.4.32.19970501182410.00735984@pop.erols.com>
X-Sender: cabe@pop.erols.com
X-Mailer: Windows Eudora Light Version 1.5.4 (32)
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Thu, 01 May 1997 14:24:10 -0400
To: Firewalls@GreatCircle.COM, firewalls-digest@GreatCircle.COM
From: Cabe Franklin
Subject: international use of VPN
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hello Chris/Adam/Sandeep:

When a U.S. company wishes to export a crypto product to communicate with an overseas subsidiary, even though it's keeping it all in the family, it does have to apply for an export license. If it is going to "maintain control" though, it's not too hard to get. Different from permission to resell, obviously. But does still fall under DoC regs.

Check Point doesn't exactly fall under U.S. regs b/c it's listed on Nasdaq. The actions of its U.S. arm are governed by U.S. rules, but if the crypto is developed/manufactured/distributed etc. entirely overseas, it doesn't fall into the realm of US controls.

Icing on the cake -- India (AFAIK) has _import_ regulations on crypto, just to keep things interesting.

Good luck :)

- Cabe

P.S. Full disclosure: I do work occasionally for TIS. While I shy away from the AbirNet model, I feel compelled to note that their Gauntlet firewall can give you a 56-bit DES VPN wherever you may be, and if you don't mind using key recovery, you can get 3DES.

- Cabe Franklin
Ogilvy Adams & Rinehart, Washington DC
(202) 452-9504
cabe_franklin@oar-wash.com
-

From owner-firewalls-outgoing Thu May 1 11:42:53 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id KAA11014 for firewalls-outgoing; Thu, 1 May 1997 10:27:45 -0700 (PDT)
Received: from cheops.anu.edu.au (cheops.anu.edu.au [150.203.76.24]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id KAA10983 for ; Thu, 1 May 1997 10:27:39 -0700 (PDT)
Message-Id: <199705011727.KAA10983@honor.greatcircle.com>
Received: by cheops.anu.edu.au (1.37.109.16/16.2) id AA131537669; Fri, 2 May 1997 03:27:49 +1000
From: Darren Reed
Subject: Re: [NTSEC] RE: L0pht Scanning - Beware
To: craig@onshore.com (Craig Brozefsky)
Date: Fri, 2 May 1997 03:27:49 +1000 (EST)
Cc: droberts@excell.com, inskeep_chris@geologics.com, firewalls@GreatCircle.COM, ntsecurity@iss.net
In-Reply-To: from "Craig Brozefsky" at May 1, 97 10:11:59 am
X-Mailer: ELM [version 2.4 PL23]
Content-Type: text
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

In some mail from Craig Brozefsky, sie said:
>
> On Mon, 28 Apr 1997, Dennis Roberts wrote:
>
> > I see your point. Until there is a group of "real security people" what
> > should be done? Nothing?
>
> Give up computers, or start running an OS you have source code to and do
> your own source scans. No such thing as "real security people" anyways.

Speaking of source code, see http://www.sun.com/edu/hot/hot.html for an interesting offer from Sun on Solaris2.5.1 source code.

From owner-firewalls-outgoing Thu May 1 12:32:48 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id KAA16872 for firewalls-outgoing; Thu, 1 May 1997 10:58:35 -0700 (PDT)
Received: from dg-rtp.dg.com (dg-rtp.rtp.dg.com [128.222.1.2]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id KAA16809 for ; Thu, 1 May 1997 10:58:18 -0700 (PDT)
Received: from splinter.rtp.dg.com by dg-rtp.dg.com (5.4R3.10/dg-rtp-v02) id AA07998; Thu, 1 May 1997 13:59:40 -0400
Received: by splinter.rtp.dg.com (8.6.10/200.15.1.2) id NAA16859; Thu, 1 May 1997 13:55:15 -0400
From: spencerj@dg-rtp.dg.com (Jon Spencer)
Message-Id: <199705011755.NAA16859@splinter.rtp.dg.com>
Subject: Re: Ascend Secure Access with Dynamic Firewall
To: chrisp@tidalwave.net (Chris Pressley)
Date: Thu, 1 May 1997 13:55:11 -0400 (EDT)
Cc: firewalls-digest@greatcircle.com
In-Reply-To: <3.0.1.32.19970428133225.00709958@tidalwave.net> from "Chris Pressley" at Apr 28, 97 01:32:25 pm
X-Mailer: ELM [version 2.4 PL23]
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

To hack your way into a firewall such as the one described, just attack the OS the firewall is operational on, assuming that Ascend was built using high assurance mechanisms (which would be a pleasant surprise).
However, if they actually used the word "impossible," then they most certainly aren't a high assurance system.

Scientific American published an article in 1906, where Dr. Newcomb, one of the preeminent mathematicians of his day, proved it was impossible for a heavier than air vehicle to lift off the ground and maintain sustained flight. Of course, by this time, those pesky Wright brothers were making sustained flights of several hours.

"Impossible" is a very dangerous word to use - it usually falls from the lips of those who lack expertise in the area they are pontificating upon. Or people trying to sell you something in the face of stiff competition.

Note, however, that I have no knowledge of Ascend making any such claim. Caveat emptor.

>
> Anyone familiar with Ascend Secure Access with Dynamic Firewall? Ascend
> claims it makes use of stateful packet inspection, and it's impossible for
> a hacker to penetrate (I just got off the phone with them). The web pages
> provide remarkably little information. The Pipeline 75 also offers packet
> filtering.
>
> Thanks,
> Chris
>
>

--
Jon F. Spencer                      spencerj@rtp.dg.com (uunet!rtp.dg.com!spencerj)
Data General Corp.                  Phone : (919)248-6246
62 T.W. Alexander Dr, MS #119       FAX   : (919)248-6108
Research Triangle Park, NC 27709    Office RTP 121/9
Reality is an illusion - perception is what counts.
No success can compensate for failure in the home. President David O. McKay
***** UCC 1-207 ********

From owner-firewalls-outgoing Thu May 1 12:55:00 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id JAA29969 for firewalls-outgoing; Thu, 1 May 1997 09:16:51 -0700 (PDT)
Received: from charity.harvard.net (charity.harvard.net [206.137.222.16]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id JAA29954 for ; Thu, 1 May 1997 09:16:40 -0700 (PDT)
Received: from tranquility.harvard.net (root@tranquility.harvard.net [206.64.152.14]) by charity.harvard.net (8.8.5/8.7.3) with ESMTP id MAA16493 for ; Thu, 1 May 1997 12:17:09 -0400 (EDT)
Received: from kyoto (gojapan.com [206.137.94.14]) by tranquility.harvard.net id MAA13153; Thu, 1 May 1997 12:15:08 -0400 (EDT)
Message-Id: <2.2.32.19970501162414.00921988@postoffice.harvard.net>
X-Sender: leon.linkco.com@postoffice.harvard.net
X-Mailer: Windows Eudora Pro Version 2.2 (32)
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Thu, 01 May 1997 12:24:14 -0400
To: firewalls@GreatCircle.COM
From: Leonid Charny
Subject: Raptor Eagle experience on NT
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Has anyone been using Eagle NT 4.0 and wishes to share the experience? We are currently evaluating FW-1, Cisco PIX and Eagle 4.0. We are aware of the Ziff-Davis and Tolly Group reports, but want to hear real-life stories. Any advice from anyone who has done a similar evaluation is appreciated.

_______________________________________________________________________________
Leonid Charny, Ph.D.
Principal Technical Architect
LinkCo, 286 Congress Street, Boston, MA 02210
Phone:(617) 574-9059 Fax:(617) 574-9055
Email: leon@linkco.com
"Professionals First Choice for Japanese Business Information"
_______________________________________________________________________________

From owner-firewalls-outgoing Thu May 1 13:09:44 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id LAA25959 for firewalls-outgoing; Thu, 1 May 1997 11:56:31 -0700 (PDT)
Received: from mercury.earthlink.net (mercury.earthlink.net [198.68.160.4]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id LAA25808 for ; Thu, 1 May 1997 11:55:54 -0700 (PDT)
Received: from poseidon.earthlink.net ([206.250.69.156]) by mercury.earthlink.net (8.7.5/8.7.3) with SMTP id LAA19207; Thu, 1 May 1997 11:57:51 -0700 (PDT)
Message-Id: <2.2.32.19970501185643.006a9ac4@198.68.160.4>
X-Sender: del@198.68.160.4
X-Mailer: Windows Eudora Pro Version 2.2 (32)
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
X-Priority: 1 (Highest)
Date: Thu, 01 May 1997 11:56:43 -0700
To: Planet_Ocean@profitmaster.com
From: POLARIS
Subject: Re: Your website's "Findability" -- Search Engine Help
Cc: firewalls@GreatCircle.com
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

HEY STEVE....!!!!!!!!!

this is a FIREWALL discussion group...
get this web shit off this list...!!! NOW!!!
and return nevermore
what i would like to improve is 'LOSABILITY'....
namely YOURS.....

At 05:17 PM 4/30/97 -0700, you wrote:
>Would you like to improve your website's
>"findability" in the Search Engines?
>
>During the past year, my company has placed over 100
>webpages into the Top Ten -- the front page -- of the
>major search engines... and, for a small fee, I am
>willing to show you exactly how we did it.
>
>My name is Stephen Mahaney. I am the president of
>Planet Ocean Communications. My web marketing company
>has literally "written the book" on how to position your
>website on the front page -- the Top Ten -- of each of
>the major search engines... guaranteed!
>
>Our 45 page book identifies every trick & technique that
>is being used on the Internet to gain an almost "unfair"
>advantage in landing websites at the top of the search
>engine lists -- right where you need to be so that
>potential customers who are seeking your services or
>products can find you.
>
>Our monthly Newsletter keeps you abreast of the latest
>techniques and frequent changes that take place in the
>dynamic world of "search engine" science.
>
>However, understanding the process does not require
>a degree in "rocket" science -- nor do you need to be
>"technically oriented". Whether your website is a
>"do-it-yourself" project or you are paying someone
>to maintain your site, you (or your webmaster) need
>to know the tricks in this book in order to compete with
>the professionals who are dominating the front pages of
>the various search categories.
>
>To learn more about how you can obtain this essential
>information and receive a free subscription to our
>Newsletter -- SEARCH ENGINE SECRETS UPDATE,
>go to....
>
> http://www.profitmaster.com/se-advantage/
>
>You'll be glad you did.
>
>Sincerely,
>Stephen Mahaney - President
>Planet Ocean Communications
>
>
> ***************************************************
>Note: We have contacted you based on information that
>we gathered while visiting your website - If you would
>prefer not to receive mail from us in the future,
>simply reply with the word "remove" and you will be
>automatically excluded from future correspondence. Thanks
> ***************************************************
>
>Thought for the day...
>"The only thing a man can take
>beyond this lifetime is his ethics"
>
>
>
>

***************************************************************
Be wise and anticipate the Brutus of your camp.
Brutus repaid Caesar for unfailing and ill-deserved loyalty
with a sharp currency of steel.'
    Attila, King of Huns, circa 422 a.d.
****************************************************************
Buck/Earthlink Network/framerelay@staffmail.earthlink.net
****************************************************************

From owner-firewalls-outgoing Thu May 1 13:40:11 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id NAA12862 for firewalls-outgoing; Thu, 1 May 1997 13:35:11 -0700 (PDT)
Received: from stobyn.ml.org ([205.214.199.244]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id NAA12733 for ; Thu, 1 May 1997 13:34:45 -0700 (PDT)
Received: (from uucp@localhost) by stobyn.ml.org (8.8.4/8.8.4) id QAA01662 for ; Thu, 1 May 1997 16:00:31 +0400
Received: from laptop.stokes.com(172.18.1.2) by stobyn.ml.org via smap (V2.0) id xma001660; Thu, 1 May 97 16:00:30 +0400
Date: Thu, 1 May 1997 16:09:04 +0400 (GMT-4)
From: Roger Hill
X-Sender: rhill@rose.stokes.com
To: Firewalls Mailing List
Subject: RE: configuring automated email on a dialup link.
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I use diald for linux...works just fine with dynamic or static IP's.

See http://www.dna.lth.se/~erics/diald.html

============================================================================
Roger Hill, P.O.Box 4T, Barbados, West Indies.
Tel:246-230-9596 Fax:246-433-8365 E-mail: rhill@stobyn.ml.org
============================================================================

From owner-firewalls-outgoing Thu May 1 14:24:55 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id OAA17503 for firewalls-outgoing; Thu, 1 May 1997 14:14:44 -0700 (PDT)
Received: from daisy.snet.net (mail.snet.net [204.60.7.83]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id OAA17495 for ; Thu, 1 May 1997 14:14:36 -0700 (PDT)
From: k.p@snet.net
Received: from default (smfr01-sh2-port84.snet.net [204.60.17.84]) by daisy.snet.net (8.8.5/8.8.5/SNET-1.5) with SMTP id RAA02865 for ; Thu, 1 May 1997 17:16:09 -0400 (EDT)
Message-ID: <33690991.6249@snet.net>
Date: Thu, 01 May 1997 17:22:26 -0400
X-Mailer: Mozilla 3.01 (Win95; I)
MIME-Version: 1.0
To: firewalls@GreatCircle.COM
Subject: Re: Anti-Spam [Was: Your website's "Findability"]
References:
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Warpy wrote:
> Is it just me or does everyone get ticked off about these emails that say
> reply to make sure you DON'T get any further emails from us. Grrrrr...

Forward spam back to sender. Strength in numbers.

--
# Exit The System. #
#--------><--------#
#   k.p@snet.net   #

From owner-firewalls-outgoing Thu May 1 14:54:29 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id OAA20534 for firewalls-outgoing; Thu, 1 May 1997 14:49:56 -0700 (PDT)
Received: from guru.unixpros.com (guru.unixpros.com [207.17.234.5]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id OAA20523 for ; Thu, 1 May 1997 14:49:50 -0700 (PDT)
Message-Id: <199705012149.OAA20523@honor.greatcircle.com>
Received: by guru.unixpros.com (1.38.193.4/16.2) id AA07276; Thu, 1 May 1997 17:50:36 -0400
From: Stan Wnuck
Subject: CheckPoint vs Others
To: firewalls@greatcircle.com
Date: Thu, 1 May 97 17:50:36 EDT
Cc: swnuck@guru.unixpros.com
Mailer: Elm [revision: 70.85]
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hello folks.

We are presently evaluating Check-Point's Fire-Wall 1. We had a CheckPoint representative even come in today to explain the product. After speaking with him, I got the impression that this is the best fire-wall out on the market. So I figured I'd throw out some questions to the dogs to chew away on this idea so that I can remain open-minded. :)

Check Point's product and its direct resellers such as Solstice from SUN are stateful inspection technologies. The only two other technologies that I am aware of are:

a. proxy services such as Raptor or Gauntlet
b. packet filters

#1 Are there any other technologies that I am unaware of?
#2 Are they as good as stateful inspection?
#3 Why should I use proxy services or packet filters if I can have stateful inspection?
#4 Other than Check-Point and their direct resellers, are there any other stateful inspection products that are not associated with Check-Point?
#5 Do other products offer remote authentication, encrypted links (VPN's), content security, auditing, load balancing, network translation, exercise policies for access?
#6 Do other products have a way of creating extranets?
I am sorry if this has been discussed already. If need to be, reply direct to me so that others on this list don't have to hear this wasted traffic. Thanks for your time. Stan Wnuck swnuck@unixpros.com Unixpros, Inc. 10 Industrial Way East (908) 389-3295 x542 Eatontown, NJ 07724 (908) 389-5461 Fax PM-CHS Technology Insertion Office Ft. Monmouth Army Base, NJ (908) 427-2033 / 427-6963 From owner-firewalls-outgoing Thu May 1 15:09:49 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id OAA21325 for firewalls-outgoing; Thu, 1 May 1997 14:54:36 -0700 (PDT) Received: from pdxchange.escocorp.com (mail.escocorp.com [207.141.1.97]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id OAA21251 for ; Thu, 1 May 1997 14:54:18 -0700 (PDT) Received: by pdxchange.escocorp.com with SMTP (Microsoft Exchange Server Internet Mail Connector Version 4.0.994.63) id <01BC563F.C4659010@pdxchange.escocorp.com>; Thu, 1 May 1997 14:55:53 -0700 Message-ID: From: "Jenkins, Gary C." To: "'firewalls@GreatCircle.com'" Subject: RE: Your website's "Findability" -- Search Engine Help Date: Thu, 1 May 1997 14:55:51 -0700 X-Mailer: Microsoft Exchange Server Internet Mail Connector Version 4.0.994.63 MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Might I suggest that when someone spams this list or any other list for that matter that we all reply to them directly and not include the list the original spam was sent to. That will save us all grief as we wade through all these messages. That way the only person that gets return spammed is the original sender. Gary C. 
Jenkins (gcjenkins@escocorp.com) UNIX System Administrator ESCO Corporation 503-778-6839 (V) 503-778-6754 (F) >---------- >From: POLARIS[SMTP:del@198.68.160.4] >Sent: Thursday, 01 May, 1997 11:56 >To: Planet_Ocean@profitmaster.com >Cc: firewalls@GreatCircle.com >Subject: Re: Your website's "Findability" -- Search Engine Help > >HEY STEVE....!!!!!!!!! > > this is a FIREWALL discussion group... > get this web shit off this list...!!! NOW!!! > and return nevermore > what i would like to improve is 'LOSABILITY'.... > namely YOURS..... > > > >At 05:17 PM 4/30/97 -0700, you wrote: >>Would you like to improve your website's >>"findability" in the Search Engines? >> >>During the past year, my company has placed over 100 >>webpages into the Top Ten -- the front page -- of the >>major search engines... and, for a small fee, I am >>willing to show you exactly how we did it. >> >>My name is Stephen Mahaney. I am the president of >>Planet Ocean Communications. My web marketing company >>has literally "written the book" on how to position your >>website on the front page -- the Top Ten -- of each of >>the major search engines... guaranteed! >> >>Our 45 page book identifies every trick & technique that >>is being used on the Internet to gain an almost "unfair" >>advantage in landing websites at the top of the search >>engine lists -- right where you need to be so that >>potential customers who are seeking your services or >>products can find you. >> >>Our monthly Newsletter keeps you abreast of the latest >>techniques and frequent changes that take place in the >>dynamic world of "search engine" science. >> >>However, understanding the process does not require >>a degree in "rocket" science -- nor do you need to be >>"technically oriented". 
Whether your website is a >>"do-it-yourself" project or you are paying someone >>to maintain your site, you (or your webmaster) need >>to know the tricks in this book in order to compete with >>the professionals who are dominating the front pages of >>the various search categories. >> >>To learn more about how you can obtain this essential >>information and receive a free subscription to our >>Newsletter -- SEARCH ENGINE SECRETS UPDATE, >>go to.... >> >> http://www.profitmaster.com/se-advantage/ >> >>You'll be glad you did. >> >>Sincerely, >>Stephen Mahaney - President >>Planet Ocean Communications >> >> >> *************************************************** >>Note: We have contacted you based on information that >>we gathered while visiting your website - If you would >>prefer not to receive mail from us in the future, >>simply reply with the word "remove" and you will be >>automatically excluded from future correspondence. Thanks >> *************************************************** >> >>Thought for the day... >>"The only thing a man can take >>beyond this lifetime is his ethics" >> >> >> >> >> > >*************************************************************** >Be wise and anticipate the Brutus of your camp. >Brutus repaid Caesar for unfailing and ill-deserved loyalty >with a sharp currency of steel.' > Attila, King of Huns, circa 422 a.d. 
>****************************************************************
>Buck/Earthlink Network/framerelay@staffmail.earthlink.net
>****************************************************************

From owner-firewalls-outgoing Thu May 1 16:09:38 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id PAA25485 for firewalls-outgoing; Thu, 1 May 1997 15:22:19 -0700 (PDT) Received: from palrel1.hp.com (palrel1.hp.com [15.253.72.10]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id PAA25436 for ; Thu, 1 May 1997 15:22:08 -0700 (PDT) Received: from cup46ux.cup.hp.com (daemon@cup46ux.cup.hp.com [15.9.88.31]) by palrel1.hp.com with ESMTP (8.7.5/8.7.3) id PAA00646 for ; Thu, 1 May 1997 15:23:47 -0700 (PDT) Received: from f2426bre.nsr.hp.com by cup46ux.cup.hp.com with SMTP (1.37.109.11/15.5+IOS 3.20+cup+OMrelay) id AA107505419; Thu, 1 May 1997 15:23:39 -0700 From: beldridg@cup46ux.cup.hp.com (Brett Eldridge) To: CHRISTIAN_STAHL@HP-Denmark-om1.om.hp.com Cc: firewalls@GreatCircle.COM, beldridg@cup46ux.cup.hp.com Subject: Re: MS NetMeeting 2.0 and Raptor Eagle vers. 4.0 Date: Thu, 01 May 1997 22:20:51 GMT Message-Id: <337b1322.99279981@cup46ux.cup.hp.com> References: In-Reply-To: X-Mailer: Forte Agent 1.0/32.390 Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: quoted-printable Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

On Thu, 1 May 97 08:52:50 +0200, you wrote:
>Hey everybody,
>
>Does anyone know how to set up Raptor Eagle version 4.0, running on NT
>4.0, to MS NetMeeting?

Hi Christian,

This is going to be tough for any application-proxy style firewall because you need to open up multiple TCP ports (389 and 522) along with all the TCP/UDP high ports (argh). At least, this is how I read the MS article. This is obviously a large security risk and creates a hole in your firewall system big enough to "fling a moose through" (see Note 1).

Basically, for the Raptor Eagle firewall gateway, you need to use the GSP feature to define a service for each of the ports listed below.

I have included a portion of the text from one of Microsoft's Knowledge Base articles. You can find the article at: http://www.microsoft.com/kb/articles/q164/0/38.htm

- brett

---- Text of article ----

Microsoft NetMeeting 2.0 uses several secondary TCP and UDP ports to communicate. To allow NetMeeting to communicate fully, the following ports need to be enabled on the WinSock portion of the Proxy Server:

    389      Internet Locator Server
    522      User Location Server
    1503     T.120 Protocol
    1720     H.323 call setup (TCP)
    1731     Audio call control (TCP)
    Dynamic  H.323 Call Control (TCP)
    Dynamic  H.323 streaming (RTP over UDP)

    Port or Range   Type   Direction
    -------------   ----   ---------
    389             TCP    Inbound
    389             TCP    Outbound
    522             TCP    Inbound
    522             TCP    Outbound
    1025-65535      TCP    Inbound
    1025-65535      TCP    Outbound
    1025-65535      UDP    Inbound
    1025-65535      UDP    Outbound

Note 1: Thanks to Marcus for enlightening me as to the highly technical term to use to aptly describe situations like this.

From owner-firewalls-outgoing Thu May 1 16:39:37 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id QAA04340 for firewalls-outgoing; Thu, 1 May 1997 16:31:36 -0700 (PDT) Received: from pdxchange.escocorp.com (mail.escocorp.com [207.141.1.97]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id QAA04305 for ; Thu, 1 May 1997 16:31:24 -0700 (PDT) Received: by pdxchange.escocorp.com with SMTP (Microsoft Exchange Server Internet Mail Connector Version 4.0.994.63) id <01BC564D.56A29F60@pdxchange.escocorp.com>; Thu, 1 May 1997 16:33:02 -0700 Message-ID: From: "Jenkins, Gary C."
To: "'firewalls@GreatCircle.com'" Subject: Replies to spammers Date: Thu, 1 May 1997 16:33:00 -0700 X-Mailer: Microsoft Exchange Server Internet Mail Connector Version 4.0.994.63 MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Might I suggest that when someone spams this list, or any other list for that matter, that anyone wishing to reply to them do so directly and not include the list the original spam was sent to in the recipients. That will save us all grief as we wade through all these messages. That way the only person that gets return spammed is the original sender. Gary C. Jenkins (gcjenkins@escocorp.com) UNIX System Administrator ESCO Corporation 503-778-6839 (V) 503-778-6754 (F) >---------- >From: POLARIS[SMTP:del@198.68.160.4] >Sent: Thursday, 01 May, 1997 11:56 >To: Planet_Ocean@profitmaster.com >Cc: firewalls@GreatCircle.com >Subject: Re: Your website's "Findability" -- Search Engine Help > >HEY STEVE....!!!!!!!!! > > this is a FIREWALL discussion group... > get this web shit off this list...!!! NOW!!! > and return nevermore > what i would like to improve is 'LOSABILITY'.... > namely YOURS..... > > > >At 05:17 PM 4/30/97 -0700, you wrote: >>Would you like to improve your website's >>"findability" in the Search Engines? >> >>During the past year, my company has placed over 100 >>webpages into the Top Ten -- the front page -- of the >>major search engines... and, for a small fee, I am >>willing to show you exactly how we did it. >> >>My name is Stephen Mahaney. I am the president of >>Planet Ocean Communications. My web marketing company >>has literally "written the book" on how to position your >>website on the front page -- the Top Ten -- of each of >>the major search engines... guaranteed! 
>> >>Our 45 page book identifies every trick & technique that >>is being used on the Internet to gain an almost "unfair" >>advantage in landing websites at the top of the search >>engine lists -- right where you need to be so that >>potential customers who are seeking your services or >>products can find you. >> >>Our monthly Newsletter keeps you abreast of the latest >>techniques and frequent changes that take place in the >>dynamic world of "search engine" science. >> >>However, understanding the process does not require >>a degree in "rocket" science -- nor do you need to be >>"technically oriented". Whether your website is a >>"do-it-yourself" project or you are paying someone >>to maintain your site, you (or your webmaster) need >>to know the tricks in this book in order to compete with >>the professionals who are dominating the front pages of >>the various search categories. >> >>To learn more about how you can obtain this essential >>information and receive a free subscription to our >>Newsletter -- SEARCH ENGINE SECRETS UPDATE, >>go to.... >> >> http://www.profitmaster.com/se-advantage/ >> >>You'll be glad you did. >> >>Sincerely, >>Stephen Mahaney - President >>Planet Ocean Communications >> >> >> *************************************************** >>Note: We have contacted you based on information that >>we gathered while visiting your website - If you would >>prefer not to receive mail from us in the future, >>simply reply with the word "remove" and you will be >>automatically excluded from future correspondence. Thanks >> *************************************************** >> >>Thought for the day... >>"The only thing a man can take >>beyond this lifetime is his ethics" >> >> >> >> >> > >*************************************************************** >Be wise and anticipate the Brutus of your camp. >Brutus repaid Caesar for unfailing and ill-deserved loyalty >with a sharp currency of steel.' > Attila, King of Huns, circa 422 a.d. 
>****************************************************************
>Buck/Earthlink Network/framerelay@staffmail.earthlink.net
>****************************************************************

Gary C. Jenkins (gcjenkins@escocorp.com) UNIX System Administrator ESCO Corporation 503-778-6839 (V) 503-778-6754 (F)

From owner-firewalls-outgoing Thu May 1 17:33:34 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id RAA08084 for firewalls-outgoing; Thu, 1 May 1997 17:00:17 -0700 (PDT) Received: from wicked.neato.org (wicked.neato.org [198.70.96.252]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id QAA07978 for ; Thu, 1 May 1997 16:59:58 -0700 (PDT) Received: (from george@localhost) by wicked.neato.org (8.8.5/8.8.5) id RAA10908; Thu, 1 May 1997 17:03:56 -0700 (PDT) Date: Thu, 1 May 1997 17:03:56 -0700 (PDT) Message-Id: <199705020003.RAA10908@wicked.neato.org> To: Stan Wnuck Cc: firewalls@greatcircle.com, swnuck@guru.unixpros.com Subject: Re: CheckPoint vs Others From: george@neato.org X-Remailed: true Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

You really should also look at SunScreen from Sun. It is Sun's own firewall solution as opposed to just reselling firewall-1 (http://www.sun.com/security). It is also a stateful firewall that comes as both a turnkey hardware solution (much higher security and stealth technology) and a software solution (along the lines of firewall-1). SunScreen includes support for VPN (not an add-on like firewall-1, at an extra cost). It also has a truly secure remote administration capability, network address translation and native support for SKIP encryption (Sun invented it).
George From owner-firewalls-outgoing Thu May 1 18:09:41 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id SAA17887 for firewalls-outgoing; Thu, 1 May 1997 18:06:53 -0700 (PDT) Received: from orions0.orion.org (orions0.orion.org [198.209.8.195]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id SAA17868 for ; Thu, 1 May 1997 18:06:46 -0700 (PDT) Received: from orionc0.orion.org (orionc0 [198.209.8.196]) by orions0.orion.org (8.8.5/8.7.3) with ESMTP id UAA09472 for ; Thu, 1 May 1997 20:08:24 -0500 (CDT) Received: by orionc0.orion.org (8.8.5) id UAA07677; Thu, 1 May 1997 20:08:21 -0500 (CDT) Date: Thu, 1 May 1997 20:08:21 -0500 (CDT) From: "Cheryl L. Jones" X-Sender: cjones01@orionc0 To: firewalls@greatcircle.com Subject: DELETE ALL Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk From owner-firewalls-outgoing Thu May 1 19:39:31 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id TAA23432 for firewalls-outgoing; Thu, 1 May 1997 19:24:52 -0700 (PDT) Received: from baldy.worldbit.com (baldy.worldbit.com [199.4.115.35]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id TAA23414 for ; Thu, 1 May 1997 19:24:43 -0700 (PDT) Received: from localhost (blast@localhost) by baldy.worldbit.com (8.8.5/8.8.4) with SMTP id TAA12037; Thu, 1 May 1997 19:25:05 -0700 (PDT) Date: Thu, 1 May 1997 19:25:05 -0700 (PDT) From: To: Illuminati Primus cc: Bob Beck , Mark.Loveless@BNSF.COM, ntsecurity@iss.net, mudge@l0pht.com, firewalls@GreatCircle.COM, ntsecurity@iss.net Subject: Re: Scanning from port 20, and packet filters. In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk On Wed, 30 Apr 1997, Illuminati Primus wrote: > I wasn't trying to suggest what a packet filter's overall policy should > be.. 
> I just wanted to point out that generally, a connection set up
> through an FTP bounce usually comes from port 20. Sure, broken FTP
> servers might send it from another port (which ones are these BTW? Are
> they also vulnerable to bouncing?), or the port might get remapped by a
> masquerading router.. But in the vast majority of the cases, an attacker
> won't spend the time to find a bounce-vulnerable ftp server that sends from
> a port other than 20.. so those stupid people can be logged and filtered
> by knowing what the usual traffic from a bounced connection will look
> like.
> I think we all know that the tightest security measure is to only allow
> connections to known secure services running on secure machines. And of
> course, to not have bounce-vulnerable FTP daemons.

Before you claim that FTP servers that don't use 20/tcp for the ftp-data channel are broken, you must understand the reason behind this "feature". If you subscribe to the view that all software has bugs and you run everything least-privileged, then consider this:

1) If the daemon does not have to bind() to a port less than 1023, then you don't have to run it as root ever. (LARGE WIN)
2) This, coupled with chroot()ing, is very nice.
3) Most of the people (80% on my last count) are going to PASV you, so even if you ran as root to do the ftp-data active open, it is a moot point. The client will issue both the active open to your 21/tcp for the ftp-control channel, and an active open to your >1023/tcp for the PASV ftp-data connection.

Last I checked, Marcus J Ranum (all around cool dude) once released some code called 'aftpd' which I believe is still on ftp.tis.com in some misc or contrib dir.

If we are talking about 20/tcp to >1023/tcp scanning, don't have anything >1023/tcp listening. If you have to have it, harden it up. If you can't harden it up, filter for it high in your rule sets.
--blast +--------------------------------------------------------------------+ \ Tim Keanini | "The limits of my language, / / aka blast | are the limits of my world." \ \ | --Ludwig Wittgenstein / \ +================================================/ |Key fingerprint = 7B 68 88 41 A8 74 AB EC F0 37 98 4C 37 F7 40 D6 | / PUB KEY: http://www-swiss.ai.mit.edu/~bal/pks-commands.html \ \ / +--------------------------------------------------------------------+ From owner-firewalls-outgoing Fri May 2 01:25:49 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id AAA11498 for firewalls-outgoing; Fri, 2 May 1997 00:56:01 -0700 (PDT) Received: from E-MAIL.COM (e-mail.com [199.171.26.5]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id AAA11491 for ; Fri, 2 May 1997 00:55:55 -0700 (PDT) Message-Id: <199705020755.AAA11491@honor.greatcircle.com> Received: from cem-bb.e-mail.com by E-MAIL.COM (IBM VM SMTP V2R3) with BSMTP id 6464; Fri, 02 May 97 03:57:38 EDT Date: Fri, 02 May 1997 03:57:35 EDT From: toon@cem-bb.e-mail.com To: firewalls@greatcircle.com MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Subject: FW-1 log files Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Hi, 'fw logswitch' looks fine but does not seem to work on our NT version when the FW-1 service is still running. Is it supposed to work while the FW-1 service runs? (In general?, on NT?). We run FW-1 2.1c on NT 3.51. Switching the log from the log viewer GUI works fine without stopping the FW-1 service but can not be used when you want to automate things. 
Toon Mordijck

From owner-firewalls-outgoing Fri May 2 01:39:42 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id BAA13721 for firewalls-outgoing; Fri, 2 May 1997 01:28:41 -0700 (PDT) Received: from E-MAIL.COM (e-mail.com [199.171.26.5]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id BAA13703 for ; Fri, 2 May 1997 01:28:33 -0700 (PDT) Message-Id: <199705020828.BAA13703@honor.greatcircle.com> Received: from cem-bb.e-mail.com by E-MAIL.COM (IBM VM SMTP V2R3) with BSMTP id 7220; Fri, 02 May 97 04:30:15 EDT Date: Fri, 02 May 1997 04:30:13 EDT From: toon@cem-bb.e-mail.com To: firewalls@greatcircle.com MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Subject: S/N suggestions Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Hi,

* I agree with the suggestion of Gary to reply directly to the sender of noisy contributions to this list. One can always ask some friends to support him in his reaction, but do this by private mail, PLEASE ||||||||
* I know that sometimes it is useful to include the original message to make a reply clear, but some of the members of this list really know how to exaggerate. PLEASE NOT more than necessary |||||

Still a member of this list because of my belief that it really can be useful for my job, despite the noise.

Toon Mordijck

NB: I know this mail is noise too, but I tried to keep it short.
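Added example, not code from Tim Keanini's message above or from any FTP server it mentions: the check a bounce-resistant FTP daemon performs on the PORT command before it opens the ftp-data connection, which is the "not have bounce-vulnerable FTP daemons" half of that exchange. The control-peer address and the sample PORT commands are constructed, and refusing data ports below 1024 is an assumed policy, not something the thread specifies. The check does not depend on which source port the daemon later uses for the data connection, which is the point Keanini makes about not needing root.

```python
"""Added example (not from the original thread): validate FTP PORT commands
the way a bounce-resistant server should, independent of which source port
the server later uses for the data connection."""
import re

# Matches "PORT h1,h2,h3,h4,p1,p2" as sent by an active-mode FTP client.
PORT_RE = re.compile(
    r"^PORT\s+(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\s*$",
    re.IGNORECASE,
)


def parse_port(cmd):
    """Return (ip, port) from a PORT command, or None if it is malformed."""
    m = PORT_RE.match(cmd.strip())
    if m is None:
        return None
    fields = [int(x) for x in m.groups()]
    if any(f > 255 for f in fields):
        return None
    ip = ".".join(str(f) for f in fields[:4])
    port = fields[4] * 256 + fields[5]      # p1,p2 are the high and low bytes
    return ip, port


def check_port_command(cmd, control_peer_ip, min_port=1024):
    """Decide whether the server should honour a PORT command.

    control_peer_ip is the address the control connection (21/tcp) came from.
    A bounce attack asks the server to open the data connection to some other
    host, or to a privileged port; a hardened server refuses both.
    min_port=1024 is an assumed policy, not taken from the thread.
    Returns (accept, reason)."""
    parsed = parse_port(cmd)
    if parsed is None:
        return False, "malformed PORT command"
    ip, port = parsed
    if ip != control_peer_ip:
        return False, "PORT target %s is not the control peer %s (bounce)" % (ip, control_peer_ip)
    if port < min_port:
        return False, "PORT target port %d is privileged" % port
    return True, "ok"


def example():
    """Constructed commands, as seen by a server whose control peer is 192.0.2.10."""
    peer = "192.0.2.10"
    cases = [
        "PORT 192,0,2,10,4,1",      # normal: data back to the client on 1025
        "PORT 198,51,100,5,0,25",   # bounce: asks us to connect to 198.51.100.5:25
        "PORT 192,0,2,10,0,80",     # client address, but privileged port 80
        "PORT 192,0,2,300,4,1",     # octet out of range
    ]
    return [check_port_command(c, peer) for c in cases]


if __name__ == "__main__":
    for accept, reason in example():
        print("ACCEPT" if accept else "REJECT", reason)
```

Only the first command is honoured; the second is the classic bounce (make the server connect to a third host's SMTP port), the third targets a privileged port on the client itself, and the fourth is simply malformed.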
From owner-firewalls-outgoing Fri May 2 01:54:57 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id BAA15822 for firewalls-outgoing; Fri, 2 May 1997 01:51:50 -0700 (PDT) Received: from relay2.mail.uk.psi.net (sys1.london.uk.psi.net [154.32.108.2]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id BAA15786 for ; Fri, 2 May 1997 01:51:37 -0700 (PDT) Received: from lightwork.co.uk (lightwork.co.uk [195.152.206.2]) by relay2.mail.uk.psi.net (8.8.4/) with SMTP id JAA02111 for ; Fri, 2 May 1997 09:52:55 +0100 (BST) Received: by lightwork.co.uk (SMI-8.6/SMI-SVR4) id JAA02695; Fri, 2 May 1997 09:52:17 +0100 Received: from owl(192.9.200.2) by roo via smap (V1.3) id sma002690; Fri May 2 09:51:48 1997 Received: by owl.lightwork.co.uk (SMI-8.6/SMI-SVR4) id JAA01291; Fri, 2 May 1997 09:51:46 +0100 Date: Fri, 2 May 1997 09:51:46 +0100 Message-Id: <199705020851.JAA01291@owl.lightwork.co.uk> From: Julian Briggs To: Firewalls@GreatCircle.COM Subject: looking for socksified PASV ftp client Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Dear All,

I'm looking for a socksified PASV ftp client (for Solaris, HPUX, IRIX...). On systems which support dynamic linking (runsocks ftp), runsocks breaks the shell escape, e.g.:

    ftp> !ls
    ld.so.1: ls: fatal: libsocks5_sh.so: can't open file: errno=2
    Killed
    ftp>

On systems which don't support dynamic linking (e.g. HP-UX 9.05) runsocks is not available.

Thanks
Julian
--
Julian Briggs, System Administrator, LightWork Design Ltd 78 Clarkehouse Road, Sheffield S10 2LJ, UK +44 114 266 8404 ext 228 voice.
+44 114 266 1383 fax julian@lightwork.co.uk, http://www.lightwork.com From owner-firewalls-outgoing Fri May 2 02:22:14 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id AAA11479 for firewalls-outgoing; Fri, 2 May 1997 00:55:39 -0700 (PDT) Received: from mercury.Sun.COM (mercury.Sun.COM [192.9.25.1]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id AAA11463 for ; Fri, 2 May 1997 00:55:28 -0700 (PDT) Received: from Ebay.Sun.COM ([129.150.111.20]) by mercury.Sun.COM (SMI-8.6/mail.byaddr) with SMTP id BAA22421; Fri, 2 May 1997 01:07:55 -0700 Received: from althea.EBay.Sun.COM by Ebay.Sun.COM (SMI-8.6/SMI-5.3) id AAA15539; Fri, 2 May 1997 00:57:08 -0700 Received: by althea.EBay.Sun.COM (SMI-8.6/SMI-SVR4) id XAA05530; Thu, 1 May 1997 23:58:42 -0700 Date: Thu, 1 May 1997 23:58:42 -0700 From: Jerald.Josephs@Ebay.Sun.COM (Jerald Josephs) Message-Id: <199705020658.XAA05530@althea.EBay.Sun.COM> To: firewalls@GreatCircle.COM, fw-1-mailinglist@us.checkpoint.com, drexx@pspi.com.ph Subject: Re: [FW1] [FW-1] [Solaris 2.6] DHCP, VLSM thoughts X-Sun-Charset: US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > > Hello World, > > First of all, thanks to the many who responded earlier to my routing > pleas. I had been brain-dead enough not to remember then my basic routing > principles and so I had a tough time. (Perhaps I had too much caffeine > from all those Java cups ? );^] ) I'll post a summary later on when I > get my final IP address layout. > > Anyway, when Solaris 2.6 comes out soon, I believe it will include DHCP > and Variable-Length Subnet Masking (VLSM) support. > 1] With DHCP, will that finally allow FW1 filtering by hostnames (oh no!)? With DHCP, one will have to define generic hostnames for the range of IP addresses used in the IP allocation and you will not be able to do Authentication for a user coming from a particular host. > 2] How will VLSM make firewalling administration any easier/better ? 
>
No, but it will make it easier to subnet your intranet without losing precious IP addresses to a subnet without enough hosts to use all of the addresses.

Jerald E. Josephs, Course Developer - Network Security, Sun Educational Services
Phone/VM: 408-276-0941, FAX: 408-276-1565, E-mail: jerald.josephs@EBay.Sun.COM

> Many thanks,
> Drexx.
>
> "It's a dirty job, but somebody's gotta do it." -- John Wayne
> ~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~
> DEXTER D. LAGGUI
> Systems Engineer, Systems Integration Group
> PHILIPPINE SYSTEMS PRODUCTS INC.
> Penthouse, Corporate Business Center
> 150 Paseo de Roxas Ave., Legaspi Village
> Makati City, Philippines
> Phone: (++ 63-2) 813-6453 to 55 loc. 222
> Fax : (++ 63-2) 813-5834
> Email: drexx@pspi.com.ph
> Pager: (++ 63-2) 1277-33615
> ~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~
>

From owner-firewalls-outgoing Fri May 2 02:24:45 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id BAA15967 for firewalls-outgoing; Fri, 2 May 1997 01:53:38 -0700 (PDT) Received: from server.aaku.no (server.oks.no [194.19.121.67]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id BAA15959 for ; Fri, 2 May 1997 01:53:31 -0700 (PDT) Received: by server.aaku.no with SMTP (Microsoft Exchange Server Internet Mail Connector Version 4.0.993.5) id <01BC56E7.51BBD670@server.aaku.no>; Fri, 2 May 1997 10:55:16 +0200 Message-ID: From: Bjørn Arne Pedersen To: "'Firewalls@GreatCircle.COM'" Subject: Sessionwall-3 Date: Fri, 2 May 1997 10:55:15 +0200 X-Mailer: Microsoft Exchange Server Internet Mail Connector Version 4.0.993.5 MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Sender:
firewalls-owner@GreatCircle.COM Precedence: bulk

Is there anybody who uses SessionWall-3 out here? I have received an evaluation copy of the product, and I like the features, but how is the security? Anyone?

Regards
Bjorn Arne

From owner-firewalls-outgoing Fri May 2 02:39:49 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id BAA11931 for firewalls-outgoing; Fri, 2 May 1997 01:09:23 -0700 (PDT) Received: from matav.hu (firewall.matav.hu [145.236.225.161]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id BAA11923 for ; Fri, 2 May 1997 01:09:15 -0700 (PDT) Received: from tiivs7.tii.matav.hu ([145.236.48.148]) by firewall.matav.hu with SMTP id <55554-1>; Fri, 2 May 1997 10:08:29 +0100 Received: from Bunuel.tii.matav.hu by tiivs7.tii.matav.hu (MX V4.1 VAX) with SMTP; Fri, 02 May 1997 10:10:03 MET Received: from localhost by Bunuel.tii.matav.hu with smtp id m0wNDTX-002QmKC (Debian Smail-3.2 1996-Jul-4 #2); Fri, 2 May 1997 10:13:55 +0200 (MET DST) Date: Fri, 2 May 1997 09:13:55 +0100 From: "Magossa'nyi A'rpa'd" To: Stan Wnuck CC: firewalls@GreatCircle.COM, swnuck@guru.unixpros.com Subject: Re: CheckPoint vs Others In-Reply-To: <199705012149.OAA20523@honor.greatcircle.com> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=ISO-8859-2 Content-Transfer-Encoding: QUOTED-PRINTABLE Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

On Thu, 1 May 1997, Stan Wnuck wrote:
> So I figured I throw out some
> questions to the dogs to chew away on this idea so
> that I can remain open-minded. :)

Let it be.

>
> Check Point's product and its direct resellers such
> as Solstice from SUN are stateful inspection technologies.
>
> The only two other technologies that I am aware of are:
> a. proxy services such as Raptor or Gauntlet
> b. packet filters
>
> #1 Are there any other technologies that I am unaware of?
    In the Data Comm firewall survey there is also a thing called
    Circuit Relay, but I don't know what it is. Could anyone explain
    that?

> #2 Are they as good as state-ful inspection?

    It depends on usage. Someone had pointed out that stateful
    inspection is something with the "what is not denied is allowed"
    approach, and as such it is not appropriate for a firewall. I don't
    know if it is even true, and either lost track of that thread, or
    there was no answer.

> #3 Why should I use proxy services or packet filters if
> I can have stateful inspection?

    If you don't know the details of the protocol, you will fall back to
    packet filtering in stateful inspection.
    I'm not sure if stateful inspection is able to handle it if you want
    to handle things at higher levels of the protocol.

> #4 Other than Check-Point and their direct resellers,
> are there any other stateful inspection products that are
> not associated with Check-Point?

    From the Data Comm survey:
    Cyberguard Firewall
    Cycon Labirinth
    GTA Gnat Box
    Netguard Guardian
    Network-1 Firewall/Plus
    Sealab's Watchguard
    Sunscreen EFS

> #5 Do other products offer remote authentication, encrypted
> links (VPN's), content security, auditing, load balancing,
> network translation, exercise policies for access?

    Sure. You can do those even with a stock Linux box. Not talking
    about the pain involved.

> #6 Do other products have a way of creating extranets?

    Do you mean DMZ?

>
>
> I am sorry if this has been discussed already. If need be,
> reply directly to me so that others on this list don't have to
> hear this wasted traffic.

I am replying to the list because there are some issues I don't know much about either.
---
GNU GPL: csak tiszta forrásból (only from a clean source)

From owner-firewalls-outgoing Fri May 2 03:24:35 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id BAA13130 for firewalls-outgoing; Fri, 2 May 1997 01:19:59 -0700 (PDT) Received: from E-MAIL.COM (e-mail.com [199.171.26.5]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id BAA13123 for ; Fri, 2 May 1997 01:19:52 -0700 (PDT) Message-Id: <199705020819.BAA13123@honor.greatcircle.com> Received: from cem-bb.e-mail.com by E-MAIL.COM (IBM VM SMTP V2R3) with BSMTP id 6976; Fri, 02 May 97 04:21:32 EDT Date: Fri, 02 May 1997 04:21:31 EDT From: toon@cem-bb.e-mail.com To: firewalls@greatcircle.com MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Subject: port scans, netiquette and so on. Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

When I learned about the Internet a few years ago, people told me that there was something called netiquette. The enforcement of the 'rules' was done by the Internet community itself. If one misbehaved, the community would let him know in a convincing way.

If I see a portscan to our network I don't like it, because I don't know if the intentions behind it are positive or negative. So I try to find out where it comes from. If I find the source, I will do whatever I can to convince those responsible to stop their activities.

QUESTION: All hints to do this are welcome.

If I cannot find the source, I will raise my alertness and also try to look for help (e.g. with my ISP) to defend myself against a probable attack.

QUESTION: All hints to this are welcome.
Sorry for my English,
Toon Mordijck

From owner-firewalls-outgoing Fri May 2 03:54:33 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id DAA06991 for firewalls-outgoing; Fri, 2 May 1997 03:45:51 -0700 (PDT) Received: from miles.greatcircle.com (miles.greatcircle.com [198.102.244.34]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id DAA06826 for ; Fri, 2 May 1997 03:45:20 -0700 (PDT) Received: from majestix.skp.de (majestix.skp.de [194.163.133.195]) by miles.greatcircle.com (8.8.5/Miles-970308-2) with ESMTP id DAA21352 for ; Fri, 2 May 1997 03:18:48 -0700 (PDT) Received: from maestro (maestro.skp.de [194.163.133.201]) by majestix.skp.de (8.7.5/8.7.3) with SMTP id LAA11351; Fri, 2 May 1997 11:23:14 +0200 Date: Fri, 02 May 1997 12:16:12 +0100 To: Todd Graham Lewis From: Oliver Lau Cc: Firewalls Mailing list , Chris Pugrud , Martin Sauer , Derek Pokorny Subject: Re[2]: NT vs Linux FTP Performance In-Reply-To: References: Message-Id: <3369DB0C23D.A374.lau@skp.de> MIME-Version: 1.0 Content-Type: text/plain Content-Transfer-Encoding: Quoted-Printable X-Mailer: Becky! ver 1.20 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Hello, all!

On Thu, 1 May 1997 02:28:19 -0400 (EDT) Todd Graham Lewis wrote:
| On Wed, 30 Apr 1997, Chris Pugrud wrote:
|
| > I felt that filling a 10BT pipe was more than adequate because this is a
| > firewalls forum and most of us do not have the joy of T3 or better
| > connections.

Of course, few sites are connected to the Internet as fast as T3 or even better. But there are purposes other than securing a local area network from the Internet where a firewall system is the right choice. Think of separating different networks in a huge company. Imagine an ATM, an FDDI or a Fast Ethernet backbone to which enterprise-wide servers and all departments (accountancy, research facilities, etc.) are attached.
A good reason to control traffic between those networks is that about 80 per cent of all security breaches are inside jobs, jobs of disgruntled officers or bitter former employees or friends of theirs, all provided with internal information. Others are employees who are bored to death, having enough time to test the system's security, and users who are dumb enough to break in by accident ;-), thus compromising integrity and availability of important data.

This directly leads to a firewall solution that has to be able to
(a) filter traffic at very high speeds
(b) filter multi-protocol traffic
(c) observe the state of communication between two hosts
(d) be invisible on the network ('stealth mode').

To (a): self-explanatory.

To (b): multi-protocol capability means filtering protocols other than IP, such as IPX, AppleTalk, NetBEUI, Banyan, DECnet, because on most networks more than one protocol is used.

To (c): the so-called 'stateful inspection' or 'statefulness', providing the highest degree of traffic control, better than isolated packet filtering or inflexible (inconvenient for users) proxies. Packet filtering cannot handle connection-oriented and thus stateful protocols like TCP. Proxies mean that users have to get used to new conditions, adjusting to new environments. No good, because the ordinary user is hard to satisfy and unwilling to learn how network things work. Statefulness is THE fortunate hybrid solution.

To (d): Two methods are possible. First, pseudo-invisibility: e.g. through proxy ARP. Second, complete invisibility: no protocol suites installed, i.e. there has to be a mechanism that fetches all frames from the line directly through the NIC driver, and then forwards the extracted packets to the filtering engine.
For detailed explanation please visit:
US site: http://www.network-1.com/products/firewall/nt
German site: http://www.skp.de/prod

Regards,
Oliver Lau (Senior Security Consultant)
Sauer, Küster und Partner GmbH
Dietrich-Bonhoeffer-Straße 1-3, 35037 Marburg, Germany
fon: +49 6421 938300, fax: +49 6421 938390, URL: www.skp.de

From owner-firewalls-outgoing Fri May 2 05:24:58 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id FAA13026 for firewalls-outgoing; Fri, 2 May 1997 05:08:48 -0700 (PDT)
Received: from colorado.cycare.com (noghri.cycare.com [143.112.1.1]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id FAA13019 for ; Fri, 2 May 1997 05:08:43 -0700 (PDT)
Received: from dbqnt3.cycare.com (dbqex1.cycare.com [143.112.1.20]) by colorado.cycare.com with SMTP (8.7.1/8.7.1) id HAA10232 for ; Fri, 2 May 1997 07:08:12 -0500 (CDT)
Received: by dbqnt3.cycare.com with SMTP (Microsoft Exchange Server Internet Mail Connector Version 4.0.994.63) id <01BC56C8.F7C9D9A0@dbqnt3.cycare.com>; Fri, 2 May 1997 07:18:01 -0500
Message-ID:
From: Tod Wiederholt
To: Firewalls
Subject: FW: Need help getting IP traffic through a router.
Date: Fri, 2 May 1997 07:11:00 -0500
X-Mailer: Microsoft Exchange Server Internet Mail Connector Version 4.0.994.63
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Does anyone else out there know of or heard of this technology of running TCP over ICMP? If so, do you know where to obtain the code to provide this functionality?

----------
From: Neil Readwin
To: Tod Wiederholt; jim.jones@gtri.gatech.edu
Subject: RE: Need help getting IP traffic through a router.
Date: Thursday, May 01, 1997 5:18PM

Y'all, no, I do not know of any publicly available source that implements TCP over ICMP. In fact I've never seen it myself, but in the past people who I trust have said that they have seen code that does it.

Regards, Neil.
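Added example (editor's illustration, not code from Tod Wiederholt's or Neil Readwin's messages and not any real tunnelling tool): what "TCP over ICMP" looks like on the wire, and the check a firewall on the path can make against it. The tunnel side packs a whole TCP segment into the data field of an ICMP echo request, which a router that permits ping will pass. The inspection side parses echo packets and drops those whose data exceeds a size cap or parses as a plausible TCP header. Every packet, port, address and the cap itself is constructed for the example; the heuristics are the example's own policy, not any product's.

```python
import struct

# TCP flag bits (RFC 793)
FIN, SYN, RST, ACK = 0x01, 0x02, 0x04, 0x10

# Constructed "ordinary" ping data: 8 zero bytes where a timestamp goes,
# then the incrementing pattern most ping implementations send (56 bytes)
NORMAL_PING = bytes(8) + bytes(range(0x10, 0x40))


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over 16-bit words (ICMP uses it).
    Over a packet whose checksum field is already correct it returns 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_tcp_segment(sport, dport, seq, ack, flags, payload=b""):
    """Constructed 20-byte TCP header (no options) plus payload. The tunnel
    carries the segment opaquely, so the TCP checksum is left at zero here."""
    data_offset = 5 << 4                      # header length in 32-bit words
    hdr = struct.pack("!HHIIBBHHH", sport, dport, seq, ack,
                      data_offset, flags, 8192, 0, 0)
    return hdr + payload


def icmp_echo(ident, seq, payload, request=True):
    """ICMP echo request (type 8) or reply (type 0) with a valid checksum."""
    typ = 8 if request else 0
    hdr = struct.pack("!BBHHH", typ, 0, 0, ident, seq)
    csum = inet_checksum(hdr + payload)
    return struct.pack("!BBHHH", typ, 0, csum, ident, seq) + payload


def encapsulate(tcp_segment, ident=0x1234, seq=1):
    """Tunnel side: the whole TCP segment becomes the echo data field."""
    return icmp_echo(ident, seq, tcp_segment)


def decapsulate(icmp_packet):
    """Tunnel peer: strip the 8-byte ICMP header to recover the segment."""
    return icmp_packet[8:]


def looks_like_tcp_header(data: bytes) -> bool:
    """Heuristic: does this echo data parse as a plausible TCP header?"""
    if len(data) < 20:
        return False
    sport, dport, _seq, _ack, off_res, flags, _win, _csum, _urg = \
        struct.unpack("!HHIIBBHHH", data[:20])
    data_offset = off_res >> 4
    if not 5 <= data_offset <= 15 or len(data) < data_offset * 4:
        return False
    if sport == 0 or dport == 0 or flags == 0:
        return False
    if flags & 0xC0:                          # bits reserved in RFC 793
        return False
    if flags & SYN and flags & (FIN | RST):   # never combined legitimately
        return False
    return True


def inspect_echo(icmp_packet, max_payload=64):
    """Firewall side. Returns (verdict, reason). Policy for this example:
    drop malformed echo packets, echo data above max_payload bytes, and
    echo data that parses as a TCP segment."""
    if len(icmp_packet) < 8:
        return "drop", "truncated ICMP header"
    typ, _code, _csum, _ident, _seq = struct.unpack("!BBHHH", icmp_packet[:8])
    if inet_checksum(icmp_packet) != 0:
        return "drop", "bad ICMP checksum"
    if typ not in (0, 8):
        return "allow", "not an echo packet"
    payload = icmp_packet[8:]
    if len(payload) > max_payload:
        return "drop", "echo payload %d bytes exceeds cap %d" % (len(payload), max_payload)
    if looks_like_tcp_header(payload):
        return "drop", "echo payload parses as a TCP segment"
    return "allow", "echo"


if __name__ == "__main__":
    seg = build_tcp_segment(40000, 80, 1000, 0, SYN)
    tunnelled = encapsulate(seg)
    print("round trip ok:", decapsulate(tunnelled) == seg)
    print("tunnelled SYN:", inspect_echo(tunnelled))
    print("ordinary ping:", inspect_echo(icmp_echo(1, 1, NORMAL_PING)))
```

The heuristic is deliberately cheap and is easy to defeat (a tunnel can XOR or compress the segment before wrapping it), which is why the size cap does most of the work: a tunnel that has to fit every segment into 64 bytes of echo data is slow enough to notice. A router that must permit ping but wants to keep it honest would pair this with a per-host rate limit on echo traffic.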
From owner-firewalls-outgoing Fri May 2 05:48:15 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id FAA13522 for firewalls-outgoing; Fri, 2 May 1997 05:16:09 -0700 (PDT)
Received: from vax01.newman.com (newman.com [152.160.11.1]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id FAA13505 for ; Fri, 2 May 1997 05:15:48 -0700 (PDT)
Received: by vax01.newman.com (UCX V2.0-15) Fri, 2 May 1997 08:17:37 -0400
Received: by bass.unifiedtech.com (SMI-8.6/SMI-SVR4) id IAA28043; Fri, 2 May 1997 08:15:57 -0400
Date: Fri, 2 May 1997 08:15:57 -0400
From: jonesmd@newman (Mike Jones)
Message-Id: <199705021215.IAA28043@bass.unifiedtech.com>
To: swnuck@unixpros.com, mag@bunuel.tii.matav.hu
Subject: Re: CheckPoint vs Others
Cc: firewalls@GreatCircle.COM
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: quoted-printable
Content-MD5: Vd7GKw+llJmpZkXELGaK2Q==
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Magossa'nyi A'rpa'd writes...
> On Thu, 1 May 1997, Stan Wnuck wrote:
> > So I figured I throw out some
> > questions to the dogs to chew away on this idea so
> > that I can remain open-minded. :)
> Let it be.
> > Check Point's product and its direct resellers such
> > as Solstice from SUN are stateful inspection technologies.
> > The only two other technologies that I am aware of are:
> > a. proxy services such as Raptor or Gauntlet
> > b. packet filters
> > #2 Are they as good as state-ful inspection?
> It depends on usage. Someone had pointed out that stateful
> inspection is something with the "what is not denied is allowed"
> approach, and as such it is not appropriate for a firewall. I don't
> know if it is even true, and either lost track of that thread, or
> was no answer.

Actually, when you start up FW-1 to build a ruleset, it supplies you with a "block everything" rule.
If you build exceptions up from that rule, then you're working in the "what is not explicitly allowed is denied" rule. You *can* configure it otherwise, but it's FUD at best and lies at worst for someone to claim that that's the basic approach of the system.

> > #3 Why should I use proxy services or packet filters if
> > I can have stateful inspection?
> If you don't know the details of the protocol, you will fall back to
> packet filtering in stateful inspection.
> I'm not sure if stateful inspection is able to handle if you want
> to handle things in higher levels of the protocol.

That's a good explanation. Things you can't do with stateful inspection include
- URL-level filtering of http transfers
- blocking of other "things" riding on top of http, like Java or ActiveX
- allowing ftp PUT but not GET, or vice versa
- virus scanning

Checkpoint has been adding some of these features into FW-1 by adding proxies, making it sort of a hybrid product. I have mixed feelings about that, actually. I like the stateful inspection approach as a basic firewalling technology, and when possible I like to put my proxies on other hosts, because proxies can often have functions (like caching) that aren't really related to security.

--
Mike Jones Sr.
Technical Advisor UNIFIED Technologies

From owner-firewalls-outgoing Fri May 2 05:54:39 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id FAA15207 for firewalls-outgoing; Fri, 2 May 1997 05:42:13 -0700 (PDT)
Received: from drawbridge.ctc.com (drawbridge.ctc.com [147.160.199.35]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id FAA15183 for ; Fri, 2 May 1997 05:42:04 -0700 (PDT)
Received: by drawbridge.ctc.com (951211.SGI.8.6.12.PATCH1042/951211.SGI) for <@drawbridge.ctc.com:firewalls@GreatCircle.COM> id IAA14965; Fri, 2 May 1997 08:43:49 -0400
Received: from sgi10.ctc.com(147.160.31.8) by drawbridge.ctc.com via smap (V1.3) id sma014955; Fri May 2 08:43:30 1997
Received: from sgi122.ctc.com by sgi10.ctc.com via ESMTP (940816.SGI.8.6.9/940406.SGI.AUTO) for id IAA29728; Fri, 2 May 1997 08:43:45 -0400
Received: by sgi122.ctc.com id IAA12947; Fri, 2 May 1997 08:43:33 -0400
From: "Dominick Glavach"
Message-Id: <9705020843.ZM12945@sgi122.ctc.com>
Date: Fri, 2 May 1997 08:43:32 -0400
X-Mailer: Z-Mail (3.2.2 10apr95 MediaMail)
To: firewalls@GreatCircle.COM
Subject: Need to restrict http://www.nude.com and such
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I know this is slightly off topic but I need some advice or some products that will restrict http access to sites such as www.porn.com. Aside from building an exhaustive list on my proxy what else can I do? Thanks for the help.
--
---------------------------------------------------------------
Dominick Glavach, Unix System Administrator glavach@ctc.com
Concurrent Technologies Corporation 814/269-2469
-NCSA-
---------------------------------------------------------------

From owner-firewalls-outgoing Fri May 2 06:40:07 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id GAA22403 for firewalls-outgoing; Fri, 2 May 1997 06:30:26 -0700 (PDT)
Received: from pandora.gsionline.com ([204.254.209.241]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id GAA22369 for ; Fri, 2 May 1997 06:30:18 -0700 (PDT)
Received: from PETER (PETER [204.254.209.22]) by pandora.gsionline.com (NTMail 3.02.09) with ESMTP id fa127847 for ; Fri, 2 May 1997 09:31:33 -0400
Message-Id: <3.0.1.32.19970502093047.0090c470@peter>
X-Sender: nbk#204.254.209.2@peter
X-Mailer: Windows Eudora Light Version 3.0.1 (32)
Date: Fri, 02 May 1997 09:30:47 -0400
To: "Dominick Glavach"
From: Nick Keenan
Subject: Re: Need to restrict http://www.nude.com and such
Cc: firewalls@GreatCircle.COM
In-Reply-To: <9705020843.ZM12945@sgi122.ctc.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

>I know this is slightly off topic but I have need some advise or some products
>that will restrict http access to sites such as www.porn.com. Aside from
>building an exhaustive list on my proxy what else can I do. Thanks for the
>help.

There was an article in the Wall Street Journal a few days ago about a company in Massachusetts that maintains an exhaustive list, and rents it out to corporate companies. They have a staff that spends its days cruising the web and updating the list. I can't remember the name of the company, but it sounds like the best solution I have heard of to date.
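Added example (editor's illustration, not code from Mike Jones's post, Oliver Lau's post, or any vendor's product): a minimal stateful TCP filter of the kind both posts describe, to make concrete what "what is not explicitly allowed is denied" plus a per-connection state table buys you over a stateless filter. The rule set starts from a block-everything default; only a bare SYN that matches an allow rule may create a connection entry, and every later packet must belong to an entry and fit the state that entry is in. The stateless comparison is the classic "ACK bit set means established" trick, which lets a crafted ACK-only probe straight through. Addresses, ports, the single rule and the traffic are all constructed for the example.

```python
import ipaddress
from dataclasses import dataclass

# TCP flag bits (RFC 793)
FIN, SYN, RST, ACK = 0x01, 0x02, 0x04, 0x10


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: int


@dataclass(frozen=True)
class Rule:
    """Who may *open* a TCP connection to whom, on which port."""
    src_net: str
    dst_net: str
    dport: int


def rule_allows(rules, p):
    src, dst = ipaddress.ip_address(p.src), ipaddress.ip_address(p.dst)
    return any(src in ipaddress.ip_network(r.src_net)
               and dst in ipaddress.ip_network(r.dst_net)
               and p.dport == r.dport for r in rules)


class StatefulFilter:
    """Default-deny TCP filter keyed on a connection table. Only a bare SYN
    matching a rule creates an entry; everything else must belong to an
    entry and fit that entry's state."""

    def __init__(self, rules):
        self.rules = list(rules)
        self.conns = {}   # initiator 4-tuple -> SYN_SENT|SYN_RECV|ESTABLISHED|CLOSING

    def filter(self, p):
        fwd = (p.src, p.sport, p.dst, p.dport)
        rev = (p.dst, p.dport, p.src, p.sport)
        if fwd in self.conns:
            return self._track(fwd, p, "initiator")
        if rev in self.conns:
            return self._track(rev, p, "responder")
        if (p.flags & (SYN | ACK | RST | FIN)) == SYN and rule_allows(self.rules, p):
            self.conns[fwd] = "SYN_SENT"
            return "allow", "new connection permitted by rule"
        return "drop", "no matching connection and no rule (default deny)"

    def _track(self, key, p, side):
        state = self.conns[key]
        if p.flags & RST:
            del self.conns[key]
            return "allow", "RST from %s, entry removed" % side
        if state == "SYN_SENT":
            if side == "initiator" and (p.flags & (SYN | ACK)) == SYN:
                return "allow", "SYN retransmit"
            if side == "responder" and (p.flags & (SYN | ACK)) == (SYN | ACK):
                self.conns[key] = "SYN_RECV"
                return "allow", "SYN/ACK, handshake step 2"
            return "drop", "unexpected %s packet in SYN_SENT" % side
        if state == "SYN_RECV":
            if side == "initiator" and (p.flags & ACK) and not (p.flags & SYN):
                self.conns[key] = "ESTABLISHED"
                return "allow", "handshake complete"
            if side == "responder" and (p.flags & (SYN | ACK)) == (SYN | ACK):
                return "allow", "SYN/ACK retransmit"
            return "drop", "unexpected %s packet in SYN_RECV" % side
        # ESTABLISHED or CLOSING: data and ACKs flow both ways; FINs tear down.
        # Simplification: no TIME_WAIT, so a late ACK after the second FIN is dropped.
        if p.flags & FIN:
            if state == "CLOSING":
                del self.conns[key]
                return "allow", "second FIN, entry removed"
            self.conns[key] = "CLOSING"
            return "allow", "first FIN"
        return "allow", "%s traffic in %s" % (side, state)


def ack_bit_filter(rules, p):
    """Stateless 'established' trick: anything with ACK set is assumed to
    belong to an existing connection and is let through."""
    if p.flags & ACK:
        return "allow", "ACK bit set"
    if (p.flags & SYN) and rule_allows(rules, p):
        return "allow", "SYN permitted by rule"
    return "drop", "default deny"


def run_scenario():
    """Constructed traffic: an inside client opens HTTP to a DMZ web server,
    then an outside host sends an ACK-only probe at an inside NetBIOS port."""
    rules = [Rule("10.1.0.0/16", "192.0.2.0/24", 80)]   # hypothetical policy
    fw = StatefulFilter(rules)
    client, server = ("10.1.5.7", 34567), ("192.0.2.10", 80)
    handshake = [
        Packet(client[0], client[1], server[0], server[1], SYN),
        Packet(server[0], server[1], client[0], client[1], SYN | ACK),
        Packet(client[0], client[1], server[0], server[1], ACK),
    ]
    verdicts = [fw.filter(p)[0] for p in handshake]
    probe = Packet("198.51.100.9", 4444, "10.1.5.7", 139, ACK)
    return {
        "handshake": verdicts,
        "state": fw.conns[client + server],
        "stateful_probe": fw.filter(probe)[0],
        "stateless_probe": ack_bit_filter(rules, probe)[0],
    }


if __name__ == "__main__":
    for name, result in run_scenario().items():
        print(name, result)
```

This is the answer to the "state transitions" question in the thread: the table above is exactly a list of which transitions each side may cause in each state, and anything not listed is dropped. It also shows the limit Mike Jones points to: the filter sees flags and addresses, never the FTP command or the URL, so PUT-versus-GET or URL blocking still needs a proxy.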
From owner-firewalls-outgoing Fri May 2 07:07:49 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id GAA24623 for firewalls-outgoing; Fri, 2 May 1997 06:47:35 -0700 (PDT)
Received: from deere3-bh.dx.deere.com (deere3-bh.dx.deere.com [207.122.201.68]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id GAA24614 for ; Fri, 2 May 1997 06:47:29 -0700 (PDT)
Received: (from uucp@localhost) by deere3-bh.dx.deere.com (8.6.12/8.6.11) id IAA12169 for ; Fri, 2 May 1997 08:45:18 -0500
Received: from 192.43.1.3 by deere3-bh.dx.deere.com via smap (3.2) id xma012096; Fri, 2 May 97 08:45:02 -0500
Received: from 90.deere.com by deere (SMI-8.6/SMI-SVR4) id IAA15631; Fri, 2 May 1997 08:48:22 -0500
Received: from catbert.uu.deere.com by 90.deere.com (SMI-8.6/SMI-SVR4) id IAA12443; Fri, 2 May 1997 08:48:21 -0500
Message-ID: <3369F0D7.1AD9D407@90.deere.com>
Date: Fri, 02 May 1997 08:49:11 -0500
From: Bertrum Carroll
Organization: Deere & Company
X-Mailer: Mozilla 4.0b3 [en] (Win95; I)
MIME-Version: 1.0
To: firewalls@GreatCircle.com
Subject: A DMZ Question
X-Priority: 3 (Normal)
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

In building a redundant DMZ, can I have an NT workstation with two network cards connected to two different switches and still have the same name and IP address? I think I can do this with UNIX but can NT do the same? Got an example or reference?

        -----Switch -----
       -                 -
  R ---- NT ----Firewall ----
       -                 -
        -----Switch -----

I know I'm chasing decimal points when it comes to MTBF but that's the question.
Thanks In Advance

From owner-firewalls-outgoing Fri May 2 07:10:11 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id HAA26743 for firewalls-outgoing; Fri, 2 May 1997 07:06:12 -0700 (PDT)
Received: from bdiwall0.bracco.com (bdiwall0.bracco.com [204.255.10.129]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id HAA26726 for ; Fri, 2 May 1997 07:06:04 -0700 (PDT)
Received: by bdiwall0.bracco.com; id KAA06909; Fri, 2 May 1997 10:06:35 -0400
Received: from unknown(204.255.10.36) by bdiwall0.bracco.com via smap (V3.1.1) id xma006906; Fri, 2 May 97 10:06:09 -0400
Received: from ccMail by bdigate0.bracco.com (IMA Internet Exchange 1.04b) id 369f3a90; Fri, 2 May 97 10:01:13 -0400
Mime-Version: 1.0
Date: Fri, 2 May 1997 10:07:11 -0400
Message-ID: <369f3a90@bracco.com>
From: mcruz@bracco.com (Michael Cruz)
Subject: Re[2]: Need to restrict http://www.nude.com and such
To: glavach@ctc.com, Nick Keenan
Cc: firewalls@GreatCircle.COM
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Content-Description: cc:Mail note part
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Sounds like a great job. Surf for porn and get paid! What's the name of that company? I know a few guys that want to apply! :-)

mike

______________________________ Reply Separator _________________________________
Subject: Re: Need to restrict http://www.nude.com and such
Author: Nick Keenan at *Internet*
Date: 5/2/97 9:30 AM

>I know this is slightly off topic but I have need some advise or some products
>that will restrict http access to sites such as www.porn.com. Aside from
>building an exhaustive list on my proxy what else can I do. Thanks for the
>help.

There was an article in the wall street journal a few days ago about a company in massachusetts that maintains an exhaustive list, and rents it out to corporate companies. They have a staff that spends its days cruising the web and updating the list.
I can't remember the name of the company, but it sounds like the best solution I have heard of to date.

From owner-firewalls-outgoing Fri May 2 07:25:06 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id GAA21746 for firewalls-outgoing; Fri, 2 May 1997 06:26:26 -0700 (PDT)
Received: from mail.vitro.com (gatekeeper.vitro.com [149.32.254.1]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id GAA21693 for ; Fri, 2 May 1997 06:26:10 -0700 (PDT)
From: Don_Tompkins@esd.tracor.com
Received: by mail.vitro.com (5.65/DEC-Ultrix/4.3) id AA25779; Fri, 2 May 1997 09:27:23 -0400
Received: from esd.vitro.com(131.189.79.30) by gatekeeper.vitro.com via smap (V1.3) id sma025777; Fri May 02 09:27:14 1997 EDT
Received: from ccMail by esd.tracor.com (IMA Internet Exchange 2.1 Enterprise) id 00001587; Fri, 2 May 97 09:29:41 -0400
Mime-Version: 1.0
Date: Fri, 2 May 1997 09:28:21 -0400
Message-Id: <00001587.1688@esd.tracor.com>
Subject: Re[2]: Your website's "Findability" -- Search Engine Help
To: Planet_Ocean@profitmaster.com, Warpy
Cc: firewalls@GreatCircle.COM
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Content-Description: cc:Mail note part
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Amen. Maybe we clever security types could invent a dirty word search to deny the unwanted advertisement in the first place. Unfortunately (or maybe fortunately) free speech also includes unwanted speech. I have similar reactions to the junk that violates my snail mail box, but to date the only solution has been the trash can.

______________________________ Reply Separator _________________________________
Subject: Re: Your website's "Findability" -- Search Engine Help
Author: Warpy at ESD
Date: 5/1/97 3:16 PM

Is it just me or does everyone get ticked off about these emails that say reply to make sure you DON'T get any further emails from us. Grrrrr...
Warpy
---------------------------------------------------
A great hack is accomplished before it has begun...
(paraphrased from Sun Tzu)
-[warpy@null.net]- http://castle.dyn.ml.org/~warpy
---------------------------------------------------

From owner-firewalls-outgoing Fri May 2 07:25:21 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id HAA27990 for firewalls-outgoing; Fri, 2 May 1997 07:13:20 -0700 (PDT)
Received: from ns1.capgem.com (ns1.capgem.com [204.153.60.254]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id HAA27900 for ; Fri, 2 May 1997 07:13:02 -0700 (PDT)
Received: from dalex01.capgemini.com by ns1.capgem.com (5.x/SMI-SVR4) id AA04377; Fri, 2 May 1997 09:25:44 -0500
Received: by dalex01.capgemini.com with Internet Mail Service (5.0.1457.3) id ; Fri, 2 May 1997 09:16:23 -0500
Message-Id: <2132495A1094D011874400609730779104F779@dalnt032.capgemini.com>
From: "Webb, Dean"
To: Firewalls@GreatCircle.COM
Subject: Firewall gone freaky
Date: Fri, 2 May 1997 09:17:03 -0500
X-Priority: 3
Mime-Version: 1.0
X-Mailer: Internet Mail Service (5.0.1457.3)
Content-Type: text/plain
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I used to think all the messages sent to this list were made up until something interesting happened to me...

All was well until Sunday morning at 6:11:11 AM, CST. That was the last piece of email we received from our Internet connection out east. It was from mailer-daemon at our_domain.com. (No, I did not get a chance to see it. Sorry.) After that, the BorderGuard firewall discarded all SMTP traffic heading to and from our network. The firewall is on a different network in a sister company. I'm here in the south and I could not monitor the firewall remotely. After noticing on Tuesday that I hadn't gotten ANY mail from the Internet since Sunday morn, I tracked things down to our sister company's firewall and got hold of a guy who could read the logs.
He saw tons of traffic -much of it bound for and coming from my machine- being denied and discarded due to "Rule 57." Besides being ticked off that I couldn't send or receive my Internet mail, tons of other folks started bugging me about where their mission-critical email was. We were able to route the email through a different firewall closer to this site (which, although part of our company, has a different network address from the rest of the organization... hey, I didn't build this network, so don't get on my case about it...).

Now that I'm getting Internet mail again, I got a few questions. The BorderGuard was installed out-of-the-box, configured only with our TCP/IP info. No rules regarding traffic were added or modified by any of us in either company since it was first set up. It was running fine until this last Sunday. What happened? Why did "rule 57" decide to go rogue on us? How can we look it up and modify it? Apparently, there is no command-line interface in BG, so how does one edit individual rules? (Or should one?)

(BTW, I would *love* to RTFM, but it's roughly 1500 miles away and the sister company ain't letting it out of their sight or site. Any online BG info on usage, config, and t-shooting would be appreciated.)

Any comments or requests for further information, public, private, or otherwise are fine with me, so long as they aren't sick, insane, illegal, dangerous, or obscene.

Live free or die,
Dean Webb

Voltaire (1694-1778): "I may disagree with what you have to say, but I shall defend, to the death, your right to say it."
From owner-firewalls-outgoing Fri May 2 07:40:20 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id HAA00125 for firewalls-outgoing; Fri, 2 May 1997 07:26:22 -0700 (PDT)
Received: from c2smtp.ontech.co.uk (c2smtp.ontech.co.uk [194.6.124.133]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id HAA29916 for ; Fri, 2 May 1997 07:25:52 -0700 (PDT)
Received: from Connect2 Message Router by c2smtp.ontech.co.uk via Connect2-SMTP 4.01.b35B; Fri, 2 May 1997 15:27:44 +0100
Message-ID: <20216A3301450200@c2smtp.ontech.co.uk>
Date: Fri, 2 May 1997 15:27:00 +0100
From: Geoff Malvisi
Organization: ON Technology UK
To: firewalls@greatcircle.com
Subject: Re: CheckPoint vs Others
MIME-Version: 1.0
Content-type: text/plain; charset="US-ASCII"
Content-transfer-encoding: 7BIT
X-Mailer: Connect2-SMTP 4.01.b35B MHS to SMTP Gateway
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

======== Original Message ========

Magossa'nyi A'rpa'd writes...
> On Thu, 1 May 1997, Stan Wnuck wrote:
> > So I figured I throw out some
> > questions to the dogs to chew away on this idea so
> > that I can remain open-minded. :)
> Let it be.
> > Check Point's product and its direct resellers such
> > as Solstice from SUN are stateful inspection technologies.
> > The only two other technologies that I am aware of are:
> > a. proxy services such as Raptor or Gauntlet
> > b. packet filters
> > #2 Are they as good as state-ful inspection?
> It depends on usage. Someone had pointed out that stateful
> inspection is something with the "what is not denied is allowed"
> approach, and as such it is not appropriate for a firewall. I don't
> know if it is even true, and either lost track of that thread, or
> was no answer.

Actually, when you start up FW-1 to build a ruleset, it supplies you with a "block everything" rule. If you build exceptions up from that rule, then you're working in the "what is not explicitly allowed is denied" rule.
You *can* configure it otherwise, but it's FUD at best and lies at worst for someone to claim that that's the basic approach of the system.

> > #3 Why should I use proxy services or packet filters if
> > I can have stateful inspection?
> If you don't know the details of the protocol, you will fall back to
> packet filtering in stateful inspection.
> I'm not sure if stateful inspection is able to handle if you want
> to handle things in higher levels of the protocol.

That's a good explanation. Things you can't do with stateful inspection include
- URL-level filtering of http transfers
- blocking of other "things" riding on top of http, like Java or ActiveX
- allowing ftp PUT but not GET, or vice versa
- virus scanning

Checkpoint has been adding some of these features into FW-1 by adding proxies, making it sort of a hybrid product. I have mixed feelings about that, actually. I like the stateful inspection approach as a basic firewalling technology, and when possible I like to put my proxies on other hosts, because proxies can often have functions (like caching) that aren't really related to security.

--
Mike Jones
Sr. Technical Advisor
UNIFIED Technologies

======== Fwd by: Geoff Malvisi ========

The ON Guard firewall from ON Technology uses stateful inspection (all that is not explicitly allowed is denied) and offers URL and Java blocking.

http://www.on.com

I work for ON Technology, so I apologise in advance if I offend anyone who does not appreciate information from vendors.
Have a great day

From owner-firewalls-outgoing Fri May 2 07:55:14 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id HAA04506 for firewalls-outgoing; Fri, 2 May 1997 07:52:58 -0700 (PDT)
Received: from Xenon.Stanford.EDU (Xenon.Stanford.EDU [171.64.64.24]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id HAA04488 for ; Fri, 2 May 1997 07:52:52 -0700 (PDT)
Received: (from dechon@localhost) by Xenon.Stanford.EDU (8.8.4/8.8.4) id HAA10734; Fri, 2 May 1997 07:53:44 -0700 (PDT)
From: "Marc D. Jackson"
Message-Id: <199705021453.HAA10734@Xenon.Stanford.EDU>
Subject: Re: [FW1] [FW-1] [Solaris 2.6] DHCP, VLSM thoughts
To: Jerald.Josephs@Ebay.Sun.COM (Jerald Josephs)
Date: Fri, 2 May 1997 07:53:43 -0700 (PDT)
Cc: firewalls@GreatCircle.COM, fw-1-mailinglist@us.checkpoint.com, drexx@pspi.com.ph
In-Reply-To: <199705020658.XAA05530@althea.EBay.Sun.COM> from "Jerald Josephs" at May 1, 97 11:58:42 pm
X-Mailer: ELM [version 2.4 PL25]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Jerald Josephs writes:
>
> >
> > Anyway, when Solaris 2.6 comes out soon, I believe it will include DHCP
> > and Variable-Length Subnet Masking (VLSM) support.

Having just purchased this from Sun and having just spoken with their rep, I think you may be in error re: VLSM.

> > 2] How will VLSM make firewalling administration any easier/better ?
> >
> No, but it will make it easier to subnet your intranet without
> losing precious IP addresses to a subnet without enough
> hosts to use all of the addresses.

? I don't understand this last sentence. My exposure to VLSM indicates that it has nothing to do with subnetting your intranet. I ran into this problem when trying to route with rip. Specifically, Sun's implementation of the routing socket interface is not the industry standard.
In other words, when you use a Sun machine as a multi-homed host with subnetted networks the rip updates are incorrect. The routers that we used had no problems at all in dealing with the subnetted networks, therefore while we were able to subnet our intranet we had problems with using Suns as any type of router.

mj

From owner-firewalls-outgoing Fri May 2 08:10:00 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id HAA02940 for firewalls-outgoing; Fri, 2 May 1997 07:43:14 -0700 (PDT)
Received: from diablo.cisco.com (diablo.cisco.com [171.68.223.106]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id HAA02933 for ; Fri, 2 May 1997 07:43:08 -0700 (PDT)
Received: from clonvick-pc.cisco.com ([171.68.41.80]) by diablo.cisco.com (8.8.5/CISCO.SERVER.1.2) with SMTP id HAA22964; Fri, 2 May 1997 07:44:47 -0700 (PDT)
Message-Id: <2.2.32.19970502144128.006f61d4@diablo.cisco.com>
X-Sender: clonvick@diablo.cisco.com
X-Mailer: Windows Eudora Pro Version 2.2 (32)
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Fri, 02 May 1997 09:41:28 -0500
To: "Dominick Glavach" , firewalls@GreatCircle.COM
From: Chris Lonvick
Subject: Re: Need to restrict http://www.nude.com and such
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hello Dominick,

I assume that your company policy is to prevent your people from getting/displaying/looking-at "dirty pictures" while on company time and/or while using company equipment. From your question, I see that you're looking for ways to enforce your policy. As far as I know, there are two general methods of enforcing your policy.
- making the consequences of failure to comply with the policy a very high cost (like termination)
- finding ways to make it difficult for your users to violate the policy

Exclusively going down path #2 effectively tells your people that it's OK to continue trying to find the "dirty pictures", and that you're going to be in a very reactive mode to try to keep one step ahead of them - usually doesn't work. I've also seen some of these solutions not work exactly as planned. I can't remember the product now, but if the keyword was in the URL, then you couldn't retrieve it. As an example, people looking for sextants could not access any pages with that name in it because it contained the keyword "sex". This concept will probably not work well in specific industries, anyway. I'm sure that doctors in hospitals _should_ be allowed to look for information on "sexually transmitted diseases".

I've seen some companies exclusively use path #1. This has been VERY successful for some of them... well, after the first dozen or so were fired for violating the policy. If you can get this accepted at high levels, then you'll need to review your logs and report any failures to comply. This is much easier on yourself than trying to keep up with the hundreds of new sites added daily. Your company may decide that this is a much more effective use of your time as well. When you're writing your policy, keep in mind that accidents do happen; people will click on URLs not knowing what will be delivered - but not 247 times in a row.

In any event, there are some companies that maintain "lists" of URLs. You should find out their criteria for placing them on their lists before you apply them to your company. Here are two that I know of, I'm sure there are more.
Surfwatch at http://www.surfwatch.com/
NetNanny at http://www.netnanny.com/netnanny/home.html

Hope this helps,
Chris Lonvick
Cisco Systems Consulting Engineering
Houston, TX, USA
+1.713.778.5663

At 08:43 AM 5/2/97 -0400, Dominick Glavach wrote:
>I know this is slightly off topic but I have need some advise or some products
>that will restrict http access to sites such as www.porn.com. Aside from
>building an exhaustive list on my proxy what else can I do. Thanks for the
>help.
>
>
>--
>
>---------------------------------------------------------------
>Dominick Glavach, Unix System Administrator glavach@ctc.com
>Concurrent Technologies Corporation 814/269-2469
> -NCSA-
>---------------------------------------------------------------
>
>

From owner-firewalls-outgoing Fri May 2 08:24:36 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id IAA08853 for firewalls-outgoing; Fri, 2 May 1997 08:15:38 -0700 (PDT)
Received: from matav.hu (firewall.matav.hu [145.236.225.161]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id IAA08766 for ; Fri, 2 May 1997 08:15:08 -0700 (PDT)
Received: from tiivs7.tii.matav.hu ([145.236.48.148]) by firewall.matav.hu with SMTP id <55554-1>; Fri, 2 May 1997 17:14:22 +0100
Received: from Bunuel.tii.matav.hu by tiivs7.tii.matav.hu (MX V4.1 VAX) with SMTP; Fri, 02 May 1997 17:16:27 MET
Received: from localhost by Bunuel.tii.matav.hu with smtp id m0wNK8C-002QmKC (Debian Smail-3.2 1996-Jul-4 #2); Fri, 2 May 1997 17:20:20 +0200 (MET DST)
Date: Fri, 2 May 1997 16:20:20 +0100
From: "Magossa'nyi A'rpa'd"
To: Mike Jones
CC: swnuck@unixpros.com, firewalls@GreatCircle.COM
Subject: stateful inspection (was: CheckPoint vs Others)
In-Reply-To: <199705021215.IAA28043@bass.unifiedtech.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=ISO-8859-2
Content-Transfer-Encoding: QUOTED-PRINTABLE
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Fri, 2 May 1997, Mike Jones wrote:
> > It
> > depends on usage. Someone had pointed out that stateful
> > inspection is something with the "what is not denied is allowed"
> > approach, and as such it is not appropriate for a firewall. I don't
> > know if it is even true, and either lost track of that thread, or
> > was no answer.
>
> Actually, when you start up FW-1 to build a ruleset, it supplies you with
> a "block everything" rule. If you build exceptions up from that rule,
> then you're working in the "what is not explicitly allowed is denied"
> rule. You *can* configure it otherwise, but it's FUD at best and lies at
> worst for someone to claim that that's the basic approach of the system.

Do you mean you can explicitly define in every protocol which states/state transitions are allowed and which not?

---
GNU GPL: csak tiszta forrásból (only from a clean source)

From owner-firewalls-outgoing Fri May 2 08:39:35 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id IAA12804 for firewalls-outgoing; Fri, 2 May 1997 08:33:11 -0700 (PDT)
Received: from cerberus2.fon.sprintcorp.com (cerberus2.fon.sprintcorp.com [204.215.0.61]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id IAA12620 for ; Fri, 2 May 1997 08:32:22 -0700 (PDT)
From: BLeBlanc@igate.sprint.com
Received: by cerberus2.fon.sprintcorp.com; id KAA11029; Fri, 2 May 1997 10:33:52 -0500 (CDT)
Received: from fonkc28.fon.sprintcorp.com(144.223.19.54) by cerberus2.fon.sprintcorp.com via smap (3.2) id xma011008; Fri, 2 May 97 10:33:45 -0500
Received: FROM FONIMAIL.fonkc28.fon.sprintcorp.com BY fonkc28.fon.sprintcorp.com ; 2 MAY 97 10:33:43 CDT
Date: 2 MAY 97 10:20:19 CDT
Subject: RE: Need to restrict http://www.nude.com and such
To: firewalls@greatcircle.com
Message-ID: <0007jjzjtpxd.H000012201e0bc53@igate.sprint.com>
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

There are several products that perform this function. Each has pros/cons, and different features.
The ones I know of are: CyberSitter, NetNanny, SurfWatch, The Internet Filter, and CyberPatrol. Typically they block content that can be separated into either graphics or text, and can filter on: Violence, Profanity, Full/Partial Nudity, Cult, Drugs, etc.

It's not that off-topic since firewall vendors have started including this type of service as an optional feature into their products.

Regards,
*****************************************************************
Bob LeBlanc, Product Manager, Sprint IP Security
bleblanc@igate.sprint.com
>>USUAL DISCLAIMERS APPLY <<
The views expressed are purely my own, blah blah blah
*****************************************************************

______________________________ Reply Separator _________________________________
Subject: Re: Need to restrict http://www.nude.com and such
Author: Nick Keenan at *Internet*
Date: 5/2/97 9:30 AM

>I know this is slightly off topic but I have need some advise or some products
>that will restrict http access to sites such as www.porn.com. Aside from
>building an exhaustive list on my proxy what else can I do. Thanks for the
>help.

From owner-firewalls-outgoing Fri May 2 09:11:34 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id IAA14816 for firewalls-outgoing; Fri, 2 May 1997 08:43:46 -0700 (PDT)
Received: from bigdipper.iagi.net (bigdipper.iagi.net [207.32.101.100]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id IAA14766 for ; Fri, 2 May 1997 08:43:34 -0700 (PDT)
Received: from localhost (daveyb@localhost) by bigdipper.iagi.net (8.8.3/8.6.9) with SMTP id LAA00962; Fri, 2 May 1997 11:45:04 -0400 (EDT)
Date: Fri, 2 May 1997 11:45:04 -0400 (EDT)
From: "David A.
Baldwin" To: Michael Cruz cc: glavach@ctc.com, Nick Keenan , firewalls@GreatCircle.COM Subject: Re: Re[2]: Need to restrict http://www.nude.com and such In-Reply-To: <369f3a90@bracco.com> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Raptor works with a company called Microsystems Software, Inc. to include functionality for a product called CyberNOT in their firewall product. This product is essentially a list of URLs split into categories such as Full Nudity and Partial Nudity and Violence, etc... I am certain that you could incorporate this into any WWW proxy that you may be using.

David Baldwin

On Fri, 2 May 1997, Michael Cruz wrote:
> Sounds like a great job. Surf for porn and get paid! What's the name
> of that company? I know a few guys that want to apply! :-)
>
> mike
>
> ______________________________ Reply Separator _________________________________
> Subject: Re: Need to restrict http://www.nude.com and such
> Author: Nick Keenan at *Internet*
> Date: 5/2/97 9:30 AM
>
> >I know this is slightly off topic but I need some advice or some
> products
> >that will restrict http access to sites such as www.porn.com. Aside from
> >building an exhaustive list on my proxy what else can I do. Thanks for the
> >help.
>
> There was an article in the Wall Street Journal a few days ago about a
> company in Massachusetts that maintains an exhaustive list, and rents it
> out to corporate companies. They have a staff that spends its days
> cruising the web and updating the list. I can't remember the name of the
> company, but it sounds like the best solution I have heard of to date.
>

From owner-firewalls-outgoing Fri May 2 09:20:55 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id IAA16673 for firewalls-outgoing; Fri, 2 May 1997 08:56:21 -0700 (PDT) Received: from yakko.chicks.net (yakko.chicks.net [205.166.143.1]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id IAA16659 for ; Fri, 2 May 1997 08:56:14 -0700 (PDT) Received: from localhost (chicks@localhost) by yakko.chicks.net (8.7.4/8.7.3) with SMTP id LAA07420; Fri, 2 May 1997 11:57:52 -0400 X-Authentication-Warning: yakko.chicks.net: chicks owned process doing -bs Date: Fri, 2 May 1997 11:57:52 -0400 (EDT) From: Christopher Hicks To: Nick Keenan cc: Dominick Glavach , firewalls@GreatCircle.COM Subject: Re: Need to restrict http://www.nude.com and such In-Reply-To: <3.0.1.32.19970502093047.0090c470@peter> Message-ID: Organization: Flamingo Internet Navigators MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

On Fri, 2 May 1997, Nick Keenan wrote:
> > I know this is slightly off topic but I need some advice or some
> > products that will restrict http access to sites such as www.porn.com.
> > Aside from building an exhaustive list on my proxy what else can I do.
>
> There was an article in the Wall Street Journal a few days ago about a
> company in Massachusetts that maintains an exhaustive list, and rents it
> out to corporate companies. They have a staff that spends its days
> cruising the web and updating the list. I can't remember the name of the
> company, but it sounds like the best solution I have heard of to date.

That really isn't a solution to the problem, though. Some sites contain good and bad stuff. Some sites are pirated into containing bad stuff. Sites come and go like wildfire.

A couple of companies actually do content-oriented restrictions. They analyze, using "super secret algorithms", whether or not the content is allowed.
The basic idea is that certain words and combinations of words can, with some context, make a site rate as unviewable. No lists to maintain.

Pornography isn't the only thing corporations have to worry about, though. Playing Java Tetris, sitting in chat rooms, etc. are all things corporations and governments will ultimately want to prohibit. It becomes obvious quickly that lists are not practical. The only list that might be practical is an "allowed" list. And given site-piracy that would still let some smut through.

Those who cannot remember the past are doomed to buy Microsoft products.

From owner-firewalls-outgoing Fri May 2 09:25:38 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id IAA12665 for firewalls-outgoing; Fri, 2 May 1997 08:32:37 -0700 (PDT) Received: from brussels.cisco.com (brussels.cisco.com [171.68.129.238]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id IAA12593 for ; Fri, 2 May 1997 08:32:14 -0700 (PDT) Received: from cons-evyncke.cisco.com (brussels-ppp4.cisco.com [171.68.146.25]) by brussels.cisco.com (8.8.5/8.8.5) with SMTP id RAA20221; Fri, 2 May 1997 17:32:03 +0200 (METDST) Message-Id: <2.2.32.19970502173052.006af53c@brussels.cisco.com> X-Sender: evyncke@brussels.cisco.com X-Mailer: Windows Eudora Pro Version 2.2 (32) Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Date: Fri, 02 May 1997 17:30:52 +0000 To: newman!jonesmd@uunet.uu.net (Mike Jones), swnuck@unixpros.com, mag@bunuel.tii.matav.hu From: Eric Vyncke Subject: Re: CheckPoint vs Others Cc: firewalls@GreatCircle.COM Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

At 08:15 2/05/97 -0400, Mike Jones wrote:
>Magossa'nyi A'rpa'd writes...
>> On Thu, 1 May 1997, Stan Wnuck wrote:
>> > So I figured I throw out some
>> > questions to the dogs to chew away on this idea so
>> > that I can remain open-minded. :)
>> > #3 Why should I use proxy services or packet filters if
>> > I can have stateful inspection?
>> If you don't know the details of the protocol, you will fall back to
>> packet filtering in stateful inspection.
>> I'm not sure if stateful inspection is able to handle if you want
>> to handle things in higher levels of the protocol.
>
>That's a good explanation. Things you can't do with stateful inspection
>include
> - URL-level filtering of http transfers
> - blocking of other "things" riding on top of http, like Java or ActiveX
> - allowing ftp PUT but not GET, or vice versa
> - virus scanning

I guess that at least Checkpoint and Cisco PIX for sure (see my affiliation ! :-) ) can do more than just stateful inspection at layers 3 and 4. They can also check at layer 7: thus allowing special tricks like NAT (Network Address Translation), JAVA applet blocking, possibly filtering by URL. As usual, such a firewall is built to process packets in a FAST way, so they refrain from looking into all TCP payloads and inspect only the very first ones. This is not a design flaw but rather a design choice: performance against granularity of control.

>Checkpoint has been adding some of these features into FW-1 by adding
>proxies, making it sort of a hybrid product. I have mixed feelings about
>that, actually. I like the stateful inspection approach as a basic firewalling
>technology, and when possible I like to put my proxies on other hosts,
>because proxies can often have functions (like caching) that aren't really
>related to security.

Web caching is more a performance problem than a security one :-) So, you can add a Web cache along a stateful inspection filter to get the best of both worlds.

Eric

>
>--
> Mike Jones
> Sr. Technical Advisor
> UNIFIED Technologies
>

Eric Vyncke                           Internet, security consultant
Cisco Systems Belgium SA/NV
                            /------------------------------------\
Phone:  +32-2-778.4677      |           Networks bring           |
Fax:    +32-2-778.4300      |               people               |
E-mail: evyncke@cisco.com   |             together...
| Mobile: +32-75-312.458    \------------------------------------/

From owner-firewalls-outgoing Fri May 2 10:11:02 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id JAA24516 for firewalls-outgoing; Fri, 2 May 1997 09:45:22 -0700 (PDT) Received: from miles.greatcircle.com (miles.greatcircle.com [198.102.244.34]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id JAA24467 for ; Fri, 2 May 1997 09:45:08 -0700 (PDT) Received: from sunat.gob.pe ([161.132.37.4]) by miles.greatcircle.com (8.8.5/Miles-970308-2) with ESMTP id JAA24924 for ; Fri, 2 May 1997 09:48:20 -0700 (PDT) Received: from lima.sunat.gob.pe ([150.200.100.51]) by firesun.sunat.gob.pe with SMTP id <32261-1>; Fri, 2 May 1997 11:46:23 -0500 Received: by lima.sunat.gob.pe with SMTP (Microsoft Exchange Server Internet Mail Connector Version 4.0.995.52) id <01BC56EE.1C6C3530@lima.sunat.gob.pe>; Fri, 2 May 1997 11:43:53 -0500 Message-ID: From: "Carlos Tay Damaso (Req San Isidro)" To: "'firewalls@GreatCircle.COM'" Subject: RV: PROBLEM.... Date: Fri, 2 May 1997 12:06:43 -0500 X-Mailer: Microsoft Exchange Server Internet Mail Connector Version 4.0.995.52 MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

>----------
>From: Carlos Tay Damaso
>Sent: Thursday, April 24, 1997 0:35 AM
>To: 'firewalls@GreatCircle.COM'
>Subject: PROBLEM....
>Importance: High
>
>I have a Borderware Firewall Release 4.01
>The problem is:
>In my LAN I have a default router (3com Netbuilder II), to which hosts point
>all traffic, and in the same segment of the LAN I have my Firewall.
>My hosts normally reach internal networks through my default router, and
>reach the INTERNET through the Firewall. If the path between the default router
>and the internal network is disrupted, the routes in my hosts (UNIX, NT) change
>to the firewall, and then in a few minutes the firewall hangs up.
>
>Please help me...
>
>send me your solution to : dcarlos@sunat.gob.pe
>Thanks...
>

From owner-firewalls-outgoing Fri May 2 10:24:46 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id JAA24086 for firewalls-outgoing; Fri, 2 May 1997 09:42:49 -0700 (PDT) Received: from pegase.total.fr (pegase.total.fr [146.249.152.2]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id JAA23990 for ; Fri, 2 May 1997 09:42:25 -0700 (PDT) Received: from tidtest.total.fr (tidtest.total.fr [146.249.165.73]) by pegase.total.fr (8.6.8/8.6.6) with SMTP id SAA11354 for ; Fri, 2 May 1997 18:44:51 +0200 Received: by tidtest.total.fr (4.1/SMI-4.1) id AA00977; Fri, 2 May 97 18:46:50 +0200 Message-Id: <9705021646.AA00977@tidtest.total.fr> To: firewalls@greatcircle.com Subject: Multiple Internet connections and multiple DMZs X-Cuse: "The dog ate my network" Date: Fri, 02 May 1997 18:46:49 +0100 From: Michel Lavondes Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Hi,

I'm toying with the idea of having multiple Internet connections, each with its own firewall and DMZ, and I'm wondering whether anyone else has done this already, and what services are worth replicating or distributing across DMZs.

Some background:
- There would be a half-dozen Internet connections, spread across the world. Each would have its own firewall and DMZ, and would be connected to a local network.
- Local networks are connected to CHQ through 64-256K links.
- Likely candidates for distribution are incoming mail (proxied), outgoing mail (proxied), incoming news (proxied or tunneled), outgoing news (proxied or tunneled), access to outside WEB servers (proxied) and outside access to a public WEB server (located in the DMZ).

I'm looking for info on what (if any) services are worth the effort, and what the initial configuration and maintenance would require.
advTHANKSance

Michel Lavondes (lavondes@tidtest.total.fr), speaking only for himself

Lord, grant me :
- the serenity to accept the things I cannot change
- the courage to change the things I can
- the wisdom to hide the bodies of those I had to kill because they pissed me off
-- Author unknown

From owner-firewalls-outgoing Fri May 2 11:10:01 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id LAA04886 for firewalls-outgoing; Fri, 2 May 1997 11:02:27 -0700 (PDT) Received: from vax01.newman.com (newman.com [152.160.11.1]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id LAA04861 for ; Fri, 2 May 1997 11:02:08 -0700 (PDT) Received: by vax01.newman.com (UCX V2.0-15) Fri, 2 May 1997 14:04:05 -0400 Received: by bass.unifiedtech.com (SMI-8.6/SMI-SVR4) id OAA28142; Fri, 2 May 1997 14:02:16 -0400 Date: Fri, 2 May 1997 14:02:16 -0400 From: jonesmd@newman (Mike Jones) Message-Id: <199705021802.OAA28142@bass.unifiedtech.com> To: mag@bunuel.tii.matav.hu Subject: Re: stateful inspection (was: CheckPoint vs Others) Cc: swnuck@unixpros.com, firewalls@GreatCircle.COM Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: quoted-printable Content-MD5: Ig8I/RtguScpg4etWszomQ== Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Magossa'nyi A'rpa'd writes...
> On Fri, 2 May 1997, Mike Jones wrote:
> > > It depends on usage. Someone had pointed out that stateful
> > > inspection is something with the "what is not denied is allowed"
> > > approach, and as such it is not appropriate for a firewall. I don't
> > > know if it is even true, and either lost track of that thread, or
> > > was no answer.
> > Actually, when you start up FW-1 to build a ruleset, it supplies you with
> > a "block everything" rule. If you build exceptions up from that rule,
> > then you're working in the "what is not explicitly allowed is denied"
> > rule.
> > You *can* configure it otherwise, but it's FUD at best and lies at
> > worst for someone to claim that that's the basic approach of the system.
> Do you mean you can explicitly define in every protocol which states/state
> transitions are allowed and which not?

In at least a limited sense, yes. I'm not completely clear on what you mean by "state transitions". FireWall-1 deals with network objects and protocols, where a network object may be
- a host
- a network
- a group of hosts and/or networks

The rules are of the form and identify what action should be taken upon encountering traffic of the specified protocol between the specified source and destination objects. The action may be allow, drop, or authenticate.

--
Mike Jones
Sr. Technical Advisor
UNIFIED Technologies

From owner-firewalls-outgoing Fri May 2 11:47:28 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id KAA02558 for firewalls-outgoing; Fri, 2 May 1997 10:40:54 -0700 (PDT) Received: from lehman.Lehman.COM (lehman.Lehman.COM [192.147.66.1]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id KAA02484 for ; Fri, 2 May 1997 10:40:28 -0700 (PDT) From: carson@lehman.com Received: (from smap@localhost) by lehman.Lehman.COM (8.7.5/8.6.12) id NAA02203; Fri, 2 May 1997 13:41:50 -0400 (EDT) Received: from unknown(146.127.39.20) by lehman via smap (V1.3) id tmp002197; Fri May 2 13:41:22 1997 Received: from kublai.lehman.com by relay.lehman.com (4.1/LB-0.6) id AA18278; Fri, 2 May 97 13:41:20 EDT Received: from dragon.lehman.com by kublai.lehman.com (4.1/Lehman Bros. V1.6) id AA17920; Fri, 2 May 97 13:41:10 EDT Received: by dragon.lehman.com (SMI-8.6/Lehman Bros. V1.5) id NAA02682; Fri, 2 May 1997 13:41:09 -0400 Date: Fri, 2 May 1997 13:41:09 -0400 Message-Id: <199705021741.NAA02682@dragon.lehman.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit To: "Marc D.
Jackson" Cc: Jerald.Josephs@Ebay.Sun.COM (Jerald Josephs), firewalls@GreatCircle.COM, fw-1-mailinglist@us.checkpoint.com, drexx@pspi.com.ph Subject: Re: [FW1] [FW-1] [Solaris 2.6] DHCP, VLSM thoughts In-Reply-To: <199705021453.HAA10734@Xenon.Stanford.EDU> References: <199705020658.XAA05530@althea.EBay.Sun.COM> <199705021453.HAA10734@Xenon.Stanford.EDU> X-Mailer: VM 6.27 under 20.1 XEmacs Lucid (beta8) Reply-To: carson@lehman.com Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Having received 2.6 beta refresh, I can state with certainty that Solaris 2.6 _does_ have VLSM support. And DHCP support. And a berkeley 4.4 routing socket. And NTP. And.... Who-ho!

--
-- Carson Gaspar -- carson@cs.columbia.edu carson@lehman.com
http://www.cs.columbia.edu/~carson/home.html

From owner-firewalls-outgoing Fri May 2 12:05:52 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id KAA03220 for firewalls-outgoing; Fri, 2 May 1997 10:45:54 -0700 (PDT) Received: from mail.rc.on.ca ([207.176.151.2]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id KAA03203 for ; Fri, 2 May 1997 10:45:35 -0700 (PDT) Received: by mail.rc.on.ca with Internet Mail Service (5.0.1458.11) id ; Fri, 2 May 1997 13:46:50 -0400 Message-ID: From: Russ To: "'Firewalls Mailing List'" Subject: Inbound/Outbound roles of Firewalls Date: Fri, 2 May 1997 13:46:47 -0400 X-Priority: 3 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.0.1458.11) Content-Type: text/plain Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Here's a question for you all.
                 ~~~~~~~~        +------------+
                {        }       |            |
               { Internet }<---->+ Firewall-1 +<-----------+
                {        }       |     B      |            |
                 ~~~~~~~~        +-----+------+            v
                                       ^              ~~~~~~~~~~~
                                       |             { Corporate }
                                       |             {           }
                                       |             {    LAN    }
                                       v              ~~~~~~~~~~~
   ~~~~~~~~      ~~~~~~~~        +-----+------+            ^
  { Branch }    {        }       |            |            |
  { Office }<-->{  VPN   }<----->+ Firewall-1 +<-----------+
  {  LAN   }    {        }       |     A      |
   ~~~~~~~~      ~~~~~~~~        +------------+

Ok, so let's assume that the VPN is a Firewall-1 to Firewall-1 encrypted tunnel. Clients from the VPN want to access the Server Farm, and Clients from the Internet want to access the Server Farm (using SecuRemote). *BUT*, Clients also want to access the Internet via the VPN to Firewall A then through Firewall B to the Internet (and vice-versa)

My question is this. When a Client wants to go to the Internet, they will be treated as an inbound connection on Firewall A, but an outbound connection on Firewall B. Same is true in reverse for Clients coming from the Internet who want to get to the LAN on the other side of the VPN.

I'm thinking that using "established" as a basis for return paths for outbound connections isn't going to work here, and in addition, the port assignments are going to be screwy. A Client from the VPN attempts to establish an HTTP connection with a public web server on the Internet. They attempt an inbound port 80 connect on Firewall A. It passes the request through to Firewall B, which in turn passes it through as an outbound connection request to the Internet. The web server assigns a port to the connection, and Firewall B treats it like an "established" connection and allows it through, then sends it on to Firewall A. What would Firewall A do with this as it would not appear to be an outbound connection request??

Don't ask why I'm using two Firewalls, as the question only has to do with using two Firewalls. I realize I could use only one. They are not there to provide redundancy as the Branch Office LAN will not be exposed directly to the Internet.
What I'd like to hear about is the idea of using "internal trusted" networks on the Firewall as potentially trusted and untrusted networks. The idea of outbound packets (from the Firewall's perspective) actually being inbound packets (from the trusted LAN's perspective) and vice-versa.

Cheers,
Russ
R.C. Consulting, Inc. - NT/Internet Security
owner of the NTBugTraq mailing list: http://ntbugtraq.rc.on.ca/index.html

From owner-firewalls-outgoing Fri May 2 12:11:00 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id KAA02181 for firewalls-outgoing; Fri, 2 May 1997 10:37:39 -0700 (PDT) Received: from lehman.Lehman.COM (lehman.Lehman.COM [192.147.66.1]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id KAA02055 for ; Fri, 2 May 1997 10:37:06 -0700 (PDT) From: carson@lehman.com Received: (from smap@localhost) by lehman.Lehman.COM (8.7.5/8.6.12) id NAA02097; Fri, 2 May 1997 13:38:30 -0400 (EDT) Received: from unknown(146.127.39.20) by lehman via smap (V1.3) id tmp002094; Fri May 2 13:38:25 1997 Received: from kublai.lehman.com by relay.lehman.com (4.1/LB-0.6) id AA17859; Fri, 2 May 97 13:38:24 EDT Received: from dragon.lehman.com by kublai.lehman.com (4.1/Lehman Bros. V1.6) id AA17744; Fri, 2 May 97 13:38:23 EDT Received: by dragon.lehman.com (SMI-8.6/Lehman Bros. V1.5) id NAA02630; Fri, 2 May 1997 13:38:22 -0400 Date: Fri, 2 May 1997 13:38:22 -0400 Message-Id: <199705021738.NAA02630@dragon.lehman.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit To: Bertrum Carroll Cc: firewalls@GreatCircle.com Subject: Re: A DMZ Question In-Reply-To: <3369F0D7.1AD9D407@90.deere.com> References: <3369F0D7.1AD9D407@90.deere.com> X-Mailer: VM 6.27 under 20.1 XEmacs Lucid (beta8) Reply-To: carson@lehman.com Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Use 2 IP addresses on the NT box and the Firewall (and put both in DNS, or your config files, or whatever).
Having the same IP address on 2 interfaces is probably not the way to go.

--
-- Carson Gaspar -- carson@cs.columbia.edu carson@lehman.com
http://www.cs.columbia.edu/~carson/home.html

From owner-firewalls-outgoing Fri May 2 12:21:27 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id KAA27366 for firewalls-outgoing; Fri, 2 May 1997 10:04:45 -0700 (PDT) Received: from mail.gestronic.ch ([193.246.62.65]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id KAA27211 for ; Fri, 2 May 1997 10:04:10 -0700 (PDT) Received: from rsleiman (sleiman.gestronic.ch [193.246.62.100]) by mail.gestronic.ch (8.8.5/8.8.5) with ESMTP id TAA01750 for ; Fri, 2 May 1997 19:01:39 +0200 (MET DST) Message-ID: <336A207B.116171C@gestronic.ch> Date: Fri, 02 May 1997 19:12:27 +0200 From: Raymond Sleiman Reply-To: Raymond.Sleiman@gestronic.ch Organization: Gestronic Groupe X-Mailer: Mozilla 4.0b3 [en] (WinNT; I) MIME-Version: 1.0 To: "firewalls@GreatCircle.COM" Subject: Firewall 1 version 2.1 on Solaris X-Priority: 3 (Normal) Content-Type: multipart/mixed; boundary="------------7497287AA15F0EA80D405D17" Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

This is a multi-part message in MIME format.
--------------7497287AA15F0EA80D405D17
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit

Hello,

I have the following message when I try to install rules in an inspection module acting as an Internet gateway:

"Peer asked for deny Authentication but i want fwa1 authentication. Authentication for command load failed. Failed to load security policy on name of the gateway: unauthorized action."

Could someone tell me what the problem could be and how to resolve it.
--
_________________________________________________________
Raymond Sleiman              Systems Integration Manager
GESTRONIC S.A                Phone # +41 22 342 71 50
25 rue jacques grosselin     Fax # +41 22 343 91 16
1227 Carouge Geneve          Mobile # +41 79 200 81 03
Switzerland                  Direct # +41 22 342 25 27
email: Raymond.Sleiman@gestronic.ch
X400:/S=Sleiman/O=Gestronic/P=SWITCH/A=ARCOM/C=ch/@chx400.switch.ch
>>>> Visit us on the WEB http://www.gestronic.ch <<<<
>>>> Visit our Job page http://www.gestronic.ch/jobs.html <<<<
_________________________________________________________

--------------7497287AA15F0EA80D405D17
Content-Type: text/x-vcard; charset=us-ascii; name="vcard.vcf"
Content-Transfer-Encoding: 7bit
Content-Description: Card for Raymond.Sleiman@gestronic.ch
Content-Disposition: attachment; filename="vcard.vcf"

begin:vcard
fn:Raymond.Sleiman@gestronic.ch
n:;Raymond.Sleiman@gestronic.ch
adr:;;;;;;
email;internet:Raymond.Sleiman@gestronic.ch
tel;work:
tel;fax:
tel;home:
x-mozilla-cpt:;0
x-mozilla-html:FALSE
end:vcard

--------------7497287AA15F0EA80D405D17--

From owner-firewalls-outgoing Fri May 2 12:25:13 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id MAA15315 for firewalls-outgoing; Fri, 2 May 1997 12:19:19 -0700 (PDT) Received: from castles.com (sparc1.castles.com [199.4.103.2]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id MAA15161 for ; Fri, 2 May 1997 12:18:43 -0700 (PDT) Received: from jmcbrea.castles.com ([205.185.80.10]) by castles.com (5.x/SMI-SVR4/CASTLES) id AA29634; Fri, 2 May 1997 12:14:19 -0700 Message-Id: <2.2.32.19970502192222.00731904@sparc1.castles.com> X-Sender: jmcbrea@sparc1.castles.com X-Mailer: Windows Eudora Pro Version 2.2 (32) Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Date: Fri, 02 May 1997 12:22:22 -0700 To: firewalls@greatcircle.com From: John McBrearty Subject: Re: CheckPoint vs Others Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

My mailer believes that Stan Wnuck
wrote:
>We are presently evaluating Check-Point's Fire-Wall 1.
>

If you are considering Firewall-1 you should be aware that Checkpoint has apparently recently instituted a "hard" policy of off-loading all support to VARs.

I had called their tech support with some questions about a month ago and got them readily answered, no problem. I called again last week with some questions and could only get as far as a message that I had to contact my VAR. I also tried sending email to Checkpoint and got back a message saying the same thing. I then called the VAR (to whom we had originally been referred by Checkpoint) with my questions; he said he preferred to work by email and would get back to me that way. The VAR's response mostly consisted of a quoted generic reply from a Checkpoint representative which didn't address the specific questions I had asked. Giving the VAR the benefit of the doubt, I restated my questions in email and asked for more specific information. That was two days ago and I have yet to receive a reply.

I know that Cisco's PIX box, for instance, has received varying reviews from people on this list. But when you need tech support information from Cisco there are a variety of ways to get it; and I have found their support people always willing to do what it takes to solve problems. It beats a voice mail message saying "Go to your VAR."
John McBrearty
Pleasant Hill, CA 94523
510-974-9171
jmcbrearty@usa.net

From owner-firewalls-outgoing Fri May 2 12:56:25 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id KAA29804 for firewalls-outgoing; Fri, 2 May 1997 10:24:26 -0700 (PDT) Received: from greta.teleport.com (sandra.teleport.com [192.108.254.11]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id KAA29790 for ; Fri, 2 May 1997 10:24:18 -0700 (PDT) Received: from linda.teleport.com (linda.teleport.com [192.108.254.12]) by greta.teleport.com (8.8.5/8.7.3) with ESMTP id KAA13698; Fri, 2 May 1997 10:25:45 -0700 (PDT) Received: (from alano@localhost) by linda.teleport.com (8.8.5/8.8.4) id KAA14237; Fri, 2 May 1997 10:25:25 -0700 (PDT) Date: Fri, 2 May 1997 10:25:24 -0700 (PDT) From: Alan To: Dominick Glavach cc: firewalls@GreatCircle.COM Subject: Re: Need to restrict http://www.nude.com and such In-Reply-To: <9705020843.ZM12945@sgi122.ctc.com> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

On Fri, 2 May 1997, Dominick Glavach wrote:
> I know this is slightly off topic but I need some advice or some products
> that will restrict http access to sites such as www.porn.com. Aside from
> building an exhaustive list on my proxy what else can I do. Thanks for the
> help.

Try finding the wire leading from your firewall out to the Internet. Take a large pair of wire cutters and cut that wire. (Be careful not to confuse the power cord with this wire.)

Filters are semi-useful at best. Since any of these filters can be bypassed by web proxies, you will only filter out the more clueless of your userbase. (Middle managers and sales people and the like.) You are better off either cutting off access to the net to all (or most) of your users or dealing with problems as they occur.

I have seen actions like this taken before.
Someone in management gets a hair up their ass about "people surfing for porn at work", and instead of doing something that would require real hands-on involvement, makes a request that puts the burden on another department. This sort of management has all sorts of ramifications that are never taken into account. It shows that management does not trust them. It makes the lives of those who do need to use the net more difficult. (Especially since many of these filters are overbroad and restrict legit sites.) It also breeds contempt for both management and IS. All in all, not the best situation.

If you are really wanting to deal with the "problem", I suggest using a log on your web proxy and then dealing with people who abuse the situation. Filtering will cause more hassles than it will solve.

From owner-firewalls-outgoing Fri May 2 13:10:42 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id LAA07532 for firewalls-outgoing; Fri, 2 May 1997 11:19:43 -0700 (PDT) Received: from vax01.newman.com (newman.com [152.160.11.1]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id LAA07496 for ; Fri, 2 May 1997 11:19:17 -0700 (PDT) Received: by vax01.newman.com (UCX V2.0-15) Fri, 2 May 1997 14:21:04 -0400 Received: by bass.unifiedtech.com (SMI-8.6/SMI-SVR4) id OAA28149; Fri, 2 May 1997 14:19:23 -0400 Date: Fri, 2 May 1997 14:19:23 -0400 From: jonesmd@newman (Mike Jones) Message-Id: <199705021819.OAA28149@bass.unifiedtech.com> To: newman!jonesmd@uunet.uu.net, swnuck@unixpros.com, mag@bunuel.tii.matav.hu, evyncke@cisco.com Subject: Re: CheckPoint vs Others Cc: firewalls@GreatCircle.COM Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: quoted-printable Content-MD5: CcSVhz3Hqa9bGICoRmj5jg== Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Eric Vyncke writes...
> At 08:15 2/05/97 -0400, Mike Jones wrote:
> >Magossa'nyi A'rpa'd writes...
> >> On Thu, 1 May 1997, Stan Wnuck wrote:
> >> > So I figured I throw out some
> >> > questions to the dogs to chew away on this idea so
> >> > that I can remain open-minded. :)
> >> > #3 Why should I use proxy services or packet filters if
> >> > I can have stateful inspection?
> >> If you don't know the details of the protocol, you will fall back to
> >> packet filtering in stateful inspection.
> >> I'm not sure if stateful inspection is able to handle if you want
> >> to handle things in higher levels of the protocol.
> >That's a good explanation. Things you can't do with stateful inspection
> >include
> > - URL-level filtering of http transfers
> > - blocking of other "things" riding on top of http, like Java or ActiveX
> > - allowing ftp PUT but not GET, or vice versa
> > - virus scanning
> I guess that at least Checkpoint and Cisco PIX for sure (see
> my affiliation ! :-) ) can do more than just stateful inspection
> at layers 3 and 4. They can also check at layer 7: thus
> allowing special tricks like NAT (Network Address Translation),
> JAVA applet blocking, possibly filter by URL.

NAT can (and probably should, for performance) happen at layer 3. I don't know about the PIX, but FW-1 does Java blocking by adding an HTTP proxy, producing the hybrid stateful inspection/proxy configuration I mentioned in an earlier message. Frankly, I'd rather put that stuff on a separate proxy server inside the firewall that could also do caching.

> >Checkpoint has been adding some of these features into FW-1 by adding
> >proxies, making it sort of a hybrid product. I have mixed feelings about
> >that, actually. I like the stateful inspection approach as a basic firewalling
> >technology, and when possible I like to put my proxies on other hosts,
> >because proxies can often have functions (like caching) that aren't really
> >related to security.
> Web caching is more a performance problem than a security one :-)
> So, you can add a Web cache along a stateful inspection filter
> to get the best of both worlds.

Right, but going through *two* proxies doesn't sound like a good idea from a performance perspective. If I'm only going to have one proxy, then I'd rather have it off the firewall than adding non-security proxy functions to the firewall. Admittedly, this is a religious issue.

--
Mike Jones
Sr. Technical Advisor
UNIFIED Technologies

From owner-firewalls-outgoing Fri May 2 13:22:48 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id MAA14133 for firewalls-outgoing; Fri, 2 May 1997 12:11:10 -0700 (PDT) Received: from austin.flashcast.com (austin.flashcast.com [207.238.207.130]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id MAA13997 for ; Fri, 2 May 1997 12:10:21 -0700 (PDT) Received: from calesm-cn3.ncr.com ([149.25.22.153]) by austin.flashcast.com (post.office MTA v2.0 0813 ID# 0-16975) with SMTP id AAA194; Fri, 2 May 1997 15:14:36 -0400 X-Mailer: Microsoft Outlook Express 4.71.0544.0 From: calesm@flashcast.com (Mike Cales) To: "'firewalls@greatcircle.com'" , "'ntsecurity@iss.net'" Subject: Re: [NTSEC] RE: L0pht Scanning - Beware Date: Fri, 2 May 1997 15:06:29 -0400 X-Priority: 3 X-MSMail-Priority: Normal MIME-Version: 1.0 Content-Type: multipart/alternative; boundary="----=_NextPart_000_01BC570A.69CC08C0" X-MimeOLE: Produced By Microsoft MimeOLE Engine V4.71.0544.0 Message-ID: <19970502191433267.AAA194@calesm-cn3.ncr.com> Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

This is a multi-part message in MIME format.
------=_NextPart_000_01BC570A.69CC08C0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable

From the person who was a teen-age hacker and is now a computer professional. I can remember what we did in the good 'ole days. We scanned and we scanned and we scanned phone numbers.
The rule of legality as we understood it was: you can call a number once.
Perfectly legal. If you call it more than once it is harassment, regardless
of whether a person or a computer answered. On one occasion my friend was
not exactly caught "scanning", but someone said they were receiving
harassing phone calls, i.e. my friend's modem, and his parents were
contacted by the authorities. It was explained away as a computer program
he was writing having a glitch in it; nothing happened.

Nowadays companies, at least smart companies, have remote access methods
which a casual scanner will not pick up on, such as: you dial a number,
then enter a specified access number, then you get a carrier tone. So
scanning is now defunct except by the lonely, dumb or persistent hacker.
Why can't we adopt this metaphor? A program connects via a port, enters an
access code, then the communication is allowed. Sort of like a password.
Of course encryption and misc. other things will have to be implemented,
but it would work: no one would care if their ports were being scanned,
and hackers would stop it.

Common world analogies to doors and windows do not apply in this
situation. You must think a little more narrowly. Ask yourself this
question: how is this hurting me? Do I feel as if I have been violated?
The answer to both is no. The fun part of hacking is getting in the
system; I never destroyed any system except systems of my own. But more
than simple hackers trying to get in your computer: hackers in general are
not a problem. The problem is when you have someone on the other end of
the port scan who may be considered an "industrial espionage" expert, but
then again they wouldn't go through the hassle; they would just get a job
as a janitor where there is no/very little security and just take the hard
drive... a lot less traceable. ...enough ranting about a dumb subject. ...
-Mike

----
From: Bill Stout <stoutb@pios.com>
To: 'firewalls@greatcircle.com'; 'ntsecurity@iss.net'
Date: Wednesday, April 30, 1997 9:13 AM
Subject: Re: [NTSEC] RE: L0pht Scanning - Beware

At 12:04 AM 4/28/97 -0700, Dennis Roberts wrote:
<snip>
>hackers is out to get you.  If someone breaks into your house and you
>call the police and they do nothing what are you going to do?  I bet you
>would maybe buy a gun, or get an alarm system, or do something to
>increase your security!  Stop bitchin' and learn from them.  I think I
<snip>

Someone broke into my Dad's house once, but it never dawned on me until now
that they were doing him a favor.  I feel so stupid for wanting to lynch the
thief, thinking that society would be better off without their future
actions or from their genes polluting the homo sapiens gene pool. And to think
that IMHO, our overly liberalist* society actually supports the breeding of
the stupid, lazy and criminal!  (Note: Sarcasm)

  *(not to be confused with libertarian)

A cop or security guard on the beat checking locks, or a neighbor seeing
another's door ajar is a good thing.  Someone telling me that my door latch
from 'X' corp is defective, and that I should replace it is a good thing.
Entering my house, examining my belongings and spray-painting on the walls
to prove a point about my door having a 'brute force' weakness is a bad thing.

Bill Stout

From owner-firewalls-outgoing Fri May 2 13:25:09 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id MAA19261 for firewalls-outgoing; Fri, 2 May 1997 12:53:56 -0700 (PDT)
Received: from ivory.lm.com (ivory.lm.com [204.171.44.50]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id MAA19242 for ; Fri, 2 May 1997 12:53:34 -0700 (PDT)
Received: from jchess.slip.lm.com (jchess.slip.lm.com [205.201.26.86]) by ivory.lm.com (8.8.5/8.6.12) with SMTP id PAA08936 for ; Fri, 2 May 1997 15:55:11 -0400 (EDT)
Message-Id: <199705021955.PAA08936@ivory.lm.com>
Comments: Authenticated sender is
From: "Jean Chess"
To: firewalls@GreatCircle.COM
Date: Fri, 2 May 1997 15:51:03 +0000
MIME-Version: 1.0
Content-type: text/plain; charset=US-ASCII
Content-transfer-encoding: 7BIT
Subject: RE: Need to restrict http://www.nude.com and such
In-reply-to: <0007jjzjtpxd.H000012201e0bc53@igate.sprint.com>
X-mailer: Pegasus Mail for Win32 (v2.53/R1)
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Websense (see www.netpart.com) is another such product which integrates
with Firewall-1 and is what I am planning to use at a client site.

Jean Chess
RPM Associates, Inc.
Pager: 800-504-8235

From owner-firewalls-outgoing Fri May 2 14:06:18 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id LAA08600 for firewalls-outgoing; Fri, 2 May 1997 11:28:39 -0700 (PDT)
Received: from Xenon.Stanford.EDU (Xenon.Stanford.EDU [171.64.64.24]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id LAA08554 for ; Fri, 2 May 1997 11:28:26 -0700 (PDT)
Received: (from dechon@localhost) by Xenon.Stanford.EDU (8.8.4/8.8.4) id LAA04517; Fri, 2 May 1997 11:29:37 -0700 (PDT)
From: "Marc D. Jackson"
Message-Id: <199705021829.LAA04517@Xenon.Stanford.EDU>
Subject: Re: [FW1] [FW-1] [Solaris 2.6] DHCP, VLSM thoughts
To: carson@lehman.com
Date: Fri, 2 May 1997 11:29:36 -0700 (PDT)
Cc: dechon@CS.Stanford.EDU, Jerald.Josephs@Ebay.Sun.COM, firewalls@GreatCircle.COM, fw-1-mailinglist@us.checkpoint.com, drexx@pspi.com.ph
In-Reply-To: <199705021741.NAA02682@dragon.lehman.com> from "carson@lehman.com" at May 2, 97 01:41:09 pm
X-Mailer: ELM [version 2.4 PL25]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

carson@lehman.com writes:
>
> Having received 2.6 beta refresh, I can state with certainty that Solaris
> 2.6 _does_ have VLSM support. And DHCP support. And a berkeley 4.4 routing

I just love it when reps give wrong information. :)

mj

> socket. And NTP. And....
>
> Who-ho!
>
> --
> --
> Carson Gaspar -- carson@cs.columbia.edu carson@lehman.com
> http://www.cs.columbia.edu/~carson/home.html
>
>

From owner-firewalls-outgoing Fri May 2 14:26:22 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id MAA19044 for firewalls-outgoing; Fri, 2 May 1997 12:51:02 -0700 (PDT)
Received: from sunat.gob.pe (sunat.gob.pe [161.132.37.4]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id MAA19003 for ; Fri, 2 May 1997 12:50:44 -0700 (PDT)
Received: from lima.sunat.gob.pe ([150.200.100.51]) by firesun.sunat.gob.pe with SMTP id <32257-1>; Fri, 2 May 1997 14:53:26 -0500
Received: by lima.sunat.gob.pe with SMTP (Microsoft Exchange Server Internet Mail Connector Version 4.0.995.52) id <01BC5708.3C688950@lima.sunat.gob.pe>; Fri, 2 May 1997 14:50:54 -0500
Message-ID:
From: "Carlos Tay Damaso (Req San Isidro)"
To: "'firewalls@GreatCircle.COM'"
Subject: PROBLEM....
Date: Fri, 2 May 1997 15:13:53 -0500
X-Mailer: Microsoft Exchange Server Internet Mail Connector Version 4.0.995.52
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

>----------
>From: Carlos Tay Damaso
>Sent: Friday, May 02, 1997 12:06 PM
>To: 'firewalls@GreatCircle.COM'
>Subject: FW: PROBLEM....
>Importance: High
>
>
>
>----------
>From: Carlos Tay Damaso
>Sent: Thursday, April 24, 1997 0:35 AM
>To: 'firewalls@GreatCircle.COM'
>Subject: PROBLEM....
>Importance: High
>
>I have a Borderware Firewall Release 4.01
>The problem is:
>In my LAN I have a default router (3Com Netbuilder II), to which hosts point
>all traffic, and in the same segment of the LAN I have my Firewall.
>My hosts normally reach internal networks through my default router, and
>reach the INTERNET through the Firewall. If the path between the default router
>and the internal network is disrupted, the routes in my hosts (UNIX, NT) change
>to the firewall, and then in a few minutes the firewall hangs.
>
>Please help me...
>
>send me your solution to: dcarlos@sunat.gob.pe
>Thanks...
>
>

From owner-firewalls-outgoing Fri May 2 15:09:31 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id MAA19120 for firewalls-outgoing; Fri, 2 May 1997 12:51:51 -0700 (PDT)
Received: from relay.nswc.navy.mil (relay.nswc.navy.mil [128.38.1.41]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id MAA19104 for ; Fri, 2 May 1997 12:51:39 -0700 (PDT)
Received: from joatmon (joatmon.nswc.navy.mil) by relay.nswc.navy.mil (4.1/SMI-4.1) id AA12823; Fri, 2 May 97 15:53:01 EDT
Received: by joatmon (4.1/SMI-4.1) id AA00690; Fri, 2 May 97 15:53:02 EDT
Date: Fri, 2 May 97 15:53:02 EDT
From: snorthc@nswc.navy.mil (Stephen Northcutt - CD2S)
Message-Id: <9705021953.AA00690@joatmon>
To: Firewalls@GreatCircle.COM
Subject: Re: Need to restrict http://www.nude.com and such
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Fri, 2 May 1997, Nick Keenan wrote:
> > I know this is slightly off topic but I need some advice or some
> > products that will restrict http access to sites such as www.porn.com.
> > Aside from building an exhaustive list on my proxy what else can I do.
>
>Christopher Hicks followed with:
>A couple of companies actually do content-oriented restrictions. They
>analyze using "super secret algorithms" whether or not the content is
>allowed or not. The basic idea is that certain words and combinations of
>words can with some context make a site rate as unviewable. No lists to
>maintain.
>

Well, this list was developed with tax payer money, you can call it yours
and charge what you like; it has proven to be very effective:
http://www.nswc.navy.mil/ISSEC/Docs/Progs/keyword.txt

Most of the other supporting scripts can be found at:
http://www.nswc.navy.mil/ISSEC/Docs/Progs/index.html

Description of the system:
http://www.nswc.navy.mil/ISSEC/Docs/loggingproject.html

And the processes that allow us to operate it fairly:
http://www.nswc.navy.mil/ISSEC/SAC/sac.html

>Pornography isn't the only thing corporations have to worry about, though.
>Playing Java Tetris, sitting in chat rooms, etc. are all things
>corporations and governments will ultimately want to prohibit. It becomes
>obvious quickly that lists are not practical. The only list that might be
>practical is an "allowed" list. And given site-piracy that would still
>let some smut through.

Covered, all covered, by the system above. Now working on *hard* problems:
gigabit firewalls, multi-site intrusion detection, auditing switched nets.

Stephen (ichabod on #hack ... like I have time)
http://www.nswc.navy.mil/ISSEC/SRN/snorthc.html

From owner-firewalls-outgoing Fri May 2 15:55:18 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id PAA07981 for firewalls-outgoing; Fri, 2 May 1997 15:01:44 -0700 (PDT)
Received: from eagle1.raptor.com (raptor.com [204.7.243.11]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id PAA07742 for ; Fri, 2 May 1997 15:00:45 -0700 (PDT)
Received: from raptor1.raptor.com ([204.7.242.10]) by eagle1.raptor.com via smtpd (for honor.greatcircle.com [198.102.244.44]) with SMTP; 2 May 1997 22:02:19 UT
Received: from prouty (user-37kb49i.dialup.mindspring.com [207.69.145.50]) by raptor1.raptor.com (8.7.3/8.7.3) with SMTP id SAA08299; Fri, 2 May 1997 18:01:48 -0400 (EDT)
Message-Id: <2.2.32.19970502220405.006e9044@204.7.242.10>
X-Sender: aprouty@204.7.242.10
X-Mailer: Windows Eudora Pro Version 2.2 (32)
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Fri, 02 May 1997 18:04:05 -0400
To: Firewalls@GreatCircle.COM
From: "Alan Prouty (Raptor Systems, Inc.)"
Subject: Re: Need to restrict http://www.nude.com and such
Cc: glavach@ctc.com
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

>Date: Fri, 2 May 1997 08:43:32 -0400
>From: "Dominick Glavach"
>Subject: Need to restrict http://www.nude.com and such
>I know this is slightly off topic but I need some advice or some
>products that will restrict http access to sites such as www.porn.com. Aside
>from building an exhaustive list on my proxy what else can I do. Thanks for
>the help.
>
Stuff deleted...

Please note my signature block. Some firewall vendors allow URLs to be
blocked based on the firewall administrator's input. Raptor provides this
service as well, but takes it a step further. Raptor provides a unique
service called WebNot that runs as an option on the Eagle. You can block
URLs based on 12 pre-configured categories.
This configuration can be enforced based on groups of machines, networks,
or users, and it allows groups to have different sets of rules regarding
which sites they can get to. The database is automatically downloaded by
the firewall every 6 days. The database is maintained by CyberPatrol and
they update it every day.

----======----
Alan Prouty                            E-mail: aprouty@raptor.com
Southeast Region Systems Engineer      Fax:    404-870-9138
Raptor Systems, Inc.                   Office: 404-870-9058
+++ZDI Internet 1997 BEST FIREWALL+++

From owner-firewalls-outgoing Fri May 2 17:09:34 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id RAA28294 for firewalls-outgoing; Fri, 2 May 1997 17:05:04 -0700 (PDT)
Received: from peets.us.checkpoint.com (us.checkpoint.com [206.86.35.130]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id RAA28282 for ; Fri, 2 May 1997 17:04:56 -0700 (PDT)
Received: from brian.us.checkpoint.com (brainiac.us.checkpoint.com [206.86.35.59]) by peets.us.checkpoint.com (8.8.3/8.8.3) with ESMTP id QAA04268; Fri, 2 May 1997 16:47:52 -0700 (PDT)
Message-ID: <336A7C31.C35212A3@us.checkpoint.com>
Date: Fri, 02 May 1997 16:43:45 -0700
From: Brian Connolly
Reply-To: brian@us.checkpoint.com
Organization: Check Point Software Technologies
X-Mailer: Mozilla 4.0b3 [en] (Win95; I)
MIME-Version: 1.0
To: Brett Eldridge
CC: CHRISTIAN_STAHL@HP-Denmark-om1.om.hp.com, firewalls@GreatCircle.COM
Subject: Re: MS NetMeeting 2.0 and Raptor Eagle vers. 4.0
X-Priority: 3 (Normal)
References: <337b1322.99279981@cup46ux.cup.hp.com>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

If you want to be able to detect the H.323 protocol that NetMeeting has
been built on top of, you'll need to decode the packets to figure out
where those "dynamic" ports end up.
FireWall-1 has the ability to do this (you need to specifically look at
the application data and grab "OpenLogicalChannel" commands) with its
H.323 service built into 3.0. When FireWall-1 finds these dynamic port
commands, it puts a dynamic rule into the firewall that associates these
extra channels (and there could be up to 8 of them) with the existing
H.323 control connection, thereby letting it through.

Instead, you could always open up TCP and UDP ports 1025 through 65535
both ways through your firewall, as the below chart suggests ;)

- Brian

Brett Eldridge wrote:
>
> On Thu, 1 May 97 08:52:50 +0200, you wrote:
>
> >Hey everybody,
> >
> >Does anyone know how to set up Raptor Eagle version 4.0, running on NT
> >4.0, to MS NetMeeting?
>
> Hi Christian,
>
> This is going to be tough for any application proxy style firewall
> because you need to open up multiple TCP ports (389 and 522) along
> with all the TCP/UDP high ports (argh). At least, this is how I read
> the MS article. This is obviously a large security risk and creates a
> hole in your firewall system big enough to "fling a moose through"
> (see Note 1).
>
> Basically, for the Raptor Eagle firewall gateway, you need to use the
> GSP feature to define a service for each of the ports listed below.
>
> I have included a portion of the text from one of Microsoft's
> KnowledgeBase articles. You can find the article at:
> http://www.microsoft.com/kb/articles/q164/0/38.htm
>
> - brett
>
> ---- Text of article ----
>
> Microsoft NetMeeting 2.0 uses several secondary TCP and UDP ports to
> communicate.
> To allow NetMeeting to communicate fully, the following
> ports need to be enabled on the WinSock portion of the Proxy Server:
>
>   389     Internet Locator Server
>   522     User Location Server
>   1503    T.120 Protocol
>   1720    H.323 call setup (TCP)
>   1731    Audio call control (TCP)
>   Dynamic H.323 Call Control (TCP)
>   Dynamic H.323 streaming (RTP over UDP)
>
>
>   Port or Range   Type   Direction
>   -------------   ----   ---------
>
>   389             TCP    Inbound
>   389             TCP    Outbound
>   522             TCP    Inbound
>   522             TCP    Outbound
>   1025-65535      TCP    Inbound
>   1025-65535      TCP    Outbound
>   1025-65535      UDP    Inbound
>   1025-65535      UDP    Outbound
>
> Note 1: Thanks to Marcus for enlightening me as to the highly
> technical term to use to aptly describe situations like this.

--
===================================================================
Brian Connolly                          brian@us.checkpoint.com
Business Development Engineer           415.562.0400, ext 252
Check Point Software Technologies       fax 415.562.0410

From owner-firewalls-outgoing Fri May 2 17:24:54 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id RAA28490 for firewalls-outgoing; Fri, 2 May 1997 17:09:02 -0700 (PDT)
Received: from peets.us.checkpoint.com (us.checkpoint.com [206.86.35.130]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id RAA28483 for ; Fri, 2 May 1997 17:08:56 -0700 (PDT)
Received: from brian.us.checkpoint.com (brainiac.us.checkpoint.com [206.86.35.59]) by peets.us.checkpoint.com (8.8.3/8.8.3) with ESMTP id RAA05261; Fri, 2 May 1997 17:12:17 -0700 (PDT)
Message-ID: <336A81EB.7D96417E@us.checkpoint.com>
Date: Fri, 02 May 1997 17:08:11 -0700
From: Brian Connolly
Reply-To: brian@us.checkpoint.com
Organization: Check Point Software Technologies
X-Mailer: Mozilla 4.0b3 [en] (Win95; I)
MIME-Version: 1.0
To: Dominick Glavach
CC: firewalls@GreatCircle.COM
Subject: Re: Need to restrict http://www.nude.com and such
X-Priority: 3 (Normal)
References: <9705020843.ZM12945@sgi122.ctc.com>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

FireWall-1 3.0 supports UFP (URL Filtering Protocol), which allows you to
plug URL scanning software directly into your firewall. A number of the
companies already mentioned in this thread are writing to this spec (the
first announced was NetPartners' WebSENSE).

The model usually works like this: you buy the URL filtering software that
supports UFP, and integrate it with your FireWall. It comes with an
initial database of URLs, each categorized (pornography, hacking, sports,
user-defined, etc). At the firewall, you can create rules such as "Allow
all outgoing Web traffic except for adult entertainment and gambling". You
can also purchase a "subscription service" to get your URL database
updated every evening.

- Brian

Dominick Glavach wrote:
>
> I know this is slightly off topic but I need some advice or some products
> that will restrict http access to sites such as www.porn.com. Aside from
> building an exhaustive list on my proxy what else can I do. Thanks for the
> help.
>
> --
>
> ---------------------------------------------------------------
> Dominick Glavach, Unix System Administrator      glavach@ctc.com
> Concurrent Technologies Corporation              814/269-2469
> -NCSA-
> ---------------------------------------------------------------

--
===================================================================
Brian Connolly                          brian@us.checkpoint.com
Business Development Engineer           415.562.0400, ext 252
Check Point Software Technologies       fax 415.562.0410

From owner-firewalls-outgoing Fri May 2 19:09:27 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id TAA06075 for firewalls-outgoing; Fri, 2 May 1997 19:04:13 -0700 (PDT)
Received: from sylvania.sev.org (sylvania.sev.org [206.98.18.20]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id TAA06068 for ; Fri, 2 May 1997 19:04:08 -0700 (PDT)
Received: from port181.sev.org by sylvania.sev.org; (5.65v3.2/1.1.8.2/08Dec95-0254PM) id AA12480; Fri, 2 May 1997 22:02:24 -0400
Message-Id: <9705030202.AA12480@sylvania.sev.org>
Subject: Macintosh firewall?
Date: Fri, 2 May 97 22:06:11 +0100
X-Mailer: Claris Emailer 1.1
From: Mitch Gorsha
To:
Mime-Version: 1.0
Content-Type: text/plain; charset="US-ASCII"
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Well, I've been watching the list and waiting for it to surface, but it
hasn't yet. So I'll go ahead and ask ...

Is there a firewall product out there, somewhere, that runs on a
Macintosh? Without having to go to the Mac AIX servers?

Whew! Now I feel better, but I'm still interested!

thanks ...
[mpg]

_/ _/ _/ _/ _/ _/ _/ _/ _/ _/ _/ _/
Mitch Gorsha
Senior Systems Engineer - SFT-CompuWorx
(419)843-8200
Do you believe in Macintosh? Please check out and join the EvangeList
mailing list by sending an email to .
_/ _/ _/ _/ _/ _/ _/ _/ _/ _/ _/ _/

From owner-firewalls-outgoing Fri May 2 20:54:30 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id UAA12413 for firewalls-outgoing; Fri, 2 May 1997 20:49:57 -0700 (PDT)
Received: from nimue.jammed.com (jammed.com [165.227.120.19]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id UAA12406 for ; Fri, 2 May 1997 20:49:51 -0700 (PDT)
Received: (from deadmail@localhost) by nimue.jammed.com (8.8.5/8.8.5) id UAA18337 for firewalls@greatcircle.com; Fri, 2 May 1997 20:51:42 -0700
Received: from nimue.jammed.com (gate.jammed.com) by gate.jammed.com (deadmail-1.1/JAMMED) via SMTP; Fri May 2 20:51:42 1997
Date: Fri, 2 May 1997 20:51:41 -0700 (PDT)
From: "James W. Abendschan"
To: firewalls@greatcircle.com
Subject: SunOS Gauntlet file permissions
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

One of the sites I do work for runs Gauntlet 3.1 under SunOS 4 (and for
the record, it performs quite well, considering the load.) Last week I
took a look around the system and found some rather glaring file
permission problems:

drwxrwsrwx  2 root  staff    512 May 20  1996 /etc/sm
drwxrwsrwx  2 root  staff    512 May 20  1996 /etc/sm.bak
-rwxrwxrwx  1 root  wheel  24576 May 22  1996 /usr/local/etc/udpnull
-rw-rw-rw-  1 root  bin    50036 Apr 10 18:04 /usr/kvm/sys/gauntlet/swipe/swipemod
-rw-rw-rw-  1 root  staff     72 Apr 25 14:08 /etc/utmp
-rw-rw-rw-  1 root  staff      4 Apr 10 18:04 /etc/syslog.pid
-rw-rw-rw-  1 root  staff      1 May 20  1996 /etc/state

....in other words, a stock SunOS system (right down to the suid
/usr/openwin/bin/loadmodule) with some TIS-isms thrown in. These were on
the Day 0 dump tape, so the firewall was *installed* this way.

Now maybe I'm being excessively paranoid, but isn't the OS supposed to be
hardened up a bit before implementing it as a firewall?
This is not a TIS flame; I was simply shocked to see all these writable
files and setuid binaries on the system. Granted, no one should be able to
get a shell -- root or otherwise -- on the system, but who knows what
madness lurks in the depths of 3rd party proxies.

Just curious if anyone else has seen this...

James

--
James W. Abendschan                        jwa@jammed.com
JAMMED Systems, Inc.                       http://www.jammed.com
"Turing," she said. "You are under arrest." -- William Gibson

From owner-firewalls-outgoing Sat May 3 01:24:34 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id BAA22734 for firewalls-outgoing; Sat, 3 May 1997 01:13:06 -0700 (PDT)
Received: from matav.hu (firewall.matav.hu [145.236.225.161]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id BAA22726 for ; Sat, 3 May 1997 01:12:59 -0700 (PDT)
Received: from tiivs7.tii.matav.hu ([145.236.48.148]) by firewall.matav.hu with SMTP id <55557-1>; Sat, 3 May 1997 10:12:22 +0100
Received: from Bunuel.tii.matav.hu by tiivs7.tii.matav.hu (MX V4.1 VAX) with SMTP; Sat, 03 May 1997 10:14:19 MET
Received: from localhost by Bunuel.tii.matav.hu with smtp id m0wNa1D-002QmKC (Debian Smail-3.2 1996-Jul-4 #2); Sat, 3 May 1997 10:18:11 +0200 (MET DST)
Date: Sat, 3 May 1997 09:18:11 +0100
From: "Magossa'nyi A'rpa'd"
To: Mike Jones
CC: swnuck@unixpros.com, firewalls@GreatCircle.COM
Subject: Re: stateful inspection (was: CheckPoint vs Others)
In-Reply-To: <199705021802.OAA28142@bass.unifiedtech.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=ISO-8859-2
Content-Transfer-Encoding: QUOTED-PRINTABLE
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Fri, 2 May 1997, Mike Jones wrote:

> > Do you mean you can explicitly define in every protocol which states/state
> > transitions are allowed and which not?
>
> In at least a limited sense, yes.
> I'm not completely clear on what
> you mean by "state transitions".

For example, in an smtp session I assure that the other side should start
with a helo (state 1), and should continue with a mail from (state 2) and
not a vrfy (state 3). Might be a silly example, perhaps it's another
protocol level, but isn't it why those firewalls are called "stateful
inspection"?

> FireWall-1 deals with network objects
> and protocols, where a network object may be
> - a host
> - a network
> - a group of hosts and/or networks
> The rules are of the form
>
> and identify what action should be taken upon encountering traffic of
> the specified protocol between the specified source and destination
> objects. The may be allow, drop, or authenticate.

It looks like the good old port filtering.

---
GNU GPL: csak tiszta forrásból [only from a pure source]

From owner-firewalls-outgoing Sat May 3 03:09:34 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id DAA00813 for firewalls-outgoing; Sat, 3 May 1997 03:03:16 -0700 (PDT)
Received: from majestix.skp.de (majestix.skp.de [194.163.133.195]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id DAA00796 for ; Sat, 3 May 1997 03:03:05 -0700 (PDT)
Received: from maestro (maestro.skp.de [194.163.133.201]) by majestix.skp.de (8.7.5/8.7.3) with SMTP id LAA16747; Sat, 3 May 1997 11:10:19 +0200
Date: Sat, 03 May 1997 12:04:11 +0100
To: "Urban A. Haas"
From: Oliver Lau
Cc: , Derek Pokorny , Martin Sauer
Subject: Re: Firewalls for non-IP protocols
In-Reply-To: <33689EA0.622F@urbantechnology.com>
References: <33689EA0.622F@urbantechnology.com>
Message-Id: <336B29BB365.BDB4.lau@skp.de>
MIME-Version: 1.0
Content-Type: text/plain
Content-Transfer-Encoding: Quoted-Printable
X-Mailer: Becky! ver 1.20
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Greetings!

On Thu, 01 May 1997 08:46:09 -0500 "Urban A. Haas" wrote:

| Are there any firewalls that can extend beyond IP protecting SNA and IPX
| without encapsulation - or at least encrypting the data? (Or is the
| encryption portion a different issue altogether?)

Yes, FireWall/Plus from Network-1, NY, is the only multi-protocol firewall
(for DOS and Windows NT with Intel and Alpha CPUs) worldwide, capable of
filtering about 400 different protocols and subprotocols from OSI layer 2
to 7. It can act as a dual-homed gateway and also be installed on NT
workstations and servers to provide full virtual private networks, end to
end, i.e. encrypted tunneling from sender to receiver and not only from
firewall to firewall.

|
| I have some that are becoming interested in using this kind of
| technology over their frame-relay links to protect against snooping from telco
| or telco mishaps, etc.

No problem, Cisco support is integrated. All routers that are attached via
an ethernet link are supported.

|
| I know I can run IP-based Netware, DLS (Data-Link Switching), etc. to get
| a totally IP-based network to accomplish this, but this kind of digs
| into some firewall vendors' suggestions that their devices be used on
| Intranets also. The difference, to me being, support for other network
| protocols.

You don't have to install such strange devices with FireWall/Plus. Any
protocol can be filtered, and if you use a protocol that is not listed,
define it on your own. This takes two minutes for each new protocol, if
you know about the port it addresses and/or the ID it uses. You can also
implement connection management for connection-oriented protocols like
TCP by adding code in a C- or Pascal-like language that does detailed
filtering, observing and controlling the state of communication, better
known as 'statefulness'. So filtering to the bit level is already built in.

|
| Maybe the best bet is encryption of some kind of all data between point
| a and point b, ignoring protocols, but I am curious as to anyone's
| particular experience.
| See above. Works very well. :-) For detailed information please visit: US site: http://www.network-1.com/products/firewall/nt German site: http://www.skp.de/prod Regards Oliver Lau (Senior Security Consultant) Sauer, Küster und Partner GmbH Dietrich-Bonhoeffer-Straße 1-3, 35037 Marburg, Germany fon: +49 6421 938300, fax: +49 6421 938390, URL: www.skp.de

From owner-firewalls-outgoing Sat May 3 04:39:36 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id EAA07403 for firewalls-outgoing; Sat, 3 May 1997 04:33:59 -0700 (PDT) Received: from zonk.geko.net.au (zonk.geko.net.au [203.2.239.2]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id EAA07396 for ; Sat, 3 May 1997 04:33:47 -0700 (PDT) Received: from mozart.void.hell.net (dialup3121.sydney.geko.net.au [203.25.224.121]) by zonk.geko.net.au (8.8.5/8.6.12) with ESMTP id VAA11832 for ; Sat, 3 May 1997 21:44:48 +1000 (EST) Received: from beethoven ([192.168.0.2]) by mozart.void.hell.net with smtp id m0wNadC-000Jn4C (Debian Smail-3.2 1996-Jul-4 #2); Sat, 3 May 1997 18:57:26 +1000 (EST) Message-Id: From: "Norman Widders" Date: Sat, 3 May 1997 18:51:53 +0000 GMT Subject: Re: Need to restrict http://www.nude.com and such To: Reply-To: Organization: WCE Consulting X-Mailer: Paladin IMAP4 Client v2.0 Mime-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Content-Transfer-Encoding: 7BIT Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

In reply to Alan > Filters are semi-useful at best. Since any of these filters can be > bypassed by web proxies, you will only filter out the more clueless of > your userbase. (Middle managers and sales people and the like.) You are > better off either cutting off access to the net to all (or most) of your I would mostly agree that filtering does not work. Many legitimate sites will then be blocked with the result that users will not be able to access information that they need.
This has been demonstrated many times and the latest German fiasco exemplifies this, with the result that the filter was removed. These companies supplying lists of sites to block also tend to have their own hidden agenda and will include sites that they are biased against. i.e., the National Organisation for Women is on one of the prominent filter-lists supplied by one company. So which list can you in fact trust? Monitoring the log files to see where people are surfing and then taking action is the best remedy surely. If people are using web proxies / anonymizers then this too is suspicious behaviour for an employee and should be noted. Or perhaps keep an up to date ban-list of anonymizers; it puts you between a rock and a hard place :-) It also makes me wonder if security consultants and admins have lost touch with basic office procedures. What ever happened to timesheets that employees fill out each hour, showing what they were doing in that time? If they are surfing the net for a few hours looking at things they shouldn't, their timesheets will show unjustifiable amounts of time being spent on trivial work, i.e. they will falsify their workload which is easy to catch. i.e., 2 hours spent on a memo? On the other hand if the employees are just spending a few minutes here and there looking at playboy.com or similar, you probably won't catch them. But then what's the difference between that and the interoffice chatting that goes on at the coffee machine and wastes just as much time but is usually thought of as _acceptable_ behaviour.
-- +--------------------------------------------------------------+ | #include | | | | E-MAIL: winspace@geko.net.au | | HOMEPAGE: http://www.geocities.com/ResearchTriangle/4431 | | | +--------------------------------------------------------------+

From owner-firewalls-outgoing Sat May 3 07:39:34 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id HAA14240 for firewalls-outgoing; Sat, 3 May 1997 07:32:53 -0700 (PDT) Received: from macbeth.othello.ch (macbeth.othello.ch [193.5.25.20]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id HAA14233 for ; Sat, 3 May 1997 07:32:47 -0700 (PDT) Received: from othello.ch by macbeth.othello.ch (SMI-8.6/SMI-SVR4-afm-1.3) id QAA16027; Sat, 3 May 1997 16:32:30 +0200 Received: by othello.ch (NX5.67f2/NX3.0M-afm-1.4) id AA11001; Sat, 3 May 97 16:28:55 +0200 Message-Id: <9705031428.AA11001@othello.ch> Content-Type: text/plain Mime-Version: 1.0 (NeXT Mail 3.3 v118.2) Received: by NeXT.Mailer (1.118.2) From: Dr Andreas F Muller Date: Sat, 3 May 97 16:28:49 +0200 To: firewalls@greatcircle.com Subject: Re: VLSM, RIP, routing socket Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

"Marc D. Jackson" wrote: > I ran into this problem when trying to route with rip. Specifically, RIP cannot do subnets, unless you use RIP2. Ordinary routed does not understand RIP2. Many other OSes have the same problem, even some products that call themselves routers. For a real router you need at least two preconditions: . the kernel must understand subnet routes . there must be a decent routing process that understands a real routing protocol (in this sense, routed is not decent). > Sun's implementation of the routing socket interface is not the > industry standard. In other words, when you use a Sun machine as > a multi-homed host with subnetted networks the rip updates are > incorrect.
> The routers that we used had no problems at all in This has nothing to do with the implementation of the routing socket. It's a fact that Solaris 2.x, x < 6, is unable to handle subnet routes in its kernel routing table, unless they belong to directly connected networks. The workaround is to use host routes for all hosts on a remote subnet. (There was a product from Sun which enabled vlsm in the kernel, however, this does not correct the deficiencies of RIP). The fact that the routers had no problems only indicates that they were using RIP2 or something better. > dealing with the subnetted networks, therefore while we were able > to subnet our intranet we had problems with using Sun's as any type > of router. If you want your Sun to speak to some routers intelligently (doing something more intelligent than RIP), you should consider gated. Just my 0.02$ Andreas Mueller ------------------------------------------------------------ Dr. Andreas Mueller Beratung und Entwicklung Bubental 53, CH - 8852 Altendorf Voice: +41 55 462 1483 Fax/Data: +41 55 462 1485

From owner-firewalls-outgoing Sat May 3 09:39:39 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id JAA19004 for firewalls-outgoing; Sat, 3 May 1997 09:25:09 -0700 (PDT) Received: from relay.rv.tis.com (relay.rv.tis.com [204.254.155.2]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id JAA18996 for ; Sat, 3 May 1997 09:25:04 -0700 (PDT) Received: by relay.rv.tis.com; id MAA25246; Sat, 3 May 1997 12:43:00 -0400 (EDT) Received: from unknown(204.254.155.208) by relay.rv.tis.com via smap (3.2) id xma025240; Sat, 3 May 97 12:42:48 -0400 Message-Id: <3.0.32.19970503122813.006a8e80@pop.rv.tis.com> X-Sender: lothie@pop.rv.tis.com (Unverified) X-Mailer: Windows Eudora Pro Version 3.0 (32) Date: Sat, 03 May 1997 12:28:14 -0400 To: firewalls@GreatCircle.COM From: Mimi Herrmann Subject: Re: Need to restrict http://www.nude.com and such Mime-Version: 1.0 Content-Type:
text/plain; charset="us-ascii" Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

At 09:41 AM 5/2/97 -0500, Chris Lonvick wrote: >Hello Dominick, > >I assume that your company policy is to prevent your people from >getting/displaying/looking-at "dirty pictures" while on company >time and/or while using company equipment. From your question, >I see that you're looking for ways to enforce your policy. > >As far as I know, there are two general methods of enforcing your >policy. > - making the consequences of failure to comply with the policy > a very high cost (like termination) > - finding ways to make it difficult for your users to violate > the policy It's so nice to see someone else give the advice that restricting destinations is a *social engineering* problem, not necessarily a technical problem. Most firewalls keep logs of what sites are being accessed, and from what IP. Constructively using this information to discipline employees that violate policy, rather than trying to find technical solutions to ban users from being able to get to these sites in the first place, does take more work but is also more effective. Besides, it's a way of creating jobs, which to me seems a good thing. Just as an example -- say my company had a policy against my visiting www.nude.com. Well, there's nothing to stop me from getting another account elsewhere and visiting that site from there, either using telnet/lynx or, if I have use of a modem from my desk, even opening up a ppp connection and using Netscape. It's a lot harder to outwit employees than it is to discipline them for violating the rules once they're caught.
Just my two cents, L

From owner-firewalls-outgoing Sat May 3 10:39:42 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id KAA20917 for firewalls-outgoing; Sat, 3 May 1997 10:27:04 -0700 (PDT) Received: from maddie.atlantic.com (maddie.atlantic.com [198.252.200.3]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id KAA20902 for ; Sat, 3 May 1997 10:26:53 -0700 (PDT) Received: (from pokey@localhost) by maddie.atlantic.com (8.8.5/8.7.3) id NAA23496; Sat, 3 May 1997 13:29:38 -0400 From: Rick Romkey Message-Id: <199705031729.NAA23496@maddie.atlantic.com> Subject: Re: CheckPoint vs Others To: jmcbrearty@usa.net (John McBrearty) Date: Sat, 3 May 1997 13:29:38 -0400 (EDT) Cc: firewalls@GreatCircle.COM In-Reply-To: <2.2.32.19970502192222.00731904@sparc1.castles.com> from "John McBrearty" at May 2, 97 12:22:22 pm X-Mailer: ELM [version 2.4 PL23] Content-Type: text Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

> people on this list. But when you need tech support information from Cisco > there are a variety of ways to get it; and I have found their support people > always willing to do what it takes to solve problems. It beats a voice mail > message saying "Go to your VAR." > One might argue that you should have been more careful when selecting your VAR. Some resellers out there can actually help with problems.
-Rick ---------------------------------------------------------------------------- Rick E Romkey | A T L A N T I C | Internet pokey@atlantic.com | Computing Technology Corporation | Specialists (860) 667-9596 | http://www.atlantic.com/ | -----------------------------------------------------------------------------

From owner-firewalls-outgoing Sat May 3 11:39:57 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id LAA24142 for firewalls-outgoing; Sat, 3 May 1997 11:30:09 -0700 (PDT) Received: from news.acrux.net (pluto.acrux.net [207.51.199.3]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id LAA24133 for ; Sat, 3 May 1997 11:30:04 -0700 (PDT) Received: from pluto (pluto [207.51.199.3]) by news.acrux.net (8.8.5/8.8.5) with SMTP id NAA08831; Sat, 3 May 1997 13:30:38 -0500 (CDT) Date: Sat, 3 May 1997 13:30:37 -0500 (CDT) From: Brian Tackett X-Sender: cym@pluto To: Mimi Herrmann cc: firewalls@GreatCircle.COM Subject: Re: Need to restrict http://www.nude.com and such In-Reply-To: <3.0.32.19970503122813.006a8e80@pop.rv.tis.com> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

On Sat, 3 May 1997, Mimi Herrmann wrote: > ppp connection and using Netscape. It's a lot harder to outwit employees > than it is to discipline them for violating the rules once they're caught. In addition, consider this: If I BAN all traffic to www.nude.com, as you said, the user will slip around anyway, not only making it harder for my technical staff, but probably causing me NOT to know about it at all. Far better to know that a problem exists, which enables me to then TALK to the person involved, point out the reasons for the policy, etc etc etc.
This opportunity rarely arises when you try to solve people problems with hardware and software ;)

From owner-firewalls-outgoing Sat May 3 14:41:28 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id OAA04853 for firewalls-outgoing; Sat, 3 May 1997 14:33:47 -0700 (PDT) Received: from geocities.com (mail3.geocities.com [204.7.246.133]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id OAA04846 for ; Sat, 3 May 1997 14:33:42 -0700 (PDT) Received: from ppp01-braila.iiruc.ro (ppp01-braila.iiruc.ro [193.226.145.211]) by geocities.com (8.7.5/8.7.3) with SMTP id OAA23456 for ; Sat, 3 May 1997 14:27:35 -0700 (PDT) Message-ID: <336C3BEE.2F82@geocities.com> Date: Sun, 04 May 1997 00:34:06 -0700 From: Gabriel Dura Reply-To: dura@geocities.com X-Mailer: Mozilla 3.01Gold (Win16; I) MIME-Version: 1.0 To: firewalls@GreatCircle.COM Subject: Re: Need to restrict http://www.nude.com and such Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Hi! I don't think this subject needs so much debate... First of all it is absolutely necessary to outwit the employee in order to prove that they are guilty and then take the appropriate measures. Nobody can be accused without a good proof. Now, most of the xxx sites contain a html meta in the web page header that look like this: Just have to filter the web pages containing this kind of meta... Of course there are also other words but there is no place for them here... There are no secret algorithms... It is not a perfect method but you can obtain good results... You can also log the access of these files and find the employees interested in this. Also active modems can be detected and that call traced... In this way one can prevent unauthorised Internet connections using personal modems at the office... Please anyone tell me if I'm wrong...
Gabriel

From owner-firewalls-outgoing Sat May 3 15:09:49 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id OAA06616 for firewalls-outgoing; Sat, 3 May 1997 14:57:24 -0700 (PDT) Received: from lix.intercom.es (lix.intercom.es [194.179.21.2]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id OAA06599 for ; Sat, 3 May 1997 14:57:17 -0700 (PDT) Received: from MERLIN (ppp-bcn-163.inf.servicom.es [194.149.194.163]) by lix.intercom.es (8.7.3/8.6.12) with SMTP id AAA03110 for ; Sun, 4 May 1997 00:02:42 +0100 Received: by MERLIN with Microsoft Mail id <01BC581E.13852F90@MERLIN>; Sat, 3 May 1997 23:59:45 +0200 Message-ID: <01BC581E.13852F90@MERLIN> From: Alvaro Redondo To: "'liviu@hip.ro'" , "'Firewalls'" Subject: RE: Win 95 Networking Date: Thu, 1 May 1997 16:26:39 +0200 MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: quoted-printable Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

You can't do it with W95 itself. There may be another package that is able to do it under W95, but I don't think so. I was told that setting a special parameter in the registry allows you to add routing capabilities to W95, but only in a static way, not dynamic. It is something that the guys who made W95 thought about, but didn't finish, so I don't think it will work fine. Alvaro Redondo. ---------- From: Sas Liviu Sent: Tuesday 29 April 1997 16:59 To: Firewalls Subject: Re: Win 95 Networking Viorel Dehelean wrote: > Why in Windows 95 when i change the settings for TCP/IP for Dial Up > Adapter > , it automatically changes the settings for TCP/IP for NE200 card ? If we were talking about Win95, how can I set up tcp-ip forwarding on Win95? -- That's what Droopy said.
-----BEGIN PGP PUBLIC KEY BLOCK----- Version: 4.5 mQCNAjNZNysAAAEEALLxeeDSuee1kgjnfDdZKlUM0n7uMotZcM1XvrWfmiv0u2LU T4nlc5u1Df1Mk9EOJuYBPhg64XrDEaUg3/hUNGXlmmUMdKbo+Ew26FLP14qIKQuo tLSlTzYlQmwVRKSXYYLWe2A4i6zTEeva0x5PReOs/eEbMUqduBSimhPqNH55AAUR tBhTYXMgTGl2aXUgPGxpdml1QGhpcC5ybz4= =MrOt -----END PGP PUBLIC KEY BLOCK-----

From owner-firewalls-outgoing Sun May 4 02:24:30 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id CAA01982 for firewalls-outgoing; Sun, 4 May 1997 02:08:57 -0700 (PDT) Received: from relay.bt.net (relay.bt.net [194.72.6.52]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id CAA01975 for ; Sun, 4 May 1997 02:08:52 -0700 (PDT) Received: from mypc (actually 195.99.62.233) by relay.bt.net with SMTP (PP); Sun, 4 May 1997 10:10:44 +0100 From: jayee@pemail.net (Jayee Enterprises) To: Firewalls@GreatCircle.COM Subject: What line speed do I need? Date: Sun, 04 May 1997 09:10:08 GMT Reply-To: jayee@pemail.net Message-ID: <336afe50.4947988@relay.bt.net> References: In-Reply-To: X-Mailer: Forte Agent 1.0/16.390 MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: quoted-printable Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

I'm setting up a Cyber Cafe with about 8 PCs and would like guidance on what size line I need to my ISP? Would 56/64k be OK to start with and plan for growth or should I start higher? I plan to have my Cafe open 6 days per week between 10am till 9pm. Any comments/experience welcomed. John Jayee -------------------------------------------------- email: jayee@pemail.net I don't work here. I'm on a journey to retirement! What I say are my thoughts at the time of typing. For my company's view, please contact the Press Office.
-------------------------------------------------------

From owner-firewalls-outgoing Sun May 4 04:39:31 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id EAA07854 for firewalls-outgoing; Sun, 4 May 1997 04:24:50 -0700 (PDT) Received: from wizard.abirnet.co.il (wizard.abirnet.co.il [194.90.211.10]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id EAA07838 for ; Sun, 4 May 1997 04:24:33 -0700 (PDT) Received: from ziv.abirnet.co.il (z1.abirnet.co.il [194.90.211.21]) by wizard.abirnet.co.il (8.7.6/8.7.3) with SMTP id TAA26936; Sun, 4 May 1997 19:29:22 +0300 Date: Sun, 4 May 97 14:20:27 Israel Daylight Time From: Ziv Dascalu Subject: Re: Need to restrict http://www.nude.com and such To: firewalls@GreatCircle.COM, Gabriel Dura X-Mailer: Chameleon ATX 6.0, Standards Based IntraNet Solutions, NetManage Inc. X-Priority: 3 (Normal) References: <336C3BEE.2F82@geocities.com> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

--- On Sun, 04 May 1997 00:34:06 -0700 Gabriel Dura wrote: > Hi! > > I don't think this subject needs so much debate... First of all it is > absolutely necessary to outwit the employee in order to prove that they are > guilty and then take the appropriate measures. Nobody can be accused > without a good proof. > > Now, most of the xxx sites contain a html meta in the web page header > that look like this: > > > > Just have to filter the web pages containing this kind of meta... Of > course there are also other words but there is no place for them here... > There are no secret algorithms... > > It is not a perfect method but you can obtain good results... > You can also log the access of these files and find the employees > interested in this. > > Also active modems can be detected and that call traced... In this way > one can prevent unauthorised Internet connections using personal modems > at the office...
> > Please anyone tell me if I'm wrong... > Gabriel ---------------End of Original Message----------------- It is absolutely necessary to outwit the employee in order to prove that they are guilty and then take the appropriate measures. Nobody can be accused without a good proof. NO, most of the xxx sites do not contain a html meta in the web page header that look like this: if they do have this then it is VERY easy. Just have to filter the web pages containing this kind of meta... Of course there are also other words but there is no place for them here... There are no secret algorithms... But do you think that they REALLY want to be filtered out? This is why it is not a perfect method but you can obtain good results... By logging the access of these files and finding the employees interested in this, you can avoid a lot of cases like this since once they know you are watching, they will avoid this. /Ziv -- SessionWall-3 offers an effective means of preventing employees or intruders from abusing the network. By monitoring all session traffic, it opens a unique window into how employees are using the network, and can pinpoint the need for defenses against outside threats = Get an EVALUATION COPY at =

From owner-firewalls-outgoing Sun May 4 09:09:32 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id IAA16646 for firewalls-outgoing; Sun, 4 May 1997 08:55:29 -0700 (PDT) Received: from pooh.pageplus.com (pooh.pageplus.com [206.168.18.1]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id IAA16627 for ; Sun, 4 May 1997 08:55:22 -0700 (PDT) Received: from RAMay-Home.pageplus.com (RAMay-Home.pageplus.com [206.168.18.119]) by pooh.pageplus.com (8.8.5/8.8.5) with SMTP id JAA18133; Sun, 4 May 1997 09:52:59 -0600 Message-Id: <199705041552.JAA18133@pooh.pageplus.com> Comments: Authenticated sender is From: "Roger A.
May" Organization: R & R Enterprises To: jayee@pemail.net, Firewalls@GreatCircle.COM Date: Sun, 4 May 1997 09:57:24 -0700 MIME-Version: 1.0 Content-type: text/plain; charset=US-ASCII Content-transfer-encoding: 7BIT Subject: Re: What line speed do I need? Reply-to: Roger@RnR-Ent.Com X-mailer: Pegasus Mail for Win32 (v2.42) Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

A good rule of thumb is no more than 10 to 12 PCs (doing no more than web browsing or email) per 64K of dedicated bandwidth (frame, point-to-point, or ISDN). If ftp or on-line gaming is involved, not more than 4 PCs MAX per 64K of dedicated bandwidth. Those would be the top end limits to balance out costs vs. performance. Optimized for performance would be the same numbers per 128K. Roger A. May Hostmaster and Co-Owner www.net-plus.com www.pageplus.com > I'm setting up a Cyber Cafe with about 8 PCs and would like > guidance on what size line I need to my ISP? > > Would 56/64k be OK to start with and plan for growth or should I start > higher? I plan to have my Cafe open 6 days per week between 10am > till 9pm > > Any comments/experience welcomed. > > John Jayee > -------------------------------------------------- > email: jayee@pemail.net > I don't work here. I'm on a journey to retirement! > What I say are my thoughts at the time of typing. > For my company's view, please contact the Press Office.
> -------------------------------------------------------

From owner-firewalls-outgoing Sun May 4 13:54:33 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id NAA27582 for firewalls-outgoing; Sun, 4 May 1997 13:52:30 -0700 (PDT) Received: from geocities.com (mail5.geocities.com [204.7.246.135]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id NAA27575 for ; Sun, 4 May 1997 13:52:25 -0700 (PDT) Received: from ppp01-braila.iiruc.ro (ppp01-braila.iiruc.ro [193.226.145.211]) by geocities.com (8.7.5/8.7.3) with SMTP id NAA03513; Sun, 4 May 1997 13:51:51 -0700 (PDT) Message-ID: <336D7E4B.6390@geocities.com> Date: Sun, 04 May 1997 23:29:31 -0700 From: Gabriel Dura Reply-To: dura@geocities.com X-Mailer: Mozilla 3.01Gold (Win16; I) MIME-Version: 1.0 To: Ziv Dascalu CC: firewalls@GreatCircle.COM Subject: Re: Need to restrict http://www.nude.com and such References: <336C3BEE.2F82@geocities.com> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Sorry but all porn sites I personally checked have that meta included in their header. Please note that every civilised country in the world has regulations about children's access to pornography, violence, etc. I'm sure there is an Internet standard on this subject... And all sites that are placed in such countries must obey the laws... Other such sites have other meta like this one for instance: > > --- On Sun, 04 May 1997 00:34:06 -0700 Gabriel Dura wrote: > > Hi! > > > > I don't think this subject needs so much debate... First of all it is > > absolutely necessary to outwit the employee in order to prove that they are > > guilty and then take the appropriate measures. Nobody can be accused > > without a good proof. > > > > Now, most of the xxx sites contain a html meta in the web page header > > that look like this: > > > > > > > > Just have to filter the web pages containing this kind of meta...
Of > > course there are also other words but there is no place for them here... > > There are no secret algorithms... > > > > It is not a perfect method but you can obtain good results... > > You can also log the access of these files and find the employees > > interested in this. > > > > Also active modems can be detected and that call traced... In this way > > one can prevent unauthorised Internet connections using personal modems > > at the office... > > > > Please anyone tell me if I'm wrong... > > Gabriel > > ---------------End of Original Message----------------- > > It is absolutely necessary to outwit the employee in order to prove that they are guilty and then > take the appropriate measures. Nobody can be accused without a good proof. > > NO, most of the xxx sites do not contain a html meta in the web page header > that look like this: > > > > if they do have this then it is VERY easy. Just have to filter the web pages containing this kind > of meta... Of course there are also other words but there is no place for them here... > There are no secret algorithms... > But do you think that they REALLY want to be filtered out? > > This is why it is not a perfect method but you can obtain good results... > > By logging the access of these files and finding the employees interested in this, you can > avoid a lot of cases like this since once they know you are watching, they will avoid > this. > > /Ziv > -- > SessionWall-3 offers an effective means of preventing employees or intruders from abusing the > network.
By monitoring all session traffic, it opens a unique window into how employees are > using the network, and can pinpoint the need for defenses against outside threats > = Get an EVALUATION COPY at =

From owner-firewalls-outgoing Sun May 4 14:39:32 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id OAA00650 for firewalls-outgoing; Sun, 4 May 1997 14:29:47 -0700 (PDT) Received: from bramber.windsor.com (bramber.windsor.com [199.181.96.54]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id OAA00643 for ; Sun, 4 May 1997 14:29:41 -0700 (PDT) Received: from carew.windsor.com (carew.windsor.com [199.181.96.17]) by bramber.windsor.com (8.6.12/8.6.12) with SMTP id RAA24872; Sun, 4 May 1997 17:30:34 -0400 Received: by carew.windsor.com with Microsoft Mail id <01BC58B0.DF0052C0@carew.windsor.com>; Sun, 4 May 1997 17:30:33 -0400 Message-ID: <01BC58B0.DF0052C0@carew.windsor.com> From: "Eric V. Smith" To: Ziv Dascalu , "'Gabriel Dura'" Cc: "firewalls@GreatCircle.COM" Subject: RE: Need to restrict http://www.nude.com and such Date: Sun, 4 May 1997 17:30:32 -0400 MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Gabriel Dura said: < about restricting access to sites based on content > > The MS Internet Explorer has such an option about restricting the > access to violence and pornography... Too bad they have so many security > bugs... It could have been successfully used in this case... The idea is > good but the implementation is bad... In what way is the implementation bad? Do you have some facts or pointers you could share? Eric.
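Several posts in this thread (Widders: "Monitoring the log files to see where people are surfing and then taking action is the best remedy", and that use of web proxies / anonymizers "too is suspicious behaviour"; Herrmann: "Most firewalls keep logs of what sites are being accessed, and from what IP"; Tackett: better to know a problem exists than to block and lose sight of it) argue for reviewing the proxy log rather than blocking. The script below is an added example of that review, written for this edit and not code from any poster or from any product named in the thread. It assumes a Squid-style access.log field layout (the thread names no log format), uses the two hostnames the thread itself mentions (www.nude.com, playboy.com) as the policy list, and treats the anonymizer host anon.example.net and every log line as constructed sample data. It also covers the case Widders raises, a user going out through a web anonymizer or CGI redirector, by looking at the target URL carried in the query string, and it handles CONNECT lines, which log host:port rather than a URL.

```python
"""Proxy-log review: which client reached a policy-listed site, and who went
through an anonymizer to get there.  Added example; not code from any poster."""
import re
from collections import defaultdict
from urllib.parse import unquote, urlsplit

# Hostnames the thread mentions as policy targets; matched as parent domains.
BLOCKLIST = {"nude.com", "playboy.com"}
# Assumed entry: the thread names no anonymizer, so this host is made up.
ANONYMIZERS = {"anon.example.net"}

# Squid-style access.log layout (an assumption; the thread names no format):
#   time elapsed client code/status bytes method url ident hierarchy type
LINE_RE = re.compile(
    r"^(?P<ts>\d+(?:\.\d+)?)\s+\d+\s+(?P<client>\S+)\s+(?P<code>\S+)\s+\d+\s+"
    r"(?P<method>\S+)\s+(?P<url>\S+)"
)
EMBEDDED_URL_RE = re.compile(r"https?://[^\s&\"']+")

# Constructed sample lines (not real traffic; timestamps are May 1997 epoch).
SAMPLE_LOG = """\
862673000.123 210 192.168.1.17 TCP_MISS/200 5123 GET http://www.example.com/ - DIRECT/10.0.0.1 text/html
862673010.456 180 192.168.1.17 TCP_MISS/200 8832 GET http://www.nude.com/index.html - DIRECT/10.0.0.2 text/html
862673015.000 300 192.168.1.17 TCP_MISS/200 640 CONNECT www.nude.com:443 - DIRECT/10.0.0.2 -
862673020.789 90 192.168.1.23 TCP_MISS/200 4411 GET http://anon.example.net/cgi-bin/redirect?url=http%3A%2F%2Fwww.nude.com%2F - DIRECT/10.0.0.3 text/html
862673030.000 70 192.168.1.42 TCP_MISS/200 1200 GET http://www.playboy.com/ - DIRECT/10.0.0.4 text/html
this line is not a log record and is skipped
"""


def request_host(method, url):
    """Hostname of a request; CONNECT lines carry host:port, not a URL."""
    if method == "CONNECT" or "://" not in url:
        return url.rsplit(":", 1)[0].lower()
    return (urlsplit(url).hostname or "").lower()


def parse_line(line):
    """Fields we need from one log line, or None if the line does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["host"] = request_host(rec["method"], rec["url"])
    return rec


def host_matches(host, names):
    """True if host equals, or is a subdomain of, any name in the set."""
    host = host.lower().rstrip(".")
    return any(host == n or host.endswith("." + n) for n in names)


def embedded_hosts(url):
    """Hosts of URLs carried inside the query string, e.g. the target handed
    to a CGI redirector or web anonymizer (decoded so %3A%2F%2F is seen)."""
    if "://" not in url:
        return []
    query = unquote(urlsplit(url).query)
    hosts = []
    for u in EMBEDDED_URL_RE.findall(query):
        h = urlsplit(u).hostname
        if h:
            hosts.append(h)
    return hosts


def review(log_text, blocklist=BLOCKLIST, anonymizers=ANONYMIZERS):
    """Group policy hits and anonymizer use by client address."""
    findings = defaultdict(lambda: {"policy": [], "anonymizer": []})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue                      # skip rather than abort the review
        client = rec["client"]
        if host_matches(rec["host"], anonymizers):
            findings[client]["anonymizer"].append(rec["url"])
        # Check the request host and any target URL smuggled in its query.
        targets = [rec["host"]] + embedded_hosts(rec["url"])
        if any(host_matches(h, blocklist) for h in targets):
            findings[client]["policy"].append(rec["url"])
    return dict(findings)


def report(findings):
    """Plain-text summary, one line per client, for whoever follows up."""
    lines = []
    for client in sorted(findings):
        f = findings[client]
        lines.append("%s: %d policy hit(s), %d via anonymizer" %
                     (client, len(f["policy"]), len(f["anonymizer"])))
        for url in f["policy"]:
            lines.append("    " + url)
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(review(SAMPLE_LOG)))
```

Run as-is it prints the summary for the sample lines; pass a real access.log to review() to use it. Matching is on the parent domain, so a list entry of nude.com covers www.nude.com and any other subdomain, and the anonymizer line is reported twice, once for using the anonymizer and once for the destination it carried, which is exactly the combination Widders calls suspicious.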
From owner-firewalls-outgoing Sun May 4 15:59:04 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id PAA06669 for firewalls-outgoing; Sun, 4 May 1997 15:50:00 -0700 (PDT) Received: from home.byelex.nl (home.byelex.nl [195.109.44.130]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id PAA06659 for ; Sun, 4 May 1997 15:49:54 -0700 (PDT) Received: (from cowboy@localhost) by home.byelex.nl (8.8.5/8.8.5) id AAA05964; Mon, 5 May 1997 00:50:42 +0200 Date: Mon, 5 May 1997 00:50:40 +0200 (MET DST) From: Kevin McPeake To: Mitch Gorsha cc: firewalls@GreatCircle.COM Subject: Re: macintosh firewall? In-Reply-To: <9705030318.AA31782@sylvania.sev.org> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

On Fri, 2 May 1997, Mitch Gorsha wrote: > Well, I've been watching the list and waiting for it to surface, but it > hasn't yet. So I'll go ahead and ask ... Always ask. Not asking just breeds ignorance. > Is there a firewall product out there, somewhere, that runs on a > Macintosh? Without having to go to the Mac AIX servers? I figured I'd answer this, since I'm prolly the resident Macintosh expert on this list, and hopefully before any of these NT/Unix lads rip on ya for enjoying Macs. :) No, there is no firewall available for MacintoshOS and there prolly never will be. This most undoubtedly will change with Rhapsody (the NeXT OS for Macs, based on NeXTStep), but that won't be till the end of this year/beginning of next year. Part of the problem is that the current OS is just not up to par with things like preemptive multi-tasking/protected memory etc. There's also a few other reasons, but overall, the common consensus is that Macs don't need a lot of protection from the Internet, 'cause in a round about way, they already are.
This of course, depends what you are doing with those Macintoshes on the network, and some server applications could change this (i.e. AppleShareIP, MacNFS Server, etc). However, if your network consists solely of Macintoshes running classic AppleTalk & say a Mac-OS based Server running WebStar HTTPd / Netpresenz FTPd or Apple Internet Mail Server, you don't have a lot to worry about. I know of several Mac-based ISPs, including StarNet, up in the Chicago Area, that built their ISP using almost all Macs. Now, if you still think you need a Firewall, because you have some sensitive information on a TCP/IP based Server Application on a Mac, then yeah, you might need a firewall (Oracle Database Server, Informix, etc). But if you want to stay Mac only, without having to fork out the cash for an Apple AIX box (which they are dropping support for AIX, thanks in part to the upcoming release of Rhapsody), I would suggest you get a PowerMac 6100/66 or better machine, download either MkLinux OR LinuxPPC and install that, recompile your kernel as per the HOWTOs for Linux Firewalling (links can be found at http://www.linux.org/) and set up your Firewalling rules with ipfwadm, which comes with Linux. I know of several companies that use this setup, and it's a great free solution (minus cost of old PowerPC 6100/66 or better). MkLinux is still in Dev releases, but I've had it running for over a year, and have virtually beat the ever living tarnation out of it, and have seen it crash maybe 6 times.....it's right up there with Intel Linux now, IMHO. It goes without saying, that if your spare computer is an Intel box, instead of a PowerPC, you can do the same thing on Linux for Intel. Hope that helps ya some. > > Whew! Now I feel better , but I'm still interested! > I hope you continue to feel better after you read this far. ;) Cheers, Kev Kevin McPeake cowboy@home.byelex.nl Internet Consultant http://www.byelex.nl/ << You know something's up when your Thought process is idle.
>> USER PID %CPU %MEM VSZ RSS TTY S STARTED TIME COMMAND cowboy 28365 0.0 0.2 2.84M 264K ttyp1 S 12:57:12 0:00.02 Thought From owner-firewalls-outgoing Sun May 4 19:24:36 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id TAA15670 for firewalls-outgoing; Sun, 4 May 1997 19:10:43 -0700 (PDT) Received: from mail.ka.inka.de (quechua.inka.de [193.197.84.5]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id TAA15661 for ; Sun, 4 May 1997 19:10:37 -0700 (PDT) Received: from uu.inka.de ([193.197.84.8]) by mail.ka.inka.de with smtp (ident root using rfc1413) id m0wODG3-0004K5C (Debian Smail-3.2 1996-Jul-4 #2); Mon, 5 May 1997 04:12:07 +0200 (MET DST) Received: from lina.inka.de (lists@lina.inka.de) by uu.inka.de with bsmtp (S3.1.29.1) id ; Mon, 5 May 97 04:12 MET DST Received: by lina.inka.de id m0wOD3p-00016mC (Debian Smail-3.2 1996-Jul-4 #2); Mon, 5 May 1997 03:59:09 +0200 (CEST) Message-Id: Date: Mon, 5 May 1997 03:59:08 +0200 From: Bernd Eckenfels To: "Webb, Dean" Cc: Firewalls@GreatCircle.COM Subject: Re: Firewall gone freaky References: <2132495A1094D011874400609730779104F779@dalnt032.capgemini.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii X-Mailer: Mutt 0.67 In-Reply-To: <2132495A1094D011874400609730779104F779@dalnt032.capgemini.com>; from Webb, Dean on Fri, May 02, 1997 at 09:17:03AM -0500 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > The BorderGuard was installed out-of-the-box, configured only > with our TCP/IP info. No rules regarding traffic were added or modified > by any of us in either company since it was first set up. Well.. I would consider this a 'uninstalled' firewall. > (BTW, I would *love* to RTFM, but it's roughly > 1500 miles away and the sister company ain't letting it out of their > sight or site. This is a simple management problem. 
If you sis company wont let you mange the frewall you are eighter responisble for the loss, nor you should try to solve the problem. Just ask for your own firewall. Unconfigured Software and unread logfiles wont protect you anyway. Greetings Bernd PS: yes, I know it is not what you wanted to hear. But you should not expect ppl to RTFM for you, even if there are political problems to get on that FM. -- (OO) -- Bernd_Eckenfels@Wittumstrasse13.76646Bruchsal.de -- ( .. ) ecki@{inka.de,linux.de,debian.org} http://home.pages.de/~eckes/ o--o *plush* 2048/93600EFD eckes@irc +4972573817 BE5-RIPE (O____O) If privacy is outlawed only Outlaws have privacy From owner-firewalls-outgoing Sun May 4 19:54:29 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id TAA19056 for firewalls-outgoing; Sun, 4 May 1997 19:51:15 -0700 (PDT) Received: from news.acrux.net (pluto.acrux.net [207.51.199.3]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id TAA19049 for ; Sun, 4 May 1997 19:51:10 -0700 (PDT) Received: from pluto (pluto [207.51.199.3]) by news.acrux.net (8.8.5/8.8.5) with SMTP id VAA02379; Sun, 4 May 1997 21:51:44 -0500 (CDT) Date: Sun, 4 May 1997 21:51:43 -0500 (CDT) From: Brian Tackett X-Sender: cym@pluto To: Kevin McPeake cc: firewalls@GreatCircle.COM Subject: Re: macintosh firewall? In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk On Mon, 5 May 1997, Kevin McPeake wrote: > But if you want to stay Mac only, without having to fork out the cash for > a Apple AIX box (which they are dropping support for AIX, thanks in part *cough* Do you mean AIX, or A/UX? 
Unless I've not kept pace with things, AIX is IBM, A/UX is Apple ;) From owner-firewalls-outgoing Sun May 4 21:54:40 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id VAA25694 for firewalls-outgoing; Sun, 4 May 1997 21:50:05 -0700 (PDT) Received: from Fe3.rust.net (Fe3.rust.net [204.157.12.254]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id VAA25682 for ; Sun, 4 May 1997 21:49:58 -0700 (PDT) Received: from rust.net.204.157.12.254 (mh-31.rust.net [205.199.80.131]) by Fe3.rust.net (8.8.5/8.8.5) with SMTP id AAA14892; Mon, 5 May 1997 00:51:56 -0400 (EDT) Date: Mon, 5 May 1997 00:51:56 -0400 (EDT) Message-Id: <199705050451.AAA14892@Fe3.rust.net> X-Sender: janken@rust.net X-Mailer: Windows Eudora Pro Version 2.1.2 Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" To: Brian Tackett From: Ken Stephens Subject: Re: macintosh firewall? Cc: firewalls@GreatCircle.COM Sender: firewalls-owner@GreatCircle.COM Precedence: bulk At 09:51 PM 5/4/97 -0500, you wrote: >On Mon, 5 May 1997, Kevin McPeake wrote: > >> But if you want to stay Mac only, without having to fork out the cash for >> a Apple AIX box (which they are dropping support for AIX, thanks in part > >*cough* Do you mean AIX, or A/UX? Unless I've not kept pace with things, >AIX is IBM, A/UX is Apple ;) > No, he does mean IBM AIX running on an Apple Hardware platform. It came out a couple of years ago. I watched an interesting demo where the engineer pulled the only hard disk module out of the server and then plugged it back in and rebooted the beast and it worked just fine. Interesting use of a log file. The entire box is field strip-able in about 90 seconds (including the motherboard drop-in rails that slide out of the case and dual hot swappable power supplies). It will run most standard AIX software and speaks fluent Appletalk. If I had 50 more Macs in my shop I would have bought one for a server. Strange bedfellows (IBM and Apple)! 
Ken [][][][][][][][][][][][][][][][][][][][][][][][][][][] [] Ken_Stephens@miconsulting.com (313) 876-5081 [] [] Senior Capacity Planner/I.S. Security Manager [] [] Michigan Employment Security Agency (MESA) [] [] Millennium Consulting [] [] [] [] Your Security Policy is only as strong as your [] [] organization's commitment to it. [] [][][][][][][][][][][][][][][][][][][][][][][][][][][] From owner-firewalls-outgoing Sun May 4 22:09:31 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id VAA25912 for firewalls-outgoing; Sun, 4 May 1997 21:58:27 -0700 (PDT) Received: from tempest.stu.rpi.edu (tempest.stu.rpi.edu [128.113.167.164]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id VAA25905 for ; Sun, 4 May 1997 21:58:22 -0700 (PDT) Received: from localhost (jester@localhost) by tempest.stu.rpi.edu (8.8.5/8.8.3) with SMTP id AAA00308; Tue, 6 May 1997 00:59:45 -0400 Date: Tue, 6 May 1997 00:59:45 -0400 (EDT) From: Jester To: Lucas Buckler-Carey cc: firewalls@greatcircle.com, ntsecurity@iss.net Subject: Re: [NTSEC] Re: L0pht Scanning - Beware In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk On Mon, 28 Apr 1997, Lucas Buckler-Carey wrote: > > What, may I ask, did l0pht do to your system? > If they are true hackers in the sense of the word they didn't do jack > shit. Mabey took a peek at some info you didn't want anyone to see but > that's all. Perhaps they even gave everyone with a modem access to all > your data. You would say that I am a hacker and encourage others to be > hackers. You might be right. I've broken into systems and looked at some > info I perhaps wasn't allowed to. So what? Organized hacker groups won't > do anything to your personal life if you don't do anything to thiers. We > all want information. You want it. I want it. Everyone on this list > wants it. Everyohne with a computer wants it. 
That is what a hacker is. > Someone who wants information from a computer or about a computer and > won't let a security system get in the way. Unless they crashed your I don't think you really know what a hacker is. It has nothing to do with cracking into systems. It is messages like yours which perpetuates this attitude in the media and with the masses. You may very well be a hacker, and according to your description you are indeed a cracker, and finally you conclusions are correct that l0pht are hackers in the true sense of the word (as Ibelieve they are) then they most likely did nothing ... however, you seem to have a warped view of just what a hacker does. :) From owner-firewalls-outgoing Sun May 4 23:54:44 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id XAA03911 for firewalls-outgoing; Sun, 4 May 1997 23:49:42 -0700 (PDT) Received: from porsche.inabbdb.co.in ([206.103.13.101]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id XAA03840 for ; Sun, 4 May 1997 23:49:16 -0700 (PDT) Received: from bmw.inabbdb.co.in (bmw [192.168.0.4]) by porsche.inabbdb.co.in (8.6.12/8.6.9) with SMTP id PAA00357; Mon, 5 May 1997 15:11:12 +0500 Received: from localhost by bmw.inabbdb.co.in; (5.65v3.2/1.1.8.2/30Mar96-1218PM) id AA13814; Mon, 5 May 1997 12:20:46 +0500 Message-Id: <336D8A4E.794B@porsche.inabbdb.co.in> Date: Mon, 05 May 1997 12:20:46 +0500 From: Raju Krishnan X-Mailer: Mozilla 3.0Gold (X11; I; OSF1 V3.2 alpha) Mime-Version: 1.0 To: jonw@mntcmp2.demon.co.uk Cc: firewalls@GreatCircle.COM Subject: Firewall routing problem Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Dear Mr Jon, We are facing the same problem in our network as you have mentioned in posting on Oct, 1996. How did you solve your problem regarding pinging to router from internal n/w. We have a class C of our own private network address 192.168.0.*. 
Netmask is 255.255.255.0. ------- | |eth0 206.103.13.97 Leased line--|Cisco |------- 202.54.5.194 |2501 | | Net: 255.255.255.240 ------- | |eth1 206.103.13.101 __________ | Linux | | Gateway | Firewall FWTK |__________| | |eth0 192.168.0.3 Net: 192.168.0.0 | ---------------------------------- | | | | Other Digital Unix Machines with Netmask 192.168.0.0 Information: Firewall is Linux machine running FWTK (freeware Firewall). CISCO router is 2501 running IPX. Cisco router has following router IP commands. interface Ethernet0 ip address 206.103.13.97 255.255.255.240 ! interface Serial0 ip address 202.54.5.193 255.255.255.252 ! interface Serial1 no ip address shutdown ! router rip network 206.103.13.0 network 202.54.5.0 ! ip route 0.0.0.0 0.0.0.0 202.54.5.194 snmp-server community public RO Linux firewall has default routing to router. The problem we are facing is. The firewall can ping the router and all outside machines on internet. The firewall can ping the internal local machines. The router can ping the internet and the firewall eth0 and eth1 but cannot ping across the firewall to internal machines. Similarly internal machines 192.168.0.1, 192.168.0.2 etc can ping both eth1 and eth0 of linux but cannot ping the router eth0 or outside world. Questions: Does the router also need another route ip command to tell the packets going to the inside net that they have to go via the firewall gateway interface 206.103.13.101? 2. Similarly does the firewall need to have two route commands issued one to pass down and one to pass the packets up via the firewall? 
Thanks and regards raju Please reply directly to raju@porsche.inabbdb.co.in -- ----------------------------------------------------------------- RAJU KRISHNAN __0 _-\<,_ ABB Daimler Benz Transportation(India) Ltd (_)/ (_) Phone : +91 265 336486 Ext: 432 & +91 265 311766 Fax : +91 265 338368 Email : raju@porsche.inabbdb.co.in ------------------------------------------------------------------ From owner-firewalls-outgoing Mon May 5 00:54:28 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id AAA08502 for firewalls-outgoing; Mon, 5 May 1997 00:52:32 -0700 (PDT) Received: from nimue.jammed.com (jammed.com [165.227.120.19]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id AAA08495 for ; Mon, 5 May 1997 00:52:26 -0700 (PDT) Received: (from deadmail@localhost) by nimue.jammed.com (8.8.5/8.8.5) id AAA07243; Mon, 5 May 1997 00:54:39 -0700 Received: from nimue.jammed.com (gate.jammed.com) by gate.jammed.com (deadmail-1.1/JAMMED) via SMTP; Mon May 5 00:54:38 1997 Date: Mon, 5 May 1997 00:54:36 -0700 (PDT) From: "James W. Abendschan" To: firewalls@greatcircle.com, Raju Krishnan Subject: Re: Firewall routing problem In-Reply-To: <336D8A4E.794B@porsche.inabbdb.co.in> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk On Mon, 5 May 1997, Raju Krishnan wrote: > We are facing the same problem in our network as you have mentioned in > posting on Oct, 1996. How did you solve your problem regarding pinging > to router from internal n/w. [ ... ] > The problem we are facing is. > > The firewall can ping the router and all outside machines on internet. This is normal. > The firewall can ping the internal local machines. This is normal. > The router can ping the internet and the firewall eth0 and eth1 but > cannot ping across the firewall to internal machines. This too is normal. 
The router should not be able to reach the internal machines; the router is, for all intents and purposes, the Internet. If the Internet router can reach your internal network, what is the point of a firewall? > Similarly internal machines 192.168.0.1, 192.168.0.2 etc can ping both > eth1 and eth0 of linux but cannot ping the router eth0 or outside world. This too is normal behaviour, unless you've configured your Linux firewall to do ICMP masquerading (kernel 2.0.30 has support for this.) Check out /usr/src/linux/Documentation/networking/masquerading.txt. You don't want the Internet to be able to ping your systems, and you don't necessarily want your systems to ping the Internet. If you do, then you'll need to employ some form of masquerading. James -- James W. Abendschan jwa@jammed.com JAMMED Systems, Inc. http://www.jammed.com "Turing," she said. "You are under arrest." -- William Gibson From owner-firewalls-outgoing Mon May 5 01:39:59 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id BAA12756 for firewalls-outgoing; Mon, 5 May 1997 01:30:00 -0700 (PDT) Received: from monolith.synergy.net (monolith.synergy.net [198.207.229.9]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id BAA12741 for ; Mon, 5 May 1997 01:29:52 -0700 (PDT) Received: from localhost (sandeep@localhost) by monolith.synergy.net (8.8.5/8.8.5) with SMTP id DAA08160 for ; Mon, 5 May 1997 03:33:50 -0500 Date: Mon, 5 May 1997 03:33:50 -0500 (CDT) From: Sandeep Kumar Talwar To: firewalls@greatcircle.com Subject: Re:Firewalls-Digest V6#197 Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk I have a TIS Http proxy running on my Linux. I want to restrict two particular sites from access to our staff. Could someone tell me as to where in which file to make the necessary changes. I guess there is a mailing list for TIS tool-kit users as well,where is it? Thanks in advance. 
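An added example for the routing thread above (Raju Krishnan's question and James Abendschan's reply), not code from either of them: a toy longest-prefix-match model of Raju's topology that traces an echo request and its reply hop by hop, showing why the reply from the outside never returns to 192.168.0.1 until the firewall masquerades the inside net. Addresses and the Cisco default route are from Raju's message; the routing tables of the inside host, the firewall and the provider side (202.54.5.194 standing in for "the Internet"), and the Node/trace/round_trip names, are my assumptions.

```python
"""Toy static-routing model of the topology in Raju Krishnan's message.

Added example, not code from the thread. Addresses and the Cisco routes
come from the message; the routing tables of the firewall, the inside host
and the provider side (202.54.5.194 standing in for the Internet) are
reconstructions, i.e. assumptions.
"""
import ipaddress
from dataclasses import dataclass

IPv4 = ipaddress.IPv4Address
Net = ipaddress.IPv4Network


@dataclass
class Node:
    """A host or router: its own addresses plus a static routing table.

    routes holds (prefix, next_hop) pairs; next_hop None = directly connected.
    """
    name: str
    addrs: frozenset
    routes: list
    forwards: bool = False  # only routers and the firewall forward packets

    def lookup(self, dst: IPv4):
        """Longest-prefix match over the table; None when no route matches."""
        matches = [(net, nh) for net, nh in self.routes if dst in net]
        return max(matches, key=lambda r: r[0].prefixlen, default=None)


INSIDE_HOST = IPv4("192.168.0.1")
FW_INSIDE, FW_OUTSIDE = IPv4("192.168.0.3"), IPv4("206.103.13.101")
ROUTER_ETH0, ROUTER_S0 = IPv4("206.103.13.97"), IPv4("202.54.5.193")
ISP = IPv4("202.54.5.194")  # far end of the leased line; "the Internet" here
INSIDE_NET = Net("192.168.0.0/24")

NODES = [
    Node("internal", frozenset({INSIDE_HOST}),
         [(INSIDE_NET, None), (Net("0.0.0.0/0"), FW_INSIDE)]),
    Node("firewall", frozenset({FW_INSIDE, FW_OUTSIDE}),
         [(INSIDE_NET, None), (Net("206.103.13.96/28"), None),
          (Net("0.0.0.0/0"), ROUTER_ETH0)], forwards=True),
    # Mirrors "ip route 0.0.0.0 0.0.0.0 202.54.5.194" from the Cisco config.
    Node("router", frozenset({ROUTER_ETH0, ROUTER_S0}),
         [(Net("206.103.13.96/28"), None), (Net("202.54.5.192/30"), None),
          (Net("0.0.0.0/0"), ISP)], forwards=True),
    # Assumed: the provider knows the public /28 behind the router but, like
    # the rest of the Internet, has no route at all for private 192.168.0.0/24.
    Node("internet", frozenset({ISP}),
         [(Net("202.54.5.192/30"), None), (Net("206.103.13.96/28"), ROUTER_S0)],
         forwards=True),
]
OWNER = {addr: node for node in NODES for addr in node.addrs}


def trace(src: IPv4, dst: IPv4, max_hops: int = 8):
    """Carry one packet hop by hop. Returns (delivered, names of nodes visited)."""
    node, path = OWNER[src], []
    for _ in range(max_hops):
        path.append(node.name)
        if dst in node.addrs:
            return True, path
        if len(path) > 1 and not node.forwards:
            return False, path            # a plain host does not route for others
        route = node.lookup(dst)
        if route is None:
            return False, path            # no route: dropped right here
        _, next_hop = route
        target = dst if next_hop is None else next_hop
        if target not in OWNER:
            return False, path            # nobody on the link owns that address
        node = OWNER[target]
    return False, path


def round_trip(src: IPv4, dst: IPv4, masquerade: bool):
    """Echo request from src to dst plus the echo reply back to src.

    With masquerade=True the firewall rewrites an inside source address to its
    own outside address (FW_OUTSIDE) on the way out and maps the reply back,
    which is what the IP masquerading James refers to does.
    """
    out_ok, out_path = trace(src, dst)
    if not out_ok:
        return False, out_path, []
    masq = masquerade and src in INSIDE_NET and "firewall" in out_path
    reply_to = FW_OUTSIDE if masq else src
    back_ok, back_path = trace(dst, reply_to)
    if back_ok and masq:
        # the firewall recognises the masqueraded flow and delivers it inward
        back_ok, tail = trace(FW_INSIDE, src)
        back_path = back_path + tail[1:]
    return back_ok, out_path, back_path


if __name__ == "__main__":
    cases = [("router -> inside host", (ROUTER_ETH0, INSIDE_HOST, False)),
             ("inside host -> Internet, no masq", (INSIDE_HOST, ISP, False)),
             ("inside host -> Internet, masq", (INSIDE_HOST, ISP, True))]
    for label, args in cases:
        ok, out, back = round_trip(*args)
        print(f"{label}: {'OK' if ok else 'FAILS'} out={out} back={back}")
```

The request always reaches the provider; it is the reply that dies there for lack of a route to 192.168.0.0/24, which is why the fix is masquerading on the firewall rather than another route on the router.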
From owner-firewalls-outgoing Mon May 5 01:54:41 1997
From: Eric Deschamps
Reply-To: Eric Deschamps
To: "Marc D. Jackson"
Cc: Jerald Josephs, firewalls@GreatCircle.COM, fw-1-mailinglist@us.checkpoint.com, drexx@pspi.com.ph
Date: Mon, 5 May 1997 10:27:53 +0200 (MET DST)
Subject: Re: [FW1] [FW-1] [Solaris 2.6] DHCP, VLSM thoughts
In-Reply-To: <199705021453.HAA10734@Xenon.Stanford.EDU>

> > > > 2] How will VLSM make firewalling administration any easier/better ?
> > > >
> > >
> > No, but it will make it easier to subnet your intranet without
> > losing precious IP addresses to a subnet without enough
> > hosts to use all of the addresses.
> >
> ? I don't understand this last sentence. My exposure to VLSM indicates
> that it has nothing to do with subnetting your intranet. I ran into
> this problem when trying to route with rip. Specifically, Sun's
> implementation of the routing socket interface is not the industry
> standard. In other words, when you use a Sun machine as a multi-homed
> host with subnetted networks the rip updates are incorrect. The routers
> that we used had no problems at all in dealing with the subnetted
> networks, therefore while we were able to subnet our intranet we had
> problems with using Suns as any type of router.
>
> mj

Marc,

It seems that VLSM stands for "variable-length subnet mask", so it looks
like it has to do with subnetting your intranet.

RIP has no knowledge of subnet addressing, so I am not sure I understand
the meaning of "Sun's implementation of the routing socket interface is
not the industry standard". Which standard is it?

It is a RIP problem; RIP2 addresses this problem (and others as well)
without any ambiguity.

Rgds,
Eric

From owner-firewalls-outgoing Mon May 5 03:39:31 1997
From: Kevin McPeake
To: Brian Tackett
cc: firewalls@GreatCircle.COM
Date: Mon, 5 May 1997 12:27:42 +0200 (MET DST)
Subject: Re: macintosh firewall?

On Sun, 4 May 1997, Brian Tackett wrote:

> On Mon, 5 May 1997, Kevin McPeake wrote:
>
> > But if you want to stay Mac only, without having to fork out the cash for
> > an Apple AIX box (they are dropping support for AIX, thanks in part
>
> *cough* Do you mean AIX, or A/UX? Unless I've not kept pace with things,
> AIX is IBM, A/UX is Apple ;)

ehhhh.....NO. :)

The Apple Network Servers run AIX, not A/UX. Apple dropped A/UX a few
years ago, but last year they released some beasts of machines that were
built specifically for IBM AIX. Quite nice machines too, but now Apple has
announced that they will be discontinuing support for AIX in the future,
and supporting Rhapsody on them, which is basically NeXTStep. This is why
Sun is in a bit of a frenzy about the Apple/NeXT merger.

If you have more questions about this, I'd be glad to answer them, but
let's keep this to firewalls on the list. ......after all, I know how you
hate high S/N ratios, Brian. ;)

Cheers,
Kev

Kevin McPeake                              cowboy@home.byelex.nl
Internet Consultant                        http://www.byelex.nl/
<< You know something's up when your Thought process is idle. >>
USER     PID  %CPU %MEM   VSZ   RSS TTY   S  STARTED     TIME COMMAND
cowboy 28365   0.0  0.2 2.84M  264K ttyp1 S  12:57:12 0:00.02 Thought

From owner-firewalls-outgoing Mon May 5 04:24:36 1997
From: Ziv Dascalu
To: Gabriel Dura
Cc: firewalls@GreatCircle.COM
Date: Mon, 5 May 97 14:09:40 Israel Daylight Time
Subject: Re: Need to restrict http://www.nude.com and such

--- On Sun, 04 May 1997 23:29:31 -0700 Gabriel Dura wrote:

> Sorry but all porn sites I personally checked have that meta included in
> their header. Please note that every civilised country in the world has
> regulations about children's access to pornography, violence, etc. I'm
> sure there is an Internet standard on this subject... And all sites that
> are placed in such countries must obey the laws...
>
> Other such sites have other meta like this one for instance:
> pornography that don't have any kind of warning in their HTML source and
> I'll believe you... If you say that most of these web sites don't have
> it I'm sure you can give me a lot of examples...
>
> And yes if your boss wants to restrict access to all personnel to porn
> sites and prevent all people from abusing the net then it is necessary to
> do it. You don't need a list of the porn sites to do this... This is
> just a waste of money...
>

here are some:

the point is that I do not know of any written law that says that they
should use these types of META tags. there are sites that can be blocked
this way and I have found that one of the ways list providers update their
list is by doing a search like this, but there are many sites that do not
match this META tag.

Monitoring is needed, but monitoring can give you TOO much information.
this is exactly why you need to define what exactly you want to monitor.
you can say that you want to log all WWW access but it is better to log
only the text ones and not the binaries (like gif etc.). it is also
important to log / monitor / block by specific keywords that exist in the
text like drugs, sex etc. (if you want to do so)

/Ziv Dascalu

From owner-firewalls-outgoing Mon May 5 04:54:35 1997
From: Stefan Keller
To: "'firewalls-digest@GreatCircle.com'"
Date: Mon, 5 May 1997 13:49:52 +0200
Message-ID: <01BC595B.365B9980@win95-keller>
Subject: Firewall-1 in NT environment

Hi there! :-)

We're about to install a Firewall-1 NT v3.0. The customer has mostly NT
machines. I'd like FW-1 to be able to look up the NT passwords (as stored
on the PDC). Check Point wrote me that the *internal* NT passwords (on
the bastion host) are a means of authentication. I don't feel good about
making the bastion host part of an NT domain.

Any opinions/ideas/pointers?

Stefan

From owner-firewalls-outgoing Mon May 5 05:09:46 1997
From: "Roberto Rodríguez Fernández"
Date: Mon, 5 May 1997 13:21:07 +0200
Message-Id: <199705051145.EAA01420@honor.greatcircle.com>
Subject: RE: [Firewall] Need to restrict http://www.nude.com and such

> Just as an example -- say my company had a policy against my visiting
> www.nude.com. Well, there's nothing to stop me from getting another
> account elsewhere and visiting that site from there, either using
> telnet/lynx or, if I have use of a modem from my desk, even opening up a
> ppp connection and using Netscape. It's a lot harder to outwit employees
> than it is to discipline them for violating the rules once they're caught.

There are some sites you can access, and from these you can access another
site. Can the logs reflect this?

Roberto.

From owner-firewalls-outgoing Mon May 5 05:27:13 1997
From: "Peter Meuser"
Organization: IfKW, UNI Munich
To: firewalls@greatcircle.com
Date: Mon, 5 May 1997 13:45:07 MET-1MEST
Reply-to: pmeuser@ifkw.uni-muenchen.de
Message-ID: <1A9FA7C5AE8@ifkw-2.ifkw.uni-muenchen.de>
Subject: Attack hole in EagleNT 4.0 with port scan?

Is there anybody out there who can retry the following scenario with
Raptor EagleNT 4.0?

There seems to be a problem with the gopher proxy (gopherd.exe) of
EagleNT. QuickSlice from the NT Reskit shows that after scanning port 70
of the firewall gateway with UltraScan 1.2, gopherd.exe gets nearly 100%
of the processor's attention and won't come down anymore. The only
solution to get the process down is to stop and restart the Eagle
service. After that, gopherd.exe is resistant to the port scan attack. So
this scenario only works with a freshly booted system.

In my eyes this is a very mysterious bug in EagleNT 4.0 (I have installed
the first patch epint40.exe).

Any comments?

Peter

----------------------------------------------------------------------
Peter Meuser        Internet:   pmeuser@ifkw.uni-muenchen.de
                    CompuServe: 75310,673
LANline-LAB         Telefon: (089) 27 222 33
Munich/Germany      FAX:     (089) 27 222 28
----------------------------------------------------------------------

From owner-firewalls-outgoing Mon May 5 05:40:10 1997
From: Sandeep_Talwar@INDIA.notes.pwa.co.in
To: Firewalls@GreatCircle.COM
Date: Mon, 5 May 1997 17:55:24 +300500
Message-ID: <6525648E:00439417.00@notesgw.pwa.co.in>
Subject: Re: Firewalls-Digest V6 #199

Our mail configuration is ----> all incoming mail is received at a Linux
host running sendmail and this is forwarded to a Lotus Notes server.
Where should I be scanning emails ---- at the Linux box or on the box
running Lotus Notes (the OS is OS/2)? And what are some good email
scanning products that any of you know of or are using?

Thanks in advance.

sandeep

From owner-firewalls-outgoing Mon May 5 06:49:41 1997
From: Arnaud Ventura
Reply-To: a-ventura@usa.net
Organization: BNP
To: Firewalls@GreatCircle.COM
Date: Mon, 05 May 1997 10:21:37 -0600
Message-ID: <336E0911.6EA7@usa.net>
Subject: Solution with Novell ?

Does anyone know a little about the Secure Solution of Novell for
connection to the Net?

Arnaud

---------------------------------------------------
Arnaud Ventura          mail: a-ventura@usa.net
25 de Mayo 471          Tel : (54).1 318 0331
Buenos Aires
----------------------------------------------------

From owner-firewalls-outgoing Mon May 5 06:55:13 1997
From: Arnaud Ventura
Reply-To: a-ventura@usa.net
Organization: BNP
To: Firewalls@GreatCircle.COM
Date: Mon, 05 May 1997 10:34:00 -0600
Message-ID: <336E0BF8.360C@usa.net>
Subject: FW Solution ?
References: <199705021727.KAA00469@honor.greatcircle.com>

We have a Novell network and we want to connect it to the Net. Are there
specific and appropriate solutions to handle the security on it?
Obviously, the cheaper, the better...

For info, we are more on the NT side than the Unix one...

Arnaud

---------------------------------------------------
Arnaud Ventura          mail: a-ventura@usa.net
25 de Mayo 471          Tel : (54).1 318 0331
Buenos Aires
----------------------------------------------------

From owner-firewalls-outgoing Mon May 5 07:14:09 1997
From: claude.marinier@dreo.dnd.ca (Marinier, Claude)
To: Firewalls@GreatCircle.COM
Date: Mon, 05 May 1997 09:39:53 -0400
Message-Id: <3.0.1.32.19970505093953.00944100@caen-sp.cps.dreo.dnd.ca>
Subject: Re: [FW1] [FW-1] [Solaris 2.6] DHCP, VLSM thoughts

>With DHCP, one will have to define generic hostnames for the
>range of IP addresses used in the IP allocation and you will
>not be able to do Authentication for a user coming from a
>particular host.

Are there not DNS systems which take input from DHCP servers and provide
correct answers to queries? I heard that Microsoft was going to do just
that with some version of NT. Can anyone confirm or deny this?
____________________ Claude Marinier Information Technology Group Defence Research Establishment Ottawa (DREO) Claude.Marinier@dreo.dnd.ca http://www.dreo.dnd.ca 613-998-4901 FAX 613-998-2675 From owner-firewalls-outgoing Mon May 5 07:45:51 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id HAA26148 for firewalls-outgoing; Mon, 5 May 1997 07:27:33 -0700 (PDT) Received: from wizard.abirnet.co.il (wizard.abirnet.co.il [194.90.211.10]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id HAA26129 for ; Mon, 5 May 1997 07:27:25 -0700 (PDT) Received: from ziv.abirnet.co.il (z1.abirnet.co.il [194.90.211.21]) by wizard.abirnet.co.il (8.7.6/8.7.3) with SMTP id WAA06094; Mon, 5 May 1997 22:32:18 +0300 Date: Mon, 5 May 97 17:27:05 Israel Daylight Time From: Ziv Dascalu Subject: Re: Solution with Novell ? To: Arnaud Ventura , Firewalls@GreatCircle.COM X-Mailer: Chameleon ATX 6.0, Standards Based IntraNet Solutions, NetManage Inc. X-Priority: 3 (Normal) References: <336E0911.6EA7@usa.net> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk --- On Mon, 05 May 1997 10:21:37 -0600 Arnaud Ventura wrote: > Does anyone know a little about the Secure Solution > of Novell for connection to the Net ? > > Arnaud > > --------------------------------------------------- > Arnaud Ventura mail: a-ventura@usa.net > 25 de Mayo 471 Tel : (54).1 318 0331 > Buenos Aires > ---------------------------------------------------- ---------------End of Original Message----------------- Arnaud, Novell has a solution called IntraNetWare which does tcp over ipx but it is used mainly within the intranet. It may considered more secure since most of the tcp/ip "attack tool" build a TCP frame and not a TCP over IPX packet frames. 
Ziv Dascalu
ABIRNET Active Network Protection
http://www.AbirNet.com

From owner-firewalls-outgoing Mon May 5 08:10:25 1997
From: MSITMI02.XZ46G8@eds.com
Message-ID: <0095000011433556000002*@MHS>
To: "firewalls(a)GreatCircle.com":;
Subject: Re: Need to restrict http://www.nude.com
Date: Mon, 5 May 1997 10:52:52 -0400

Has anyone ever realised what a great denial of service attack it is to get your competitor onto one of the automated lists of restricted URLs? It could hang around and get propagated for months, years. This has happened. I downloaded a list a while back that denied access to the whole domain of demon.co.uk. For those who don't know, it is not a satanic objects mail-order or game company but a large UK ISP offering mail and web services to thousands of people.

distinti saluti/best regards
Philip Kerrigan
EDS Italia SpA
Viale Monza, 257
Milano, Italy
tel. + (0)2 2524272
msitmi02.xz46g8@eds.com
fax + (0)2 27002588

From owner-firewalls-outgoing Mon May 5 08:25:00 1997
Date: Mon, 5 May 1997 10:17:31 -0500 (CDT)
From: Brian Tackett
To: Ken Stephens
cc: firewalls@GreatCircle.COM
Subject: Re: macintosh firewall?
In-Reply-To: <199705050451.AAA14892@Fe3.rust.net>

On Mon, 5 May 1997, Ken Stephens wrote:

> If I had 50 more Macs in my shop I would have bought one for a server.
> Strange bedfellows (IBM and Apple)!

Wow :) I stand corrected, and the pink pig flying past my window is scolding me ferociously. This wouldn't be some weird offshoot of the whole Taligent/Pink mess, would it?

From owner-firewalls-outgoing Mon May 5 08:39:58 1997
From: "Judas, Roland"
To: "'Firewalls@GreatCircle.COM'"
Subject: RE: [FW1] [FW-1] [Solaris 2.6] DHCP, VLSM thoughts
Date: Mon, 5 May 1997 17:30:00 +0100

The Microsoft RFC-compliant DNS implementation in Windows NT 4.0 does not offer direct integration with DHCP, but with WINS (Windows Internet Name Service). The WINS service is tightly integrated with the DHCP service and therefore has some advantages over DNS. Because the clients register themselves with the WINS server at boot time, a WINS query will return the current (even dynamic) client IP address. The disadvantages are that this service is only used in the MS Windows and LAN Manager environment and there is no hierarchical structure like in DNS.

With NT 4.0, WINS is integrated with DNS in the way that the MS DNS server knows about a WINS server and is able to forward queries and reverse lookups to it. They have done it using an MS-specific record in the MS DNS service (IN WINS). This enables you to have the WINS lookup on a per-domain basis.

So, if you are working in a Windows environment, you can say that DNS is integrated with DHCP (if you use the WINS service).

Roland

Note: This is just a very short piece of information. There is much more to say about Windows name resolution, but it would take me hours to explain.

-----Original Message-----
From: claude.marinier@dreo.dnd.ca [SMTP:claude.marinier@dreo.dnd.ca]
Sent: Monday, May 05, 1997 2:40 PM
To: Firewalls@GreatCircle.COM
Subject: Re: [FW1] [FW-1] [Solaris 2.6] DHCP, VLSM thoughts

Are there not DNS systems which take input from DHCP servers and provide correct answers to queries? I heard that Microsoft was going to do just that with some version of NT. Can anyone confirm or deny this?

From owner-firewalls-outgoing Mon May 5 09:04:38 1997
Date: Mon, 5 May 97 11:27:50 EDT
From: davez@mtb.phil.mop.com (Dave Zarnoch)
Message-Id: <9705051527.AA15260@mtb.phil.mop.com>
Apparently-To: Firewalls@GreatCircle.COM

please remove

From owner-firewalls-outgoing Mon May 5 09:09:40 1997
Date: Mon, 5 May 1997 09:02:56 -0700
From: Jerald.Josephs@Ebay.Sun.COM (Jerald Josephs)
Message-Id: <199705051602.JAA10111@althea.EBay.Sun.COM>
To: dechon@CS.Stanford.EDU, Eric.Deschamps@France.Sun.COM
Subject: Re: [FW1] [FW-1] [Solaris 2.6] DHCP, VLSM thoughts
Cc: Jerald.Josephs@Ebay.Sun.COM, firewalls@GreatCircle.COM, fw-1-mailinglist@us.checkpoint.com, drexx@pspi.com.ph

> > > > > > > 2] How will VLSM make firewalling administration any easier/better ?
> > > >
> > > No, but it will make it easier to subnet your intranet without
> > > losing precious IP addresses to a subnet without enough
> > > hosts to use all of the addresses.
> >
> > ? I don't understand this last sentence. My exposure to VLSM indicates
> > that it has nothing to do with subnetting your intranet. I ran into
> > this problem when trying to route with RIP. Specifically, Sun's
> > implementation of the routing socket interface is not the industry
> > standard. In other words, when you use a Sun machine as a multi-homed
> > host with subnetted networks the RIP updates are incorrect. The routers
> > that we used had no problems at all in dealing with the subnetted
> > networks, therefore while we were able to subnet our intranet we had
> > problems with using Suns as any type of router.
> >
> > mj
>
> Marc,
>
> It seems that VLSM stands for "variable-length subnet mask", so it looks like
> it has to do with subnetting your intranet. RIP has no knowledge of subnet
> addressing, so I am not sure I understand the meaning of "Sun's
> implementation of the routing socket interface is not the industry standard".
> Which standard is it? It is a RIP problem; RIP2 addresses this problem (and
> others as well) without any ambiguity.
>
> Rgds,
>
> Eric

Marc,

I actually began a lengthy detailed response that I failed to get off before my mail utility did a no-no and I lost the composition.

VLSM refers to the same thing as CIDR, Classless Internet Domain Routing. For those who may not be familiar with this, CIDR addresses the problem that the Internet is seeing with the explosion of Class C addresses all over the place. Traditionally, to reach a network, you need a route. With so many new networks, you need a robust routing table. The shortage of Class B addresses has forced companies to subnet their Class B into Class C. This creates numerous new routing table entries. CIDR says that if you own 192.168.0.0, then I can assume that 192.168.1.0 through 192.168.255.0 are all within your domain, so all I need is a single route to 192.168.0.0 to handle all of the subnets. The problem was that the earlier versions of routed shipped with Solaris, as well as the kernel IP routing module, could not handle this. Variable Length Subnet Masks is what is used to facilitate the implementation of CIDR. That is what the CONSULT-VLSM patch provides: this ability to handle this.

Jerald E. Josephs
Course Developer - Network Security
Sun Educational Services
Phone/VM: 408-276-0941
FAX: 408-276-1565
E-mail: jerald.josephs@EBay.Sun.COM

From owner-firewalls-outgoing Mon May 5 09:24:55 1997
From: Adam Shostack
Message-Id: <199705051551.LAA01590@homeport.org>
Subject: Chrooting DNS
To: firewalls@greatcircle.com (Firewalls mailing list)
Date: Mon, 5 May 1997 11:51:00 -0400 (EDT)

I wrote a short doc on chrooting DNS, in the hopes that it will help protect against the next set of stack smashing bugs in the named server.

http://www.homeport.org/~adam/dns.html

Feedback welcome.

Adam

--
"It is seldom that liberty of any kind is lost all at once."
-Hume

From owner-firewalls-outgoing Mon May 5 09:50:19 1997
From: Darren Cromer
To: "'claude.marinier@dreo.dnd.ca'", "'Firewalls@GreatCircle.COM'"
Subject: RE: [FW1] [FW-1] [Solaris 2.6] DHCP, VLSM thoughts
Date: Mon, 5 May 1997 08:40:55 -0700

The Microsoft DNS shipped with NT 4.0 will query a WINS server and respond with the WINS NetBIOS name. It's an OK DNS, not great, but it is stable.

-----Original Message-----
From: claude.marinier@dreo.dnd.ca [SMTP:claude.marinier@dreo.dnd.ca]
Sent: Monday, May 05, 1997 9:40 AM
To: Firewalls@GreatCircle.COM
Subject: Re: [FW1] [FW-1] [Solaris 2.6] DHCP, VLSM thoughts

>With DHCP, one will have to define generic hostnames for the
>range of IP addresses used in the IP allocation and you will
>not be able to do Authentication for a user coming from a
>particular host.

Are there not DNS systems which take input from DHCP servers and provide correct answers to queries? I heard that Microsoft was going to do just that with some version of NT. Can anyone confirm or deny this?

____________________
Claude Marinier
Information Technology Group
Defence Research Establishment Ottawa (DREO)
Claude.Marinier@dreo.dnd.ca
http://www.dreo.dnd.ca
613-998-4901 FAX 613-998-2675

From owner-firewalls-outgoing Mon May 5 10:06:43 1997
From: pnash@hanshan.bbnplanet.com
Message-ID: <19970505162346.9299.qmail@hanshan.bbnplanet.com>
Subject: Re: Firewall routing problem
To: raju@porsche.inabbdb.co.in (Raju Krishnan)
Date: Mon, 5 May 1997 12:23:45 -0400 (EDT)
Cc: jonw@mntcmp2.demon.co.uk, firewalls@GreatCircle.COM
In-Reply-To: <336D8A4E.794B@porsche.inabbdb.co.in> from "Raju Krishnan" at May 5, 97 12:20:46 pm

>                      -------
>                      |     |eth0 206.103.13.97
>   Leased line--------|Cisco|-------
>   202.54.5.194       |2501 |      |   Net: 255.255.255.240
>                      -------      |
>                                   |eth1 206.103.13.101
>                             __________
>                             |  Linux  |
>                             | Gateway |   Firewall FWTK
>                             |_________|
>                                  |
>                                  |eth0 192.168.0.3   Net: 192.168.0.0
>                                  |
>                 ----------------------------------
>                 |                |
>                 |                |
>       Other Digital Unix Machines with Netmask 192.168.0.0
>
> Information:
>
> Firewall is Linux machine running FWTK (freeware Firewall). CISCO router
> is 2501 running IPX.
>
> The firewall can ping the router and all outside machines on internet.

Yep, that's normal.

> The firewall can ping the internal local machines.

Yep, that's normal too.

> The router can ping the internet and the firewall eth0 and eth1 but
> cannot ping across the firewall to internal machines.

Right, because you have nothing forwarding along the ICMP packets to your internal network. You *don't* want people to be able to ping your internal hosts, and you don't really want internal people to be able to ping external hosts as well.. Allowing ICMP through a firewall is a bad idea in general as people can use it to tunnel information over it, map your internal network, etc.. bad bad bad.

>
> Does the router also need another route ip command to tell the packets
> going to the inside net that they have to go via the firewall gateway
> interface 206.103.13.101?
>

Nope, the problem you are running into is because there is nothing in the Linux box telling it to forward the packets through the interfaces. Trust me though, you do *not* want to forward the packets through though.

-Paul

----
Paul Nash        I speak for myself, not for my employer.
BBN Planet       (617) 873-6604        pnash@bbnplanet.com

From owner-firewalls-outgoing Mon May 5 11:03:28 1997
From: arager@mcgraw-hill.com
Message-Id: <199705051715.AA17119@interlock.mgh.com>
Date: Mon, 05 May 97 11:07:21 edt
To: firewalls@greatcircle.com
Subject: Re: Need to restrict http://www.nude.com and such

I still find this sort of thread hilarious. OK, my hand's up for being the one to find all those dirty sites! :>> Is this what the job of security administrator has been reduced to..... smut hunter???
Next we will be searching thru desks for playboys and such...by the way..hand over those dirty pictures in your wallet! What's the difference between users bringing diskettes from home with this stuff on them, and users downloading it from the net?? I have to agree, technology is not the problem......policy and management is. If it is against policy for folks to have/view certain materials at work, then it against policy...period. If an employee has items that against policy, then management should take the proper measures. But, content transfer is not very enforcable...There are too many ways to transfer information for companies to monitor and enforce all of them. [I am reminded of the recent stupid Soloman Bros. post -- people can use many different methods to carry info in and out of a company besides HTTP/Email....] Do we want to monitor FAX, modem, diskettes, Info on Laptops, phone calls, Email Content, Internet URLs, LAN traffic, SMail, and all paper in and out of the company? I don't think I want to work for an organization that invades my privacy to quite that extent. A better solution is to arrange folks that are not trustworthy [something tells me this is probably due to poor management] in the traditional 'bullpen' type office......That way the paranoid managers can see and hear everything the employee does. Timesheets [as much as I hate them] will probably also reveal an employee's work ethic. Probably the more reasonable solution is to report URL and email usage stats back to the employee and manager. This gives the manager some indication of technology usage -- which may or may not be appropriate for the particular employee's job. [ie - 1GB/day HTTP transfers for a data entry clerk may be a bit excessive?] Sorry to waste even more bandwidth on this topic. The above opinions are entirely mine. 
Anton Rager Standard & Poor's Compustat arager@McGraw-Hill.com From owner-firewalls-outgoing Mon May 5 12:02:55 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id KAA24494 for firewalls-outgoing; Mon, 5 May 1997 10:35:27 -0700 (PDT) Received: from mcfeely.bsfs.org (mcfeely.bsfs.org [204.91.13.34]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id KAA24472 for ; Mon, 5 May 1997 10:35:19 -0700 (PDT) Received: (from wombat@localhost) by mcfeely.bsfs.org (8.6.12/8.6.12) id MAA19616; Mon, 5 May 1997 12:23:11 -0400 Date: Mon, 5 May 1997 12:23:07 -0400 (EDT) From: Rabid Wombat To: Alan cc: Dominick Glavach , firewalls@GreatCircle.COM Subject: Re: Need to restrict http://www.nude.com and such In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk On Fri, 2 May 1997, Alan wrote: > On Fri, 2 May 1997, Dominick Glavach wrote: > > > I know this is slightly off topic but I have need some advise or some products > > that will restrict http access to sites such as www.porn.com. Aside from > > building an exhaustive list on my proxy what else can I do. Thanks for the > > help. > > Try finding the wire leading from your firewall out to the Internet. Take > a large pair of wire cutters and cut that wire. (Be careful not to > confuse the power cord with this wire.) > > Filters are semi-useful at best. Since any of these filters can be > bypassed by web proxies, you will only filter out the more clueless of > your userbase. (Middle managers and sales people and the like.) You are > better off either cutting off access to the net to all (or most) of your > users or deal with problems as they occur. > > > I have seen actions like this taken before. 
Someone in management gets a > hair up their ass about "people for surfing for porn at work", and instead > of doing something that would require real hands on involvement, make a > request that puts the burden on another department. This sort of > management has all sorts of ramifications that are never taken into > account. It shows that management does not trust them. It makes the > lives of those who do need to use the net more difficult. (Especially > since many of these filters are overbroad and restrict legit sites.) It > also breeds contempt for both management and IS. All in all, not the best > situation. > > > If you are really wanting to deal with the "problem", I suggest using a > log on your web proxy and then deal with people who abuse the situation. > Filtering will cause more hastles than they will solve. > > I agree with Alan; I also think that when you start censoring traffic, you are, essentially, becoming a content providor, and *might* find a different set of rules applied to your organization for outbound content originating at your site. This is a Bad Thing(tm). I am not a lawyer, but I suggest you check with one in regard to this. I recommend that your organization formally notify its users that professional standards apply to the use of corporate computer equipment and network connections, just as they do to the use of corporate telephones, fax machines, and other resources. Detailing this in a memo, as well as in the next revision of the employee handbook is a good way to handle this. Most companies allow limited personal use of company resources without explicit limits; the computer equipment/network need not be different. If your company lets you call and make an appointment with your doctor, check up on child care, etc. from work, you probably fall into this category. Most people can see the difference between this and calling Uncle Bob in Katmandu for three hours a day on the company dime. 
Applying professional standards to personal use should be sufficient. Simply set up logging capability, and make sure that users are formally told that such capability exists. Formally define where the "right to privacy" ends. I would suggest that your policy be to log all site access and mail traffic, but that policy also dictate that no review of logs be performed without some "outside" probable cause, documented in an official memo. For example; your postmaster receives email requesting information regarding harassing email that appears to be originating from an address at your site. The MIS director issues a memo to a member of the IS staff to review the mail logs specifically to determine if such activity is taking place. Or: A worker complains that the person in the next cubicle frequently views offensive material on their PC; that person's supervisor sends a memo to MIS asking that the logs be reviewed to determine if such actions are taking place. This protects your organization from violating an employees "reasonable expectation of privacy", as long as the guidelines for use of equipment, logging capability, and review of such logs have been spelled out. I've also found that formally publishing such a policy is usually a significant deterent, as most of your "violaters" will stop if they know that their use patterns are being logged somewhere. Be alert for people who try to "burn" a co-worker by accessing "banned" sites from that user's station, and then geting someone to log a complaint; I've seen incidents like this as well. Best to set up policy that protects the company's interests, deters most casual abuse, etc., without turning MIS into the Info-Gestapo. Note, before starting a flame war / debate: I'm against censorship, in general, and think that people should be able to read/publish what they like. 
I don't think that their employer should be obligated to provide them the printing press, or pay them to indulge in their personal pursuits on company time. Home access is cheap. Read/write all you want from there. Once again, I am not a lawyer, this is free advice, and you generally get what you pay for. :) -r.w. From owner-firewalls-outgoing Mon May 5 12:06:36 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id LAA01649 for firewalls-outgoing; Mon, 5 May 1997 11:09:55 -0700 (PDT) Received: from burrito.insource.com (burrito.insource.com [206.97.180.105]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id LAA01484 for ; Mon, 5 May 1997 11:09:25 -0700 (PDT) Received: (from rafec@localhost) by burrito.insource.com (8.8.5/8.7.3) id NAA03444; Mon, 5 May 1997 13:12:12 -0500 (CDT) Date: Mon, 5 May 1997 13:12:11 -0500 (CDT) From: Rafe Colburn To: Brian Tackett cc: Kevin McPeake , firewalls@GreatCircle.COM Subject: Re: macintosh firewall? In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Apple has been building server boxes that run a licensed version of AIX 4.1.x for quite some time. They're supposedly pretty nice machines, although I've never seen one in action. >From what I've read most recently, with the latest reorg, Apple is not going to continue this product line and stick with building machines that run the MacOS or Rhapsody. They stopped working on A/UX quite awhile ago. Interestingly, you can run MkLinux on PowerMacs, although it's a pre-release version. See http://www.mklinux.apple.com for more info on that. On Sun, 4 May 1997, Brian Tackett wrote: > On Mon, 5 May 1997, Kevin McPeake wrote: > > > But if you want to stay Mac only, without having to fork out the cash for > > a Apple AIX box (which they are dropping support for AIX, thanks in part > > *cough* Do you mean AIX, or A/UX? 
> Unless I've not kept pace with things,
> AIX is IBM, A/UX is Apple ;)

---
Rafe Colburn
Consultant, Insource Technology Corp.
[finger rafec@burrito.insource.com for PGP Public Key]

From owner-firewalls-outgoing Mon May 5 12:10:06 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id LAA05088 for firewalls-outgoing; Mon, 5 May 1997 11:40:52 -0700 (PDT)
Received: from Xenon.Stanford.EDU (Xenon.Stanford.EDU [171.64.64.24]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id LAA05061 for ; Mon, 5 May 1997 11:40:42 -0700 (PDT)
Received: (from dechon@localhost) by Xenon.Stanford.EDU (8.8.4/8.8.4) id LAA09206; Mon, 5 May 1997 11:42:58 -0700 (PDT)
From: "Marc D. Jackson"
Message-Id: <199705051842.LAA09206@Xenon.Stanford.EDU>
Subject: Re: [FW1] [FW-1] [Solaris 2.6] DHCP, VLSM thoughts
To: Eric.Deschamps@France.Sun.COM
Date: Mon, 5 May 1997 11:42:57 -0700 (PDT)
Cc: dechon@CS.Stanford.EDU, Jerald.Josephs@Ebay.Sun.COM, firewalls@GreatCircle.COM, fw-1-mailinglist@us.checkpoint.com, drexx@pspi.com.ph
In-Reply-To: from "Eric Deschamps" at May 5, 97 10:27:53 am
X-Mailer: ELM [version 2.4 PL25]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Eric Deschamps writes:
> > > > > > > 2] How will VLSM make firewalling administration any easier/better ?
> > > > > > >
> > > No, but it will make it easier to subnet your intranet without
> > > losing precious IP addresses to a subnet without enough
> > > hosts to use all of the addresses.
> >
> > ? I don't understand this last sentence. My exposure to VLSM indicates
> > that it has nothing to do with subnetting your intranet. I ran into
> > this problem when trying to route with rip. Specifically, Sun's
> > implementation of the routing socket interface is not the industry
> > standard.
> > In other words, when you use a Sun machine as a multi-homed
> > host with subnetted networks the rip updates are incorrect. The routers
> > that we used had no problems at all in dealing with the subnetted
> > networks, therefore while we were able to subnet our intranet we had
> > problems with using Sun's as any type of router.
> >
> > mj
>
> Marc,
>
> It seems that VLSM stands for "variable-length subnet mask", so it looks like
> it has to do with subnetting your intranet. RIP has no knowledge of subnet

Perhaps this is a problem with terminology. On one machine, if I have 192.168.100.33, 192.168.100.66, 192.168.100.97 all with the subnet mask 255.255.255.224, the rip updates from the machine contain information about the various subnets. This would indicate to me that "RIP" *does* understand subnetting. Are you saying that the packets on port 520 are *not* RIP updates?

mj

From owner-firewalls-outgoing Mon May 5 12:14:13 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id LAA04273 for firewalls-outgoing; Mon, 5 May 1997 11:34:33 -0700 (PDT)
Received: from Xenon.Stanford.EDU (Xenon.Stanford.EDU [171.64.64.24]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id LAA04244 for ; Mon, 5 May 1997 11:34:25 -0700 (PDT)
Received: (from dechon@localhost) by Xenon.Stanford.EDU (8.8.4/8.8.4) id LAA08161; Mon, 5 May 1997 11:33:13 -0700 (PDT)
From: "Marc D. Jackson"
Message-Id: <199705051833.LAA08161@Xenon.Stanford.EDU>
Subject: Re: VLSM, RIP, routing socket
To: Andreas.Mueller@othello.ch (Dr Andreas F Muller)
Date: Mon, 5 May 1997 11:33:13 -0700 (PDT)
Cc: firewalls@GreatCircle.COM
In-Reply-To: <9705031428.AA11001@othello.ch> from "Dr Andreas F Muller" at May 3, 97 04:28:49 pm
X-Mailer: ELM [version 2.4 PL25]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Dr Andreas F Muller writes:
> > "Marc D. Jackson" wrote:
> > I ran into this problem when trying to route with rip. Specifically,
> RIP cannot do subnets, unless you use RIP2. Ordinary routed does

My understanding of subnetting was this: that you can steal bits from the host part of the IP address in order to create more networks. If that is not the following, please explain what it is. (Sun networking class.)

192.168.100.33 netmask 255.255.255.224
192.168.100.65 netmask 255.255.255.224
192.168.100.97 netmask 255.255.255.224

> not understand RIP2. Many other OSes have the same problem, even
> some products that call themselves routers.
>
> For a real router you need at least two preconditions:
> . the kernel must understand subnet routes
> . there must be a decent routing process that understands a real
> routing protocol (in this sense, routed is not decent).
>
> > Sun's implementation of the routing socket interface is not the
> > industry standard. In other words, when you use a Sun machine as
> > a multi-homed host with subnetted networks the rip updates are
> > incorrect. The routers that we used had no problems at all in
> This has nothing to do with the implementation of the routing
> socket. It's a fact that Solaris 2.x, x < 6, is unable to handle

Ok. Then your information is different than what Sun has to say. The line I quoted was a paraphrase of the documentation that came with their VLSM software. It also coincided with information that I had received from the Gated consortium. Perhaps I misunderstood.

> subnet routes in its kernel routing table, unless they belong to
> directly connected networks. The workaround is to use host routes
> for all hosts on a remote subnet. (There was a product from Sun
> which enabled vlsm in the kernel, however, this does not correct the
> deficiencies of RIP).
>
> The fact that the routers had no problems only indicates that they
> were using RIP2 or something better.

My network engineers made no mention of using RIP2.
> > > dealing with the subnetted networks, therefore while we were able
> > to subnet our intranet we had problems with using Sun's as any type
> > of router.
> If you want your Sun to speak to some routers intelligently (doing
> something more intelligent than RIP), you should consider gated.
>

Funny thing. I *AM* using GateD, which is how I found out about all of this. Perhaps you can answer a question for me. With the VLSM software installed, routed now propagates the routes correctly. Why doesn't Gated?

> Just my 0.02$
>

Thanx for your 0.02$. Next time please send large bills. Preferably 100's. :)

mj

> Andreas Mueller
>
> ------------------------------------------------------------
> Dr. Andreas Mueller Beratung und Entwicklung
> Bubental 53, CH - 8852 Altendorf
> Voice: +41 55 462 1483 Fax/Data: +41 55 462 1485
>

From owner-firewalls-outgoing Mon May 5 14:06:12 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id MAA13230 for firewalls-outgoing; Mon, 5 May 1997 12:38:42 -0700 (PDT)
Received: from darkstar.sysinfo.com (darkstar.sysinfo.com [204.246.65.62]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id MAA13206 for ; Mon, 5 May 1997 12:38:34 -0700 (PDT)
Received: from parka.winternet.com (dufresne@parka.winternet.com [198.174.169.9]) by darkstar.sysinfo.com (8.8.2/8.8.2) with SMTP id OAA14756; Mon, 5 May 1997 14:41:26 -0500
Date: Mon, 5 May 1997 14:40:41 -0500 (CDT)
From: Ron DuFresne
Reply-To: Ron DuFresne
To: arager@mcgraw-hill.com
cc: firewalls@GreatCircle.COM
Subject: Re: Need to restrict http://www.nude.com and such
In-Reply-To: <199705051715.AA17119@interlock.mgh.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Mon, 5 May 1997 arager@mcgraw-hill.com wrote:
>
>
> I still find this sort of thread hilarious.
> Ok, my hand's up for
> being the one to find all those dirty sites!:>> Is this what the job
> of security administrator has been reduced to.....smut hunter??? Next
> we will be searching thru desks for playboys and such...by the
> way..hand over those dirty pictures in your wallet!
>

I've mentioned before, the best way around all this logging and the restricting of URLs for the end user is to go out to a private account, do all the searching and grabbing there, perhaps then renaming sex1.jpg to something.important, then pulling it back inside. No logs to report the end around, and no admin is the wiser, unless he sees your new-found background on your desktop of the orgy scene.

I've posted a few times some packages that the K-12 edu sites use for such purposes when this topic has come up, more in an attempt to jestup the folks that think they need to 'guide' and monitor their employees than for any other reason.

It's my guess that a few admins are sorry to have moved out their diskless X stations, and are hopping with glee at the new versions of that old technology that vendors are once again pushing on the masses. Yup, lock down the desktop, and restrict access to the fullest; it costs far too much to actually train and inform users as to proper work methods.

Later,

Ron DuFresne
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
"Cutting the space budget really restores my faith in humanity. It eliminates dreams, goals, and ideals and lets us get straight to the business of hate, debauchery, and self-annihilation." -- Johnny Hart
***testing, only testing, and damn good at it too!***
OK, so you're a Ph.D. Just don't touch anything.
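The renaming trick in the post above (fetch the file elsewhere, rename sex1.jpg to something.important, pull it inside) only defeats checks that trust the file name. The following is an added example, not code from the original post or from any package mentioned in the thread: the kind of content check a proxy or mail gateway can run instead. It identifies a file by its leading magic bytes and flags a transfer whose claimed extension disagrees with what the bytes say. The magic numbers are the standard ones for each format; the sample transfers and the type table are constructed assumptions for the example.

```python
"""Flag transfers whose content does not match the claimed file name.

Added example, not code from the original post. Renaming a file changes
only the name; the first bytes still identify the format, so a proxy or
mail gateway that sniffs content catches the "sex1.jpg -> something.important"
end-around. The sample transfers below are constructed for this example.
"""

# Standard file signatures (magic numbers) that identify a format.
MAGIC = [
    (b"\xff\xd8\xff", "jpeg"),
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"GIF87a", "gif"),
    (b"GIF89a", "gif"),
    (b"PK\x03\x04", "zip"),
    (b"%PDF-", "pdf"),
    (b"MZ", "exe"),
]

# What a given extension claims the content to be (assumed table).
EXT_TO_TYPE = {
    "jpg": "jpeg", "jpeg": "jpeg", "png": "png", "gif": "gif",
    "zip": "zip", "pdf": "pdf", "exe": "exe",
    "txt": "text", "htm": "text", "html": "text",
}


def sniff_type(data: bytes) -> str:
    """Identify content by magic bytes; fall back to a printable-text test."""
    for signature, name in MAGIC:
        if data.startswith(signature):
            return name
    sample = data[:512]
    if sample and all(32 <= b < 127 or b in (9, 10, 13) for b in sample):
        return "text"
    return "unknown"


def claimed_type(filename: str) -> str:
    """Type the file name claims to be; 'unknown' for unlisted extensions."""
    if "." not in filename:
        return "unknown"
    return EXT_TO_TYPE.get(filename.rsplit(".", 1)[1].lower(), "unknown")


def check_transfer(filename: str, data: bytes) -> dict:
    """Compare claimed and sniffed type.

    Only a positively identified binary format that disagrees with the name
    counts as a mismatch: text and unrecognised content are left alone so
    that an extensionless README is not flagged.
    """
    actual = sniff_type(data)
    claimed = claimed_type(filename)
    mismatch = actual not in ("unknown", "text") and actual != claimed
    return {"name": filename, "claimed": claimed, "actual": actual,
            "mismatch": mismatch}


def audit(transfers):
    """Run the check over (filename, content) pairs; return the mismatches."""
    return [r for r in (check_transfer(n, d) for n, d in transfers) if r["mismatch"]]


# Constructed sample transfers: a JPEG renamed to hide it, a genuine JPEG,
# a ZIP posing as a text file, a plain text memo and an extensionless README.
SAMPLE_TRANSFERS = [
    ("something.important", b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 32),
    ("vacation.jpg", b"\xff\xd8\xff\xe1" + b"\x00" * 32),
    ("notes.txt", b"PK\x03\x04\x14\x00" + b"\x00" * 32),
    ("memo.txt", b"Quarterly numbers attached.\n"),
    ("README", b"Build with make.\n"),
]

if __name__ == "__main__":
    for r in audit(SAMPLE_TRANSFERS):
        print("MISMATCH %s: claims %s, is %s" % (r["name"], r["claimed"], r["actual"]))
```

On the constructed samples only the renamed JPEG and the ZIP named notes.txt are reported. The check is deliberately conservative about text and unknown content; a gateway that also wanted to catch images inside archives would have to open the ZIP and sniff each member the same way.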
From owner-firewalls-outgoing Mon May 5 14:24:48 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id NAA17871 for firewalls-outgoing; Mon, 5 May 1997 13:08:01 -0700 (PDT)
Received: from smurfland.cit.buffalo.edu (smurfland.cit.buffalo.edu [128.205.10.10]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id NAA17862 for ; Mon, 5 May 1997 13:07:54 -0700 (PDT)
Received: (from jcmurphy@localhost) by smurfland.cit.buffalo.edu (8.8.5/8.8.2) id QAA22993; Mon, 5 May 1997 16:10:09 -0400 (EDT)
To: claude.marinier@dreo.dnd.ca (Marinier, Claude)
Cc: Firewalls@GreatCircle.COM
Subject: Re: [FW1] [FW-1] [Solaris 2.6] DHCP, VLSM thoughts
References: <3.0.1.32.19970505093953.00944100@caen-sp.cps.dreo.dnd.ca>
Mime-Version: 1.0 (generated by tm-edit 7.105)
Content-Type: text/plain; charset=US-ASCII
From: Jeff Murphy
Date: 05 May 1997 16:10:08 -0400
In-Reply-To: claude.marinier@dreo.dnd.ca's message of Mon, 05 May 1997 09:39:53 -0400
Message-ID:
Lines: 11
X-Mailer: Gnus v5.4.46/XEmacs 20.0
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

claude.marinier@dreo.dnd.ca (Marinier, Claude) writes:
> Are there not DNS systems which take input from DHCP servers
> and provide correct answers to queries?

Yes. One of the features of the new BIND release by Paul Vixie is dynamic update abilities. This is really useful in the context of DHCP. In fact, the ISC is supposed to have a DHCP client available with the latest BIND code that will perform pushes of hostname/address pairs into DNS dynamically.
See also: www.isc.org

jeff

From owner-firewalls-outgoing Mon May 5 14:53:30 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id NAA18059 for firewalls-outgoing; Mon, 5 May 1997 13:09:30 -0700 (PDT)
Received: from mail.ka.inka.de (quechua.inka.de [193.197.84.5]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id MAA13458 for ; Mon, 5 May 1997 12:40:13 -0700 (PDT)
Received: from uu.inka.de ([193.197.84.8]) by mail.ka.inka.de with smtp (ident root using rfc1413) id m0wOTdA-0004KXC (Debian Smail-3.2 1996-Jul-4 #2); Mon, 5 May 1997 21:41:04 +0200 (MET DST)
Received: from lina.inka.de (lists@lina.inka.de) by uu.inka.de with bsmtp (S3.1.29.1) id ; Mon, 5 May 97 21:41 MET DST
Received: by lina.inka.de id m0wOTal-00016tC (Debian Smail-3.2 1996-Jul-4 #2); Mon, 5 May 1997 21:38:15 +0200 (CEST)
Message-Id:
Date: Mon, 5 May 1997 21:38:14 +0200
From: Bernd Eckenfels
To: Raju Krishnan
Cc: firewalls@GreatCircle.COM
Subject: Re: Firewall routing problem
References: <336D8A4E.794B@porsche.inabbdb.co.in>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 0.67
In-Reply-To: <336D8A4E.794B@porsche.inabbdb.co.in>; from Raju Krishnan on Mon, May 05, 1997 at 12:20:46PM +0500
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hello,

> The router can ping the internet and the firewall eth0 and eth1 but
> cannot ping across the firewall to internal machines.

Besides the info that you don't want to forward ICMP (linux 2.0.30 can do some icmp masquerading if you are really daring), you should forbid access from the external interface (cisco) to the internal interface by ip firewalling. Add some rules against IP-Spoofing with ipfwadm.

Greetings
Bernd
--
(OO) -- Bernd_Eckenfels@Wittumstrasse13.76646Bruchsal.de --
( .. ) ecki@{inka.de,linux.de,debian.org} http://home.pages.de/~eckes/
o--o *plush* 2048/93600EFD eckes@irc +4972573817 BE5-RIPE
(O____O) If privacy is outlawed only Outlaws have privacy

From owner-firewalls-outgoing Mon May 5 15:14:11 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id MAA08249 for firewalls-outgoing; Mon, 5 May 1997 12:02:11 -0700 (PDT)
Received: from mercury.Sun.COM (mercury.Sun.COM [192.9.25.1]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id MAA08198 for ; Mon, 5 May 1997 12:01:59 -0700 (PDT)
Received: from Ebay.Sun.COM ([129.150.111.20]) by mercury.Sun.COM (SMI-8.6/mail.byaddr) with SMTP id MAA07471; Mon, 5 May 1997 12:15:38 -0700
Received: from althea.EBay.Sun.COM by Ebay.Sun.COM (SMI-8.6/SMI-5.3) id MAA14369; Mon, 5 May 1997 12:04:05 -0700
Received: by althea.EBay.Sun.COM (SMI-8.6/SMI-SVR4) id MAA10518; Mon, 5 May 1997 12:03:42 -0700
Date: Mon, 5 May 1997 12:03:42 -0700
From: Jerald.Josephs@Ebay.Sun.COM (Jerald Josephs)
Message-Id: <199705051903.MAA10518@althea.EBay.Sun.COM>
To: Jerald.Josephs@Ebay.Sun.COM, postmaster@ram-tnsc-nl1.ramstein.af.mil
Subject: RE: [FW1] [FW-1] [Solaris 2.6] DHCP, VLSM thoughts
Cc: firewalls@greatcircle.com
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Content-MD5: r68ic2aF2+7LxhOAw+KodQ==
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Murph,

You must be running Solaris 1.x (still). NIS is not integrated into DNS, meaning you don't have to configure NIS in order to access DNS with Solaris 2.x.

DNS in Solaris 2.x is:
create /etc/resolv.conf
add 'dns' to the hosts line in /etc/nsswitch.conf.

I won't go into how to create a DNS server...

---
jerald

>
> BTW - WHY IS NIS INTEGRATED INTO DNS? There are sane people who have no
> desire to run NIS, but have a definite need to run DNS - is this SNAFU
> to be fixed in future releases?
>
> murph
>
> Brian Murphy - PRC
> HQ USAFE CSS/SCBT - TNSC
> DSN: (314) 480-7005
> mailto:brian.murphy@ramstein.af.mil
> "The computer is the computer, the network is the network."
>
> >----------
> >From: Jerald.Josephs@Ebay.Sun.COM[SMTP:Jerald.Josephs@Ebay.Sun.COM]
> >Sent: Monday, May 05, 1997 18:02
> >To: dechon@CS.Stanford.EDU; Eric.Deschamps@France.Sun.COM
> >Cc: Jerald.Josephs@Ebay.Sun.COM; firewalls@GreatCircle.COM;
> >fw-1-mailinglist@us.checkpoint.com; drexx@pspi.com.ph
> >Subject: Re: [FW1] [FW-1] [Solaris 2.6] DHCP, VLSM thoughts
> >
> >
> >>
> >> >
> >> > > > 2] How will VLSM make firewalling administration any easier/better ?
> >> > > >
> >> > >
> >> > > No, but it will make it easier to subnet your intranet without
> >> > > losing precious IP addresses to a subnet without enough
> >> > > hosts to use all of the addresses.
> >> >
> >> > ? I don't understand this last sentence. My exposure to VLSM indicates
> >> > that it has nothing to do with subnetting your intranet. I ran into
> >> > this problem when trying to route with rip. Specifically, Sun's
> >> > implementation of the routing socket interface is not the industry
> >> > standard. In other words, when you use a Sun machine as a multi-homed
> >> > host with subnetted networks the rip updates are incorrect. The routers
> >> > that we used had no problems at all in dealing with the subnetted
> >> > networks, therefore while we were able to subnet our intranet we had
> >> > problems with using Sun's as any type of router.
> >> >
> >> > mj
> >>
> >> Marc,
> >>
> >> It seems that VLSM stands for "variable-length subnet mask", so it looks
> >>like
> >> it has to do with subnetting your intranet. RIP has no knowledge of subnet
> >> addressing, so I am not sure to understand what is the meaning of "Sun's
> >> implementation of the routing socket interface is not the industry
> >>standard".
> >> Which standard is it?
> >> It is a RIP problem, RIP2 addresses this problem (and
> >> others as well) without any ambiguity.
> >>
> >> Rgds,
> >>
> >> Eric
> >
> >Marc,
> >
> >I actually began a lengthy detailed response that I failed to get off before
> >my mail utility did a no-no and I lost the composition.
> >
> >VLSM refers to the same thing as CIDR, Classless Internet Domain Routing.
> >For those who may not be familiar with this, CIDR addresses the problem that
> >the Internet is seeing with the explosion of Class C addresses all over the
> >place. Traditionally, to reach a network, you need a route. With so many
> >new networks, you need a robust routing table.
> >
> >The shortage of Class B addresses has forced companies to subnet their Class
> >B
> >into Class C. This creates numerous new routing table entries.
> >
> >CIDR says that if you own 192.168.0.0, then I can assume that 192.168.1.0
> >through 192.168.255.0 are all within your domain, so all I need is a single
> >route to 192.168.0.0 to handle all of the subnets. The problem was that the
> >earlier versions of routed shipped with Solaris as well as the kernel IP
> >routing module, could not handle this.
> >
> >Variable Length Subnet Masks is what is used to facilitate the implementation
> >of CIDR.
> >
> >That is what the CONSULT-VLSM patch provides: this ability to handle this.
> >
> >
> >
> > /\ Jerald E. Josephs
> > \\ \ Course Developer - Network Security
> > \ \\ / Sun Educational Services
> > / \/ / /
> >/ / \//\
> >\//\ / /
> > / / /\ /
> > / \\ \ Phone/VM: 408-276-0941
> > \ \\ FAX: 408-276-1565
> > \/ E-mail: jerald.josephs@EBay.Sun.COM
> >
> >

From owner-firewalls-outgoing Mon May 5 15:55:16 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id NAA20487 for firewalls-outgoing; Mon, 5 May 1997 13:25:21 -0700 (PDT)
Received: from border.com (janus.border.com [199.71.190.98]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id NAA20471 for ; Mon, 5 May 1997 13:25:13 -0700 (PDT)
Received: by janus.border.com id <11659>; Mon, 5 May 1997 16:22:34 -0400
Message-Id: <97May5.162234edt.11659@janus.border.com>
To: Chris Lonvick
cc: Adam Shostack , Sandeep_Talwar@INDIA.notes.pwa.co.in, Firewalls@GreatCircle.COM
Subject: Re: Firewalls-Digest V6 #187
From: "Gene Amdur"
Date: Mon, 5 May 1997 16:26:58 -0400
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

| My own understanding (may be more/less/equally wrong) is that a US
| company can purchase any dang thing they want. They can also ship
| it around the world as long as they maintain control of it. This
| shouldn't fall into the DoC regulations since they're not _exporting_
| it for resale (and it won't fall into the hands of people who may
| want to "harm national security and foreign policy interests" (taken
| from Clinton's executive order)).
|
| Sandeep: If Price Waterhouse is a US company, have your US office
| contact Checkpoint to see if they (your US office) can buy a pair
| of the things (with strong encryption) and ship one to Calcutta.
| Please write back to the group and let us know.
|
| I'm actually just trying to be an
| engineer and don't know beans about export control restrictions.

Well, if you were to follow the above advice you would be guilty of exporting restricted arms from the US.
My guess is you really don't want that since the US government can be very nasty about that law. The law states (in a very simplified form) that strong crypto is equivalent to atom bombs (okay it doesn't quite say that :-) but basically that is it). And if you sell one to someone that is not in US or Canada you can go to jail for a long time. And moreover, if you give one to someone that is not in US or Canada you can go to jail for a long time. Even if the someone is yourself in a foreign office.

You can go to the Department of Commerce (I think) and get special dispensation to ship strong crypto for your foreign offices but you should do that *before* shipping the products.

I know this because our product includes strong cryptography and we are forever haggling with the US government over what we can and cannot sell outside of US/Canada. If only someone could make them understand that these algorithms are public knowledge...sigh.

Gene Amdur
Secure Computing Canada
Development Team Leader

From owner-firewalls-outgoing Mon May 5 16:03:14 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id PAA09908 for firewalls-outgoing; Mon, 5 May 1997 15:31:20 -0700 (PDT)
Received: from xyzzy.plugh.edmonton.ab.ca (xyzzy.plugh.edmonton.ab.ca [198.161.22.2]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id PAA09850 for ; Mon, 5 May 1997 15:31:07 -0700 (PDT)
Received: (from uucp@localhost) by xyzzy.plugh.edmonton.ab.ca (8.6.12/8.6.9) id QAA07511; Mon, 5 May 1997 16:33:12 -0600
Received: from snouts-gw.obtuse.com(192.168.30.61), claiming to be "snouts.obtuse.com" via SMTP by mailhost.plugh.edmonton.ab.ca, id smtpd07509aaa; Mon May 5 16:33:05 1997
Received: (from beck@localhost) by snouts.obtuse.com (8.7.5/8.7.3) id QAA17688; Mon, 5 May 1997 16:33:12 -0600
From: Bob Beck
Message-Id: <199705052233.QAA17688@snouts.obtuse.com>
Subject: Re: Need to restrict http://www.nude.com and such
To: wombat@mcfeely.bsfs.org (Rabid Wombat)
Date: Mon, 5 May 1997 16:33:10 -0600 (MDT)
Cc: alano@teleport.com, glavach@ctc.com, firewalls@GreatCircle.COM
In-Reply-To: from "Rabid Wombat" at May 5, 97 12:23:07 pm
X-Mailer: ELM [version 2.4 PL25]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Someone appearing to be the Rabid Marsupial said:
>
> Applying professional standards to personal use should be sufficient.
>
> Simply set up logging capability, and make sure that users are formally
> told that such capability exists. Formally define where the "right to
> privacy" ends. I would suggest that your policy be to log all site access
> and mail traffic, but that policy also dictate that no review of logs be
> performed without some "outside" probable cause, documented in an
> official memo.
> [.... ]
> Once again, I am not a lawyer, this is free advice, and you generally get
> what you pay for. :)
>
> -r.w.

I've been around when pretty much this was actually done at a site. The IS guys told management what the problems would be and at that point it was simple. Once the word got out that IS could track the access to sites if asked (logs on web proxy and p.f.), it simply wasn't an issue. Could users circumvent it? Sure, if they were clued, but for more effort than it took to bring a magazine or a book to work, or in the case of porn, any hardcore CD-ROM you can rent at a video store.

In the end management's take on it (once educated by IS) was that it was no different from any other potential workplace distraction, and if anything less than some (like games on a PC).

Was what was done challengeable as a violation of privacy in the U.S.? Haven't a clue, I'm in Canada, where the Gestapo is good for you as long as it's pink and fuzzy and only picks on the bad people :-)

Was the solution effective with a minimum of user squawking, embarrassment, and pain?
Yes, and IMNSHO keeps the technical issues with the techies and the people management issues with the cat herders.

-Bob
--
Bob Beck Obtuse Systems Corporation
beck@obtuse.com http://www.obtuse.com/
True Evil hides its real intentions in its street address.
Search and you shall find it, and the truth shall set you free.

From owner-firewalls-outgoing Mon May 5 16:07:48 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id OAA26001 for firewalls-outgoing; Mon, 5 May 1997 14:04:46 -0700 (PDT)
Received: from speedbump.datapark.com (ns1.datapark.com [207.102.240.10]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id OAA25974 for ; Mon, 5 May 1997 14:04:38 -0700 (PDT)
Received: from k2 (k2.datapark.com [207.102.240.32]) by speedbump.datapark.com (8.8.5/8.6.12) with SMTP id OAA01344 for ; Mon, 5 May 1997 14:08:45 -0700 (PDT)
Message-ID: <336E4BE5.4F55@datapark.com>
Date: Mon, 05 May 1997 14:06:45 -0700
From: Jeff Newton
Organization: Tantalus Communications
X-Mailer: Mozilla 3.0 (X11; I; SunOS 5.5.1 sun4u)
MIME-Version: 1.0
To: Firewalls@GreatCircle.COM
Subject: Firewall Ruleset
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I'm about to implement IPFW on BSD for testing purposes and would like to know if anyone has a generic or basic rule set to begin from. I know my network specifics will require rule changes, but I would appreciate any help getting started.
Cheers,
--
Jeff Newton
Network Administrator
Tantalus Communications
Datapark Advanced Communications
(604) 664-7454
-----------------
"It's the world, not a call I can screen out" - Headstones

From owner-firewalls-outgoing Mon May 5 16:10:08 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id NAA24381 for firewalls-outgoing; Mon, 5 May 1997 13:51:51 -0700 (PDT)
Received: from skye.nis.newscorp.com (skye.nis.newscorp.com [206.15.111.99]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id NAA24325 for ; Mon, 5 May 1997 13:51:36 -0700 (PDT)
Received: (from dobrich@localhost) by skye.nis.newscorp.com (8.7.3/8.7.2) id QAA10742; Mon, 5 May 1997 16:54:33 -0400 (EDT)
Date: Mon, 5 May 1997 16:54:33 -0400 (EDT)
From: Greg Dobrich
Message-Id: <199705052054.QAA10742@skye.nis.newscorp.com>
To: firewalls@GreatCircle.COM
Subject: FW-1 and OSPF
Cc: dobrich@newscorp.com
X-Sun-Charset: US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hi,

In reading Checkpoint FW1's list of supported applications I came across OSPF. I would assume that it will pass OSPF protocol traffic between OSPF speakers on either side rather than actually participate in OSPF routing. It left me with a bunch of questions on how this could work given how OSPF finds neighbors, establishes adjacencies, computes routes/next hop, etc. It seems like the firewall would have to do something fairly involved to pull this off successfully. Has anyone tried this or seen documentation?
Thanks,
Greg
-------------------------------------------------------------------------
Greg Dobrich
Senior Network Engineer
News Internet Services
508 551 1007
Lowell, MA

From owner-firewalls-outgoing Mon May 5 16:54:53 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id OAA28557 for firewalls-outgoing; Mon, 5 May 1997 14:21:27 -0700 (PDT)
Received: from Xenon.Stanford.EDU (Xenon.Stanford.EDU [171.64.64.24]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id OAA28545 for ; Mon, 5 May 1997 14:21:16 -0700 (PDT)
Received: (from dechon@localhost) by Xenon.Stanford.EDU (8.8.4/8.8.4) id OAA26021 for firewalls@greatcircle.com; Mon, 5 May 1997 14:23:20 -0700 (PDT)
From: "Marc D. Jackson"
Message-Id: <199705052123.OAA26021@Xenon.Stanford.EDU>
Subject: re: vlsm
To: firewalls@greatcircle.com
Date: Mon, 5 May 1997 14:23:19 -0700 (PDT)
X-Mailer: ELM [version 2.4 PL25]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I've received several private emails and I'm thankful for the information that I've received. I think that I have been misunderstood. I don't believe that I said: RIP knows about subnet masks. I said that I see subnets in the RIP update coming from a machine with 3 different subnets on it.

In going back and looking at RFC 1058 section 3, as well as talking with 2 network engineers, I am convinced that RIP *does* know about subnets. It was explained to me that it *has* to because it is an internal routing protocol. I am *not* saying that route aggregation doesn't occur. But is it correct to say that if route aggregation does occur that subnets can't?
To put my statements in a nutshell: On a multihomed host, with the IP configuration of

le0: 192.168.100.35 netmask 255.255.255.224
le1: 192.168.100.66 netmask 255.255.255.224
le2: 192.168.100.97 netmask 255.255.255.224

Any packet originating from this machine on port 520 with the destination of the broadcast address and dstport of 520 *WILL* contain information about the other "subnets". All the networking books that I've looked at call this a RIP update. Therefore, 1 of 2 things must be true.

a) RIP does know about subnets, but only for special occasions.
b) RIP doesn't know about subnets. In which case something is masquerading as a RIP update.

Which is it?

mj

ps. For any who care, I can produce these packets at will.

From owner-firewalls-outgoing Mon May 5 17:54:42 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id QAA14703 for firewalls-outgoing; Mon, 5 May 1997 16:03:40 -0700 (PDT)
Received: from castles.com (sparc1.castles.com [199.4.103.2]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id QAA14636 for ; Mon, 5 May 1997 16:03:21 -0700 (PDT)
Received: from jmcbrea.castles.com ([205.185.80.10]) by castles.com (5.x/SMI-SVR4/CASTLES) id AA09899; Mon, 5 May 1997 15:59:27 -0700
Message-Id: <2.2.32.19970505230726.00a4bd04@sparc1.castles.com>
X-Sender: jmcbrea@sparc1.castles.com
X-Mailer: Windows Eudora Pro Version 2.2 (32)
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Mon, 05 May 1997 16:07:26 -0700
To: firewalls@greatcircle.com
From: John McBrearty
Subject: Re: CheckPoint vs Others
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I had written on 5/2/97:

>If you are considering Firewall-1 you should be aware that Checkpoint has
>apparently recently instituted a "hard" policy of off-loading all support to
>VARs....
OK, in fairness to Checkpoint, I did get a response from my VAR on Friday evening, which contained a detailed approach to the technical issues I had raised by email a couple of days earlier. So the system worked in the end, although it took a while.

I also received private email on this issue from Adam Shostack, who asked why I didn't just name the VAR so others could avoid him. As I told Adam, I wanted to give the VAR the benefit of the doubt, in case there were some mitigating circumstance which I didn't know about.

But also, as I told Adam, my main concern was with Checkpoint and its hard-line support policy. I realize that Checkpoint needs to support its VARs. But, on the other hand, there is no way that Checkpoint can proactively assure that all its VARs will provide exemplary support all the time. Many other companies (HP, Compaq, Digital, Cisco, etc.) seek to work through VARs but also provide at least some modicum of tech support, including answering questions from bona fide customers and providing extensive Web-based documentation and FAQs. I think that Checkpoint's approach to support may hurt itself and its VARs in the long run.

John McBrearty
Pleasant Hill, CA 94523
510-974-9171
jmcbrearty@usa.net

From owner-firewalls-outgoing Mon May 5 18:00:55 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id MAA16407 for firewalls-outgoing; Mon, 5 May 1997 12:56:29 -0700 (PDT)
Received: from hq.si.net (hq.si.net [192.156.192.10]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id MAA16248 for ; Mon, 5 May 1997 12:55:48 -0700 (PDT)
Received: from hq.si.net (hq [192.156.192.10]) by hq.si.net (8.8.5/8.7.3) with SMTP id PAA02794; Mon, 5 May 1997 15:59:15 -0400 (EDT)
Date: Mon, 5 May 1997 15:59:15 -0400 (EDT)
From: Ming Lu
To: "Marc D. Jackson"
cc: Jerald Josephs , firewalls@GreatCircle.COM, fw-1-mailinglist@us.checkpoint.com, drexx@pspi.com.ph
Subject: Re: [FW1] [FW-1] [Solaris 2.6] DHCP, VLSM thoughts
In-Reply-To: <199705021453.HAA10734@Xenon.Stanford.EDU>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Fri, 2 May 1997, Marc D. Jackson wrote:
> Jerald Josephs writes:
> >
> >
> >
> >
> > > Anyway, when Solaris 2.6 comes out soon, I believe it will include DHCP
> > > and Variable-Length Subnet Masking (VLSM) support.
>
> Having just purchased this from Sun and having just spoken with their
> rep. I think you may be in error re: VLSM.
>
> > > 2] How will VLSM make firewalling administration any easier/better ?
> > >
> >
> > No, but it will make it easier to subnet your intranet without
> > losing precious IP addresses to a subnet without enough
> > hosts to use all of the addresses.
>
> ? I don't understand this last sentence. My exposure to VLSM indicates
> that it has nothing to do with subnetting your intranet. I ran into
> this problem when trying to route with rip. Specifically, Sun's

Jerald was right! RIP does not recognize VLSM.

> implementation of the routing socket interface is not the industry
> standard. In other words, when you use a Sun machine as a multi-homed
> host with subnetted networks the rip updates are incorrect. The routers
> that we used had no problems at all in dealing with the subnetted
> networks, therefore while we were able to subnet our intranet we had
> problems with using Sun's as any type of router.
>
> mj

mlu

From owner-firewalls-outgoing Mon May 5 18:01:06 1997
Message-ID: <336EFACE.567A@geocities.com>
Date: Tue, 06 May 1997 02:33:02 -0700
From: Gabriel Dura
Reply-To: dura@geocities.com
To: Ziv Dascalu
CC: firewalls@greatcircle.com
Subject: Re: Need to restrict http://www.nude.com and such
References: <336D7E4B.6390@geocities.com>

Hi!

Well I think this is the kind of answer we are looking for here!!! Yes you are right about the existence of other sites without any HTML meta included in the web page... here is another one I just found:

When I said about the laws regulating such sites I didn't mean including that HTML meta... But they all have to have a warning about explicit sexual activity, violence, etc... This is another thing they have in common... Not only words like drugs, sex, etc. So I think that most of these sites can be blocked...

I also agree with what Rabid Wombat said that it is ethical to tell the employees you are monitoring their activity... I think this should be done in any company... Also time sheets are useful anytime not only for this kind of monitoring...

And one more thing... If someone is using company's phone line to call an ISP long distance, for instance, is this ethical? I think privacy is good as long it does not have any effect on company's bills...
No problem if they bring anything on disks as long as this does not mean wasting company's money...

Regards,
Gabriel

Ziv Dascalu wrote:
>
> --- On Sun, 04 May 1997 23:29:31 -0700 Gabriel Dura wrote:
>
> > Sorry but all porn sites I personally checked have that meta included in
> > their header. Please note that every civilised country in the world have
> > regulations about children's access to pornography, violence, etc. I'm
> > sure there is an Internet standard on this subject... And all sites that
> > are placed in such countries must obey the laws...
> >
> > Other such sites have other meta like this one for instance:
> >
> > pornography that don't have any kind of warning in their HTML source and
> > I'll believe you... If you say that most of these web sites don't have
> > it I'm sure you can give me a lot of examples...
> >
> > And yes if your boss wants to restrict access to all personnel to porn
> > sites and prevent all people from abusing the net then it is necessary to
> > do it. You don't need a list of the porn sites to do this... This is
> > just a waste of money...
>
> here are some:
>
> the point is that I do not know of any written law that says that they should use
> these types of META tags.
> there are sites that can be blocked this way and I have found that one of the ways
> list providers update their list is by doing a search like this but there are many
> sites that do not match this META tag.
>
> Monitoring is needed, but monitoring can give you TOO much information. this is exactly why
> you need to define what exactly you want to monitor.
> you can say that you want to log all WWW access but it is better to log only
> the text ones and not the binaries (like gif etc.)
> it is also important to log / monitor / block by specific keywords that exist in the text
> like drugs, sex etc.
> (if you want to do so)
>
> /Ziv Dascalu

From owner-firewalls-outgoing Mon May 5 18:24:32 1997
Message-ID: <336E7325.B14CADEA@tear.com>
Date: Mon, 05 May 1997 16:54:13 -0700
From: Marc Mosko
Organization: Forte Systems
To: "Marc D. Jackson"
CC: Eric.Deschamps@France.Sun.COM, Jerald.Josephs@Ebay.Sun.COM, firewalls@GreatCircle.COM, fw-1-mailinglist@us.checkpoint.com, drexx@pspi.com.ph
Subject: Re: [FW1] [FW-1] [Solaris 2.6] DHCP, VLSM thoughts
References: <199705051842.LAA09206@Xenon.Stanford.EDU>

Marc D. Jackson wrote:
>
> Eric Deschamps writes:
> > > > > 2] How will VLSM make firewalling administration any easier/better ?
> > > >
> > > > No, but it will make it easier to subnet your intranet without
> > > > losing precious IP addresses to a subnet without enough
> > > > hosts to use all of the addresses.
> > >
> > > ? I don't understand this last sentence. My exposure to VLSM indicates
> > > that it has nothing to do with subnetting your intranet. I ran into
> > > this problem when trying to route with rip. Specifically, Sun's
> > > implementation of the routing socket interface is not the industry
> > > standard.
> > > In other words, when you use a Sun machine as a multi-homed
> > > host with subnetted networks the rip updates are incorrect. The routers
> > > that we used had no problems at all in dealing with the subnetted
> > > networks, therefore while we were able to subnet our intranet we had
> > > problems with using Sun's as any type of router.
> > >
> > > mj
> >
> > Marc,
> >
> > It seems that VLSM stands for "variable-length subnet mask", so it looks like
> > it has to do with subnetting your intranet. RIP has no knowledge of subnet
>
> Perhaps this is a problem with terminology. On one machine if I have
> 192.168.100.33, 192.168.100.66, 192.168.100.97 all with the subnet mask
> 255.255.255.224 the rip updates from the machine contain information
> about the various subnets. This would indicate to me that "RIP" *does*
> understand subnetting. Are you saying that the packets on port 520 are
> *not* RIP updates?
>
> mj

*Hosts* running RIP understand static subnet masks (/etc/netmasks), but not variable masks. EIGRP (cisco) and OSPF are the best candidates for an internal gateway protocol that support VLSM.

I work with a client who has 5 class Cs subnetted with anything from 224 to 252 subnet masks, intermixed in the same class Cs. About the only downside is a bigger routing table if you have the subnets spread out across your internetwork since you cannot do summary routes (at least easily...). These subnets have very high utilization, usually over 80%.

In respect to a firewall, you can run gated instead of routed. HP/UX and IRIX both ship w/ gated (as do others). Sun still only ships routed. Gated will do OSPF. Firewall-1, for instance, can be configured to allow OSPF through to the kernel.

--
Marc Mosko
Email: marc@tear.com
Web: http://www.tear.com/

"If anyone runs against or falls on a person's weapons so that as a result he dies, and it is evident that it is the fault of himself alone, then the responsibility shall lie there."
-- Leges Henrici Primi (13th century)

PGP Key available via Public Servers and http://www.tear.com/pgp-key.html

From owner-firewalls-outgoing Mon May 5 19:24:30 1997
Date: Tue, 6 May 1997 02:48:16 +0200
From: Bernd Eckenfels
To: "Marc D. Jackson"
Cc: firewalls@greatcircle.com
Subject: Re: vlsm
References: <199705052123.OAA26021@Xenon.Stanford.EDU>
In-Reply-To: <199705052123.OAA26021@Xenon.Stanford.EDU>; from Marc D. Jackson on Mon, May 05, 1997 at 02:23:19PM -0700

Hi,

> a) RIP does know about subnets, but only for special occasions.

The problem with RIP is, if you mix subnet masks like this:

  10.0.1.0/24      local eth0
  10.0.2.0/24      gw 10.0.1.1
  10.1.0.0/16      gw 10.0.1.1
  193.197.84.0/24  local eth1
  default/0        gw 193.197.84.254

...

Greetings
Bernd

--
  (OO)      -- Bernd_Eckenfels@Wittumstrasse13.76646Bruchsal.de --
 ( .. )     ecki@{inka.de,linux.de,debian.org} http://home.pages.de/~eckes/
  o--o      *plush* 2048/93600EFD eckes@irc +4972573817 BE5-RIPE
(O____O)    If privacy is outlawed only Outlaws have privacy

From owner-firewalls-outgoing Mon May 5 19:40:45 1997
Message-Id: <3.0.1.32.19970506093837.007cc290@pluto.citadel.com.au>
Date: Tue, 06 May 1997 09:38:37 +1000
To: Firewalls@GreatCircle.COM
From: Aaron Everingham
Subject: Load Sharing

Maybe someone can help....

I have 20+ ISDN lines coming into 6 or so routers. I want to connect them to a Cisco Catalyst switch with two Network interfaces on the inside. Each NI will connect to a Cisco Router which in turn connect to Gauntlet Internet Firewalls (BSDI). The DMZ NI of each firewall then connects to a hub which connects devices (Solaris servers) in the DMZ. The Gauntlets also then connect to another Cisco and then onto the LAN.

Here are my questions...

1. Does anyone know how I could do load sharing between the two paths of the firewall?
2. If not, is there a way to make one of the paths redundant?
I have thought of using RIP or something similar but would like to know if anyone has a better idea?

Citadel Security Management Systems
Aaron Everingham - Northern Regions Manager
aaron@citadel.com.au
Ph: +61 02 9211 8700  Fax: +61 02 9211 8701
Suite 1, 330 Wattle Street Ultimo NSW 2007 Australia
'It's all about being digital' - Negroponte

From owner-firewalls-outgoing Mon May 5 19:40:55 1997
Message-ID: <336EF58F.1842@geocities.com>
Date: Tue, 06 May 1997 02:10:39 -0700
From: Gabriel Dura
Reply-To: dura@geocities.com
To: "Eric V. Smith"
CC: firewalls@greatcircle.com
Subject: Re: Need to restrict http://www.nude.com and such
References: <01BC58B0.DF0052C0@carew.windsor.com>

Eric,

I personally tested the Content Advisor from MS Internet Explorer 3.0 for Windows 95 with a lot of sites not suitable for children... Most of them were porn sites... And I can swear that nothing happens when you access it... The content advisor seems to be just a nice thing with some buttons, a few windows, a supervisor password you can assign and that's all... I have never seen it working... Maybe other people did but I didn't...

It is not the first time when Microsoft does this... I also saw a printer driver included in Windows 95 installation CD-ROM... I'm not sure but I think it was for a HP laser printer...
The same thing: lots of wonderful buttons, windows, adjustments for printer, etc. but no effect in real life...

I think that's my story... If you have any further questions on this I'll try to answer you...

Regards,
Gabriel

Eric V. Smith wrote:
>
> Gabriel Dura said:
> > < about restricting access to sites based on content >
> >
> > The MS Internet Explorer have such an option about restricting the
> > access to violence and pornography... Too bad they have so many security
> > bugs... It could have been successfully used in this case... The idea is
> > good but the implementation is bad...
>
> In what way is the implementation bad? Do you have some facts or pointers you could share?
>
> Eric.

From owner-firewalls-outgoing Mon May 5 19:41:04 1997
Message-ID: <336E79E4.68FBB4AB@internet.kexin.co.kr>
Date: Tue, 06 May 1997 09:23:00 +0900
From: Jungjun Lee
Reply-To: cloud@kexin.co.kr
Organization: kexin
To: "firewalls@GreatCircle.COM"
Subject: How can I configure to save duplicate smap messages?

Hi..

How can I configure to save duplicate smap messages? Is there anyone use this configuration? I use TIS Gauntlet 3.2..
From owner-firewalls-outgoing Mon May 5 19:42:06 1997
Message-ID: <01BC5A0F.7F627720@demo.networx.com.au>
From: "Mr. Leon OBrien"
To: "'dura@geocities.com'", "Eric V. Smith"
Cc: "firewalls@greatcircle.com"
Subject: RE: Need to restrict http://www.nude.com and such
Date: Tue, 6 May 1997 11:20:04 +1000

The Microsoft Content Advisor only works with sites that have a registered Content ID applied to the HTML. Sorry for the lack of facts and links to references but for the content advisor to work properly the HTMLer needs to submit their Webpage to a Content Advisory Committee and they determine what rating it is given. Currently I haven't found 1 site that supports it, but that doesn't mean that this is a feature of Microsoft's IE product that just doesn't work.... When HTML designers are made to provide a content rating on their pages then the feature probably will work, hopefully :-)

Leon

-----Original Message-----
From: Gabriel Dura [SMTP:dura@geocities.com]
Sent: Tuesday, 6 May 1997 19:11
To: Eric V. Smith
Cc: firewalls@greatcircle.com
Subject: Re: Need to restrict http://www.nude.com and such
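The RIP/VLSM exchange in this digest (Marc D. Jackson's three /27 interfaces, Bernd Eckenfels' mixed-mask table, and Harry Mantakos' point that a RIPv1 entry carries no subnet mask) can be made concrete with an added example that is not code from any message in the thread. It builds constructed RIPv1 and RIPv2 response packets, decodes them, and applies the only mask inference a RIPv1 receiver has: borrow the mask of its own interface on the same classful network. Packet layout follows RFC 1058 and RFC 2453; the host-route fallback for a subnet of a foreign classful network is this example's assumption, not something the thread states.

```python
"""Added example: why a RIPv1 update cannot carry the masks VLSM needs.

RIPv1 entries (RFC 1058) hold a 32-bit address and no mask; RIPv2 (RFC 2453)
adds a mask word.  infer_mask_v1() is the inference a RIPv1 receiver is left
with.  The host-route fallback for foreign subnets is this example's
assumption; real implementations differ in that case.
"""
import ipaddress
import struct

RIP_RESPONSE = 2
AF_INET = 2
ENTRY_FMT = "!HHIIII"  # family, tag/zero, address, mask/zero, nexthop/zero, metric


def build_rip(version, entries):
    """Build a RIP response.  entries: (network, mask or None, metric)."""
    pkt = struct.pack("!BBH", RIP_RESPONSE, version, 0)
    for net, mask, metric in entries:
        addr = int(ipaddress.IPv4Address(net))
        # RIPv1: the mask and next-hop words must be zero; RIPv2 fills the mask.
        mask_word = int(ipaddress.IPv4Address(mask)) if version == 2 and mask else 0
        pkt += struct.pack(ENTRY_FMT, AF_INET, 0, addr, mask_word, 0, metric)
    return pkt


def parse_rip(pkt):
    """Decode a RIP response into (version, [(network, mask or None, metric)])."""
    _cmd, version, _zero = struct.unpack("!BBH", pkt[:4])
    size = struct.calcsize(ENTRY_FMT)
    entries = []
    for off in range(4, len(pkt), size):
        _fam, _tag, addr, mask, _nh, metric = struct.unpack(ENTRY_FMT, pkt[off:off + size])
        mask_str = str(ipaddress.IPv4Address(mask)) if version == 2 else None
        entries.append((str(ipaddress.IPv4Address(addr)), mask_str, metric))
    return version, entries


def classful_prefix(addr):
    """Class A/B/C prefix length, all a RIPv1 receiver can read off the address."""
    first_octet = int(addr) >> 24
    return 8 if first_octet < 128 else 16 if first_octet < 192 else 24


def infer_mask_v1(advertised, local_ifaces):
    """Route a RIPv1 receiver installs for an entry that carries no mask.
    local_ifaces: the receiver's own interfaces as 'addr/len' strings."""
    addr = ipaddress.IPv4Address(advertised)
    cls = classful_prefix(addr)
    classful_net = ipaddress.ip_network(f"{advertised}/{cls}", strict=False)
    for iface in local_ifaces:
        i = ipaddress.ip_interface(iface)
        if ipaddress.ip_network(f"{i.ip}/{cls}", strict=False) == classful_net:
            # Same classful network as one of our interfaces: assume that
            # interface's mask applies to every subnet of it (no VLSM).
            return str(ipaddress.ip_network(f"{advertised}/{i.network.prefixlen}", strict=False))
    if int(addr) & ((1 << (32 - cls)) - 1):
        # Host bits set and no local interface to borrow a mask from.
        # Assumption of this example: install a host route.
        return f"{advertised}/32"
    return str(classful_net)


def route_for_v2(advertised, mask):
    """RIPv2 carries the mask, so the receiver needs no inference."""
    return str(ipaddress.ip_network(f"{advertised}/{mask}", strict=False))


def covers(route, host):
    """Does the installed route reach this host?"""
    return ipaddress.IPv4Address(host) in ipaddress.ip_network(route)


if __name__ == "__main__":
    # Bernd's table: 10.0.1.0/24 is local, 10.1.0.0/16 is learned via 10.0.1.1.
    _, v1_entries = parse_rip(build_rip(1, [("10.1.0.0", None, 1)]))
    for net, _mask, _metric in v1_entries:
        route = infer_mask_v1(net, ["10.0.1.2/24"])
        print(f"RIPv1 {net} (no mask) -> {route}; reaches 10.1.5.1? {covers(route, '10.1.5.1')}")
    _, v2_entries = parse_rip(build_rip(2, [("10.1.0.0", "255.255.0.0", 1)]))
    for net, mask, _metric in v2_entries:
        route = route_for_v2(net, mask)
        print(f"RIPv2 {net}/{mask} -> {route}; reaches 10.1.5.1? {covers(route, '10.1.5.1')}")
    # Marc's multihomed host with /27s in 192.168.100.0: correct for a neighbour
    # holding a /27 on that class C, a bare host route for anyone else.
    print(infer_mask_v1("192.168.100.64", ["192.168.100.3/27"]))
    print(infer_mask_v1("192.168.100.64", ["10.0.1.2/24"]))
```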
From owner-firewalls-outgoing Mon May 5 20:54:37 1997
Message-Id: <199705060327.XAA00479@kiri.meretrix.com>
To: "Marc D. Jackson"
cc: firewalls@GreatCircle.COM
Subject: Re: vlsm
In-reply-to: Your message of "Mon, 05 May 1997 14:23:19 PDT." <199705052123.OAA26021@Xenon.Stanford.EDU>
Date: Mon, 05 May 1997 23:27:02 -0400
From: Harry Mantakos

>... Therefore, 1 of 2 things must be true.
>
>a) RIP does know about subnets, but only for special occasions.
>b) RIP doesn't know about subnets. In which case something is
>masquerading as a RIP update.
>
>Which is it?

A router running RIPv1 can certainly advertise subnets. The problem is that RIPv1 packets contain only a 32 bit network address without subnet mask information. When a RIPv1 packet contains a network address that looks like a subnet (it has bits set in the "host" portion of the classful address), about the only thing the recipient can do to determine the subnet mask is to see if it has an interface on that same network (where network means classful A, B, or C network) and assume that any addresses it sees in that network share the network mask that it has for its own interface on that network (i.e. it assumes that the network uses the same subnet mask for all subnets, that it is not using VLSM).
RIPv2 passes around masks with every network address, so VLSM isn't a problem.

-harry
-----------------------------------------------------------------------------
Human: Harry Mantakos
USPS: 547 E. Gittings St. Baltimore, MD 21230
Email: harry@meretrix.com
Evil Twins: harry@torrentnet.com, harry@cs.umd.edu

From owner-firewalls-outgoing Mon May 5 21:09:42 1997
Message-Id: <2.2.32.19970506030718.006e4880@diablo.cisco.com>
Date: Mon, 05 May 1997 22:07:18 -0500
To: "Gene Amdur"
From: Chris Lonvick
Subject: Re: Firewalls-Digest V6 #187
Cc: Sandeep_Talwar@INDIA.notes.pwa.co.in, Firewalls@GreatCircle.COM

Hello Gene,

I've had some private conversations and was pointed to some online references that say that _any_ shipment of strong encryption must comply with the DoC regulations. (That was some interesting reading.) My original misconceptions are now corrected. Thanks.

I still think, however, that Sandeep should contact Checkpoint to see if they can help his company get the export license (or whatever they may need) to export a firewall to their Calcutta office. Of course, as you say, "before they buy".

Your analogy to an atom bomb brings up an interesting point.
Do you suppose that the various governments which also prohibit the export of nuclear material (like crypto) have export permits for each bomb? I suppose that they would technically fall under the terms of "export" if they were to shoot one off. Hmmm.. could this be a new way of preventing wars?

I do know that the US Government does understand that these algorithms are publicly available. I found that in the online version of the EAR at http://bxa.fedworld.gov/ in Part 732.2. Many thanks to the people I had private conversations with who pointed me towards pages like these. I now have a much better understanding of what the EAR defines as an "export".

Thanks,
Chris Lonvick
Cisco Systems Consulting Engineering
Houston, TX, USA
+1.713.778.5663

At 04:26 PM 5/5/97 -0400, Gene Amdur wrote:
> | My own understanding (may be more/less/equally wrong) is that a US
> | company can purchase any dang thing they want. They can also ship
> | it around the world as long as they maintain control of it. This
> | shouldn't fall into the DoC regulations since they're not _exporting_
> | it for resale (and it won't fall into the hands of people who may
> | want to "harm national security and foreign policy interests" (taken
> | from Clinton's executive order)).
> |
> | Sandeep: If Price Waterhouse is a US company, have your US office
> | contact Checkpoint to see if they (your US office) can buy a pair
> | of the things (with strong encryption) and ship one to Calcutta.
> | Please write back to the group and let us know.
> |
> | I'm actually just trying to be an
> | engineer and don't know beans about export control restrictions.
>
>Well if you were to follow the above advice you would be guilty of exporting
>restricted arms from the US. My guess is you really don't want that since
>the US government can be very nasty about that law.
>
>The law states (in a very simplified form) that strong crypto is equivalent to
>atom bombs (okay it doesn't quite say that :-) but basically that is it). And
>if you sell one to someone that is not in US or Canada you can go to jail for
>a long time. And more over, if you give one to someone that is not in US or
>Canada you can go to jail for a long time. Even if the someone is yourself in
>a foreign office.
>
>You can go to the Department of Commerce (I think) and get special
>dispensation to ship strong crypto for your foreign offices but you should do
>that *before* shipping the products.
>
>I know this because our product includes strong cryptography and we are
>forever haggling with the US government over what we can and cannot sell
>outside of US/Canada.
>
>If only someone could make them understand that these algorithms are public
>knowledge...sigh.
>
>Gene Amdur
>Secure Computing Canada
>Development Team Leader

From owner-firewalls-outgoing Mon May 5 21:48:16 1997
Message-Id: <3.0.1.32.19970505201404.00a77140@mail.teleport.com>
Date: Mon, 05 May 1997 20:14:04 -0700
To: Rabid Wombat
From: Alan Olsen
Subject: Re: Need to restrict http://www.nude.com and such
Cc: Alan, Dominick Glavach, firewalls@GreatCircle.COM

At 12:23 PM 5/5/97 -0400, Rabid Wombat wrote:
>
>On Fri, 2 May 1997, Alan wrote:
>
>> On Fri, 2 May 1997, Dominick Glavach wrote:
>>
>> > I know this is slightly off topic but I have need some advice or some products
>> > that will restrict http access to sites such as www.porn.com. Aside from
>> > building an exhaustive list on my proxy what else can I do. Thanks for the
>> > help.
>>
>> Try finding the wire leading from your firewall out to the Internet. Take
>> a large pair of wire cutters and cut that wire. (Be careful not to
>> confuse the power cord with this wire.)
>>
>> Filters are semi-useful at best. Since any of these filters can be
>> bypassed by web proxies, you will only filter out the more clueless of
>> your userbase. (Middle managers and sales people and the like.) You are
>> better off either cutting off access to the net to all (or most) of your
>> users or deal with problems as they occur.
>>
>> I have seen actions like this taken before. Someone in management gets a
>> hair up their ass about "people for surfing for porn at work", and instead
>> of doing something that would require real hands on involvement, make a
>> request that puts the burden on another department. This sort of
>> management has all sorts of ramifications that are never taken into
>> account. It shows that management does not trust them. It makes the
>> lives of those who do need to use the net more difficult. (Especially
>> since many of these filters are overbroad and restrict legit sites.) It
>> also breeds contempt for both management and IS. All in all, not the best
>> situation.
>>
>> If you are really wanting to deal with the "problem", I suggest using a
>> log on your web proxy and then deal with people who abuse the situation.
>> Filtering will cause more hassles than they will solve.
>>
>
>I agree with Alan; I also think that when you start censoring traffic,
>you are, essentially, becoming a content provider, and *might* find a
>different set of rules applied to your organization for outbound content
>originating at your site. This is a Bad Thing(tm). I am not a lawyer, but I
>suggest you check with one in regard to this.

I do not do any filtering on the firewall I manage. I suggested it as _A_ solution, not as something I would use myself. Personally I find the idea that employers need to monitor their employees every waking moment repugnant.

>I recommend that your organization formally notify its users that
>professional standards apply to the use of corporate computer equipment
>and network connections, just as they do to the use of corporate
>telephones, fax machines, and other resources. Detailing this in a memo,
>as well as in the next revision of the employee handbook is a good way to
>handle this.
>
>Most companies allow limited personal use of company resources without
>explicit limits; the computer equipment/network need not be different. If
>your company lets you call and make an appointment with your doctor,
>check up on child care, etc. from work, you probably fall into this
>category. Most people can see the difference between this and calling
>Uncle Bob in Katmandu for three hours a day on the company dime.
>
>Applying professional standards to personal use should be sufficient.
>
>Simply set up logging capability, and make sure that users are formally
>told that such capability exists. Formally define where the "right to
>privacy" ends. I would suggest that your policy be to log all site access
>and mail traffic, but that policy also dictate that no review of logs be
>performed without some "outside" probable cause, documented in an
>official memo.

I have an easier solution for most of them. I just don't tell them the number of the internal DNS server.
If they want access bad enough to get that info (and/or learn how to use it), then they can do whatever. (But there are few users there who even know how to spell DNS, let alone what it is used for...)

>For example; your postmaster receives email requesting information
>regarding harassing email that appears to be originating from an address
>at your site. The MIS director issues a memo to a member of the IS staff
>to review the mail logs specifically to determine if such activity is
>taking place. Or: A worker complains that the person in the next cubicle
>frequently views offensive material on their PC; that person's supervisor
>sends a memo to MIS asking that the logs be reviewed to determine if such
>actions are taking place.
>
>This protects your organization from violating an employee's "reasonable
>expectation of privacy", as long as the guidelines for use of equipment,
>logging capability, and review of such logs have been spelled out.

There are no such expectations because I have told them that it is not private. (I have told them if they need that level of privacy, I will be glad to show them how to use PGP.)

>I've also found that formally publishing such a policy is usually a
>significant deterrent, as most of your "violators" will stop if they know
>that their use patterns are being logged somewhere.

I am lucky in that I do not have those problems. Few people know enough of what they can do to become a problem. Those who do have the knowledge know what I could do to stop any difficulty from becoming a "problem".

>Be alert for people who try to "burn" a co-worker by accessing "banned"
>sites from that user's station, and then getting someone to log a
>complaint; I've seen incidents like this as well. Best to set up policy
>that protects the company's interests, deters most casual abuse, etc.,
>without turning MIS into the Info-Gestapo.

Since there are no "banned" sites, there is not a problem with this.
(Of course, the upper corporate offices may have a policy on this, but what they don't know won't hurt me...) >Note, before starting a flame war / debate: >I'm against censorship, in general, and think that people should be able >to read/publish what they like. I don't think that their employer should >be obligated to provide them the printing press, or pay them to indulge >in their personal pursuits on company time. Home access is cheap. Read/write >all you want from there. That is (almost) exactly what I tell my users. Most of them have little time to goof off anyways. None of it is ever done on the net. (It is done by adhearing to various management fads and other such time wasters.) -----BEGIN PGP SIGNATURE----- Version: 4.5 iQEVAwUBM26h7+QCP3v30CeZAQGY5Qf8C/WNUo3Ju88qvcUv76ffZ9genxNbS4s0 H2w71DWOsqsDxORq1f8rjBZeJhq4Q0TYZszTuYymxp5rGhwu3fvw2aGK7hFDytCQ 9t3ycFSF94PUJ9zqN2c86W5PwV2292IeeL7+rRFiPE4A2zrd9Z1p5fJf2CyFcbY7 RpqqQ5a7GKNxsqL50Mr2jEXXVRqVbJMVMvrRhFtbL3iXjsYYU/QPHdW/ssiVB/cE +cVfJdFwHYoBl2Wbu1MhyZCj0hP9dgZir3V5yTY2/6S9HHhxHJUnWMPOXsOx0NLV p2ALfLVQOvjPKczioMYWP/7MYb1rRC6Rew5RTrHL9uFAA5xSyEw/hw== =rwQ0 -----END PGP SIGNATURE----- --- | "Mi Tio es infermo, pero la carretera es verde!" | |"The moral PGP Diffie taught Zimmermann unites all| Disclaimer: | | mankind free in one-key-steganography-privacy!" 
| Ignore the man | |`finger -l alano@teleport.com` for PGP 2.6.2 key | behind the keyboard.| | http://www.ctrl-alt-del.com/~alan/ |alan@ctrl-alt-del.com| From owner-firewalls-outgoing Mon May 5 22:09:31 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id WAA08590 for firewalls-outgoing; Mon, 5 May 1997 22:07:42 -0700 (PDT) Received: from mailrelay.tiac.net ([199.0.65.237]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id WAA08582 for ; Mon, 5 May 1997 22:07:37 -0700 (PDT) Received: from wotan.icenetsys.com ([206.119.11.248]) by mailrelay.tiac.net (8.8.5/) with SMTP id BAA18351 for ; Tue, 6 May 1997 01:10:35 -0400 (EDT) Message-Id: <2.2.32.19970506061313.0194092c@pop.tiac.net> X-Sender: rhill@pop.tiac.net X-Mailer: Windows Eudora Pro Version 2.2 (32) Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Date: Tue, 06 May 1997 02:13:13 -0400 To: firewalls@GreatCircle.COM From: "Richard A. Hill" Subject: Re: Need to restrict http://www.nude.com and such Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Well, I'll add my two cents worth in brief. Unless you are experiencing complaints of email-harrassment, or you have incidents of "offensive" material being displayed to persons who do now wish to see it, It is ALWAYS going to cost more in time and energy to play facist, than you will save. I have a personal dislike for any kind of censorship that is not specifically aimed at curbing harrassment. I feel that if your employees, co-workers, or whatever are being productive and doing their jobs at expected (or better) levels, then you are getting what you pay them for. Enough ! Their privacy overrules any sqeamish desire of yours to play Papa. (or Mama ..) Over the last year, I watched a harassment accusation at a former employer's almost blow up into an expensive court case, but for some common sense from a judge: "You say he has offensive materials on the walls of his office?" 
"yes" "Do you work in his office ?" "no" "Can you see this material from outside the office ?" "no" "Do you ever have to go into his office as part of your job, or has he ever asked you into his office ?" "no" "Well then; I think I have the solution. Don't go into his office" "But I don't think he should have those pictures on the walls" "And I don't think this case belongs in court, but we can't get all we want, now can we." {Above is very close to actual dialogue" By all means, set up logging and tracking procedures to be used if a harassment or similar complaint is brought, as well as evidencing a policy of not tolerating sexual bullies, but stay out of other peoples lives as much as possible. As has already been said, if you are editing content, you risk being held responsible for what you let through, as much as what you do not. I know this goes against our growing "Big-Brother" syndrome of protecting people against themselves, but I'll always choose freedom over order Richard From owner-firewalls-outgoing Mon May 5 23:09:39 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id XAA17729 for firewalls-outgoing; Mon, 5 May 1997 23:06:41 -0700 (PDT) Received: from repsolf.repsol.es (repsolf.repsol.es [194.196.84.2]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id XAA17701 for ; Mon, 5 May 1997 23:06:32 -0700 (PDT) From: Microsoft_Exchange_Connector_for_Lotus_cc:Mail_at_SPAMADALVAHB3@GTWIBM2.repsol.es Received: from [91.1.4.15] by repsolf.repsol.es (AIX 4.1/UCB 5.64/1.00) id AA31614; Tue, 6 May 1997 09:07:02 +0200 Received: from cc:Mail by GTWIBM2.repsol.es id AA862931400; Tue, 06 May 97 08:06:00 GMT Date: Tue, 06 May 97 08:06:00 GMT Message-Id: <9704068629.AA862931400@GTWIBM2.repsol.es> To: Firewalls@GreatCircle.COM Subject: Undeliverable: Firewalls-Digest V6 #201 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Your message was not delivered to all recipients. 
Subject: Firewalls-Digest V6 #201 Sent: 5/6/97 12:10:00 PM The following email address(es) were unknown: BETRAN FERNANDEZ JOSE at PYDESTEC_50 From owner-firewalls-outgoing Mon May 5 23:25:10 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id XAA18528 for firewalls-outgoing; Mon, 5 May 1997 23:10:59 -0700 (PDT) Received: from repsolf.repsol.es (repsolf.repsol.es [194.196.84.2]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id XAA18426 for ; Mon, 5 May 1997 23:10:31 -0700 (PDT) From: Microsoft_Exchange_Connector_for_Lotus_cc:Mail_at_SPAMADALVAHB3@GTWIBM2.repsol.es Received: from [91.1.4.15] by repsolf.repsol.es (AIX 4.1/UCB 5.64/1.00) id AA78216; Tue, 6 May 1997 09:11:01 +0200 Received: from cc:Mail by GTWIBM2.repsol.es id AA862931640; Tue, 06 May 97 08:07:00 GMT Date: Tue, 06 May 97 08:07:00 GMT Message-Id: <9704068629.AA862931640@GTWIBM2.repsol.es> To: Firewalls@GreatCircle.COM Subject: Undeliverable: Firewalls-Digest V6 #202 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Your message was not delivered to all recipients. Subject: Firewalls-Digest V6 #202 Sent: 5/6/97 7:56:00 AM The following email address(es) were unknown: BETRAN FERNANDEZ JOSE at PYDESTEC_50 From owner-firewalls-outgoing Mon May 5 23:39:41 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id XAA19220 for firewalls-outgoing; Mon, 5 May 1997 23:14:36 -0700 (PDT) Received: from office.lemon.net (office.lemon.net [194.159.1.30]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id XAA19208 for ; Mon, 5 May 1997 23:14:27 -0700 (PDT) Received: from samsara (samsara.lemon.net [194.159.1.32]) by office.lemon.net (8.7.4/8.7.3) with ESMTP id HAA10504; Tue, 6 May 1997 07:16:35 +0100 (BST) Message-ID: <336EDDD8.89F98802@lemon.net> Date: Tue, 06 May 1997 07:29:29 +0000 From: "Gregory R. Block" Organization: Lemon Internet, Unltd. 
X-Mailer: Mozilla 4.0b4 [en] (WinNT; I) MIME-Version: 1.0 To: MSITMI02.XZ46G8@eds.com CC: Firewalls@GreatCircle.com Subject: Re: Need to restrict http://www.nude.com X-Priority: 3 (Normal) References: <0095000011433556000002*@MHS> Content-Type: text/plain; charset=iso-8859-1 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

MSITMI02.XZ46G8@eds.com wrote:

> Anyone ever realised what a great denial of service attack it is to get
> your competitor onto one of the automated lists of restricted URLs? It
> could hang around and get propagated for months, years.

Yes; there's a lot of discussion on the fight-censorship list regarding this and other related topics. Blacklisting, in the way that CyberSitter blacklists, is dangerous, plain and simple.

> This has happened. I downloaded a list a while back that denied access to
> the whole domain of demon.co.uk. For those who don't know, it is not a
> satanic objects mail-order or game company but a large UK ISP offering
> mail and web services to thousands of people.

Note: I was previously affiliated with Demon as their Security Administrator.

Yeah, all of d.c.u was blacklisted, because they felt that we didn't respond to pornography properly. Our policy was that we would remove clearly illegal content, through the Internet Watch Foundation, but that we, ourselves, did not make moral judgements about the content of our web and news servers, because it wasn't our place to do so. Because the porn sites weren't immediately removed, we were blacklisted.

I don't believe Demon would have done what they did any differently; I hope they continue to follow that path, even if it isn't the one of least resistance.
Cheers, Greg From owner-firewalls-outgoing Tue May 6 00:10:32 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id XAA26157 for firewalls-outgoing; Mon, 5 May 1997 23:52:01 -0700 (PDT) Received: from prometeo.cps.unizar.es (prometeo.cps.unizar.es [155.210.29.50]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id XAA26011 for ; Mon, 5 May 1997 23:51:25 -0700 (PDT) Received: from moloc.cps.unizar.es (moloc.cps.unizar.es [155.210.29.140]) by prometeo.cps.unizar.es (8.7.5/8.7.3) with ESMTP id IAA01689 for ; Tue, 6 May 1997 08:53:27 +0200 (MET DST) Received: from localhost (davidal@localhost) by moloc.cps.unizar.es (8.7.5/8.7.3) with SMTP id IAA08008 for ; Tue, 6 May 1997 08:53:26 +0200 (MET DST) Date: Tue, 6 May 1997 08:53:26 +0200 (MET DST) From: David Alayeto Salvador To: firewalls@GreatCircle.COM Subject: Config Files Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk I would like to see some examples of some of the configuration files needed to set up a firewall properly. I'm in the doubt of believing a firewall is just a way to name a set of components which work together to provide security to a site. Please explain to me the real meaning of the term "firewall". Is it based on software or hardware? 
Thanks in advance

*************************************************
* David Alayeto Salvador
* E-mail addresses:
*   davidal@prometeo.cps.unizar.es
*   davidal@oja.cps.unizar.es
* Quinto de Ingenieria Informatica - CPS
*************************************************

-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: 2.6.i

mQBtAjJ3V/gAAAEDAM8Bb3yhVsdnMbjNU0kkfRmaXZlfI5wn50Syhap1/ObBLcQ2
xLdAoGJTYhHjVD89vMRnYdduOSUaHQLifPMJCCJA3wS4ji9mfagrNOgK7jIkU7bO
Fjp5tbnP+LTqgMxcKQAFEbQ3RGF2aWQgQWxheWV0byBTYWx2YWRvciA8ZGF2aWRh
bEBwcm9tZXRlby5jcHMudW5pemFyLmVzPg==
=vuMi
-----END PGP PUBLIC KEY BLOCK-----

From owner-firewalls-outgoing Tue May 6 00:24:38 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id XAA24622 for firewalls-outgoing; Mon, 5 May 1997 23:44:30 -0700 (PDT) Received: from hp00086.ina.de (hp00086.ina.de [159.51.6.8]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id XAA24516 for ; Mon, 5 May 1997 23:44:05 -0700 (PDT) Received: from hp00002.koi.ina.de (hp00002.ina.de) by hp00086.ina.de with ESMTP (1.37.109.18/INA-1.0-SER) id AA100821035; Tue, 6 May 1997 08:43:56 +0200 Received: from pc00874.ina.de by koi.ina.de with SMTP (1.37.109.24/INA-1.0) id AA284001485; Tue, 6 May 1997 08:51:25 +0200 Received: by pc00874.ina.de with Microsoft Mail id <01BC59F9.D98D34D0@pc00874.ina.de>; Tue, 6 May 1997 08:45:29 +0200 Message-Id: <01BC59F9.D98D34D0@pc00874.ina.de> From: Basil McCrea To: "'firewalls@greatcircle.com'" Subject: Checkpoint's Firewall-1 3.0 Date: Tue, 6 May 1997 08:45:27 +0200 Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: quoted-printable Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Hi,

We just upgraded from FW-1 2.1 to 3.0 and we are having some problems with the included proxies, in particular "asmtpd" and "aftpd".

The asmtpd doesn't seem to want to talk to mail servers which want to speak ESMTP; the connection is dropped as soon as the remote (or local) server answers with "ESMTP spoken here".

After running for a while (a couple of hours to a couple of days) the ftp proxy starts causing problems. Connections are dropped during file transfers, the ftp GET command just returns "Current working directory is:" but doesn't get the file, and ftp's from a Web Browser sometimes return errors from the proxy about "Illegal response from server". The illegal response seems to be referring to the greeting from the ftp server. If the proxy is removed everything works fine except that we can't

Has anyone had similar experiences? We have passed this on to our VAR and have been waiting almost 3 weeks without any constructive suggestions.

Also, the release notes say that the included Virus-Scanner from Cheyenne cannot (doesn't) scan .zip files or email attachments; can anyone confirm this? What good is a virus scanner that doesn't scan such files?

TIA

Basil McCrea
INA Schaeffler KG
91074 Herzogenaurach
Germany

From owner-firewalls-outgoing Tue May 6 00:41:34 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id XAA22828 for firewalls-outgoing; Mon, 5 May 1997 23:35:10 -0700 (PDT) Received: from mail.securities.com (market.securities.com [207.239.52.4]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id XAA22709 for ; Mon, 5 May 1997 23:34:47 -0700 (PDT) Received: by mail.securities.com (Smail3.2.0.91 #1) id m0wObiV-000QY3C; Tue, 6 May 1997 00:19:07 -0400 (EDT) Date: Tue, 6 May 1997 00:19:07 -0400 (EDT) From: Sameer Anja To: Gabriel Dura cc: "Eric V. Smith" , firewalls@greatcircle.com Subject: Re: Need to restrict http://www.nude.com and such In-Reply-To: <336EF58F.1842@geocities.com> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Organization: Internet Securities, Inc. Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Try Explorer 3.1, they would have fixed it in this version. Don't remember, but I think they have done it.

-sam

On Tue, 6 May 1997, Gabriel Dura wrote:

> Date: Tue, 06 May 1997 02:10:39 -0700
> From: Gabriel Dura
> To: "Eric V. Smith"
> Cc: firewalls@greatcircle.com
> Subject: Re: Need to restrict http://www.nude.com and such
>
> Eric,
>
> I personally tested the Content Advisor from MS Internet Explorer 3.0
> for Windows 95 with a lot of sites not suitable for children... Most
> of them were porn sites... And I can swear that nothing happens when you
> access it... The content advisor seems to be just a nice thing with some
> buttons, a few windows, a supervisor password you can assign and that's
> all... I never saw it working... Maybe other people did but I didn't...
>
> It is not the first time when Microsoft does this... I also saw a
> printer driver included in the Windows 95 installation CD-ROM... I'm not sure
> but I think it was for a HP laser printer... The same thing: lots of
> wonderful buttons, windows, adjustments for printer, etc. but no
> effect in real life...
>
> I think that's my story... If you have any further questions on this
> I'll try to answer you...
>
> Regards,
> Gabriel
>
>
> Eric V. Smith wrote:
> >
> > Gabriel Dura said:
> >
> > < about restricting access to sites based on content
> >
> > > The MS Internet Explorer has such an option about restricting the
> > > access to violence and pornography... Too bad they have so many security
> > > bugs... It could have been successfully used in this case... The idea is
> > > good but the implementation is bad...
> >
> > In what way is the implementation bad? Do you have some facts or pointers you could share?
> >
> > Eric.
> >
> >

From owner-firewalls-outgoing Tue May 6 02:09:34 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id CAA15232 for firewalls-outgoing; Tue, 6 May 1997 02:05:50 -0700 (PDT) Received: from internic.uob.bh ([193.188.12.10]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id CAA15215 for ; Tue, 6 May 1997 02:05:35 -0700 (PDT) Received: from hisham.uob.bh ([193.188.12.229]) by internic.uob.bh (Netscape Mail Server v2.0) with SMTP id AAA1336 for ; Tue, 6 May 1997 12:11:18 +0300 Message-ID: <336EF4AB.3122@admin.uob.bh> Date: Tue, 06 May 1997 12:06:51 +0300 From: Hisham Al Saad Reply-To: hisham@lords.com Organization: UOB X-Mailer: Mozilla 3.01Gold (Win95; I) MIME-Version: 1.0 To: Firewalls@GreatCircle.COM Subject: Proxy admin error Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Hi,

I have installed a Netscape Proxy server 2.5 on NT/4.0. It worked fine, but the only problem is that when administering it remotely via web client, it causes the admin service to stop and gives an application error of 'Dr. Watson' stuff, and the server will not accept any accesses either. Has anyone faced that problem and how can it be solved? I would appreciate any information.

Thank you in advance,

=======================
Hisham Al Saad
University of Bahrain
=======================

From owner-firewalls-outgoing Tue May 6 03:54:35 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id DAA20766 for firewalls-outgoing; Tue, 6 May 1997 03:21:47 -0700 (PDT) Received: from mercury.Sun.COM (mercury.Sun.COM [192.9.25.1]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id DAA20700 for ; Tue, 6 May 1997 03:21:25 -0700 (PDT) Received: from France.Sun.COM ([129.157.188.1]) by mercury.Sun.COM (SMI-8.6/mail.byaddr) with SMTP id DAA10647; Tue, 6 May 1997 03:34:42 -0700 Received: from sunaix.France.Sun.COM by France.Sun.COM (SMI-8.6/SMI-SVR4-sd.fkk200) id MAA16030; Tue, 6 May 1997 12:21:15 +0200 Received: from galaxia by sunaix.France.Sun.COM (SMI-8.6/SMI-SVR4) id MAA29866; Tue, 6 May 1997 12:21:09 +0200 Date: Tue, 6 May 1997 12:12:55 +0200 (MET DST) From: Eric Deschamps Reply-To: Eric Deschamps Subject: Re: [FW1] [FW-1] [Solaris 2.6] DHCP, VLSM thoughts To: Marc Mosko Cc: "Marc D. Jackson" , Eric.Deschamps@France.Sun.COM, Jerald.Josephs@Ebay.Sun.COM, firewalls@GreatCircle.COM, fw-1-mailinglist@us.checkpoint.com, drexx@pspi.com.ph In-Reply-To: "Your message with ID" <336E7325.B14CADEA@tear.com> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; CHARSET=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

> In respect to a firewall, you can run gated instead of routed. HP/UX
> and IRIX both ship w/ gated (as do others). Sun still only ships
> routed. Gated will do OSPF. Firewall-1, for instance, can be
> configured to allow OSPF through to the kernel.
>
> --
> Marc Mosko  Email: marc@tear.com
>             Web: http://www.tear.com/

I am not sure that a firewall should deal with routing at all (and with other stuff as well). I like the idea of building a perimeter defense with a firewall doing only filtering (with state engines) and having some proxies for specific applications.
Eric
--
Disclaimer: This is my own opinion and not necessarily that of my employer, Sun Microsystems.

From owner-firewalls-outgoing Tue May 6 04:09:31 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id DAA21204 for firewalls-outgoing; Tue, 6 May 1997 03:26:06 -0700 (PDT) Received: from wizard.abirnet.co.il (wizard.abirnet.co.il [194.90.211.10]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id DAA21101 for ; Tue, 6 May 1997 03:24:59 -0700 (PDT) Received: from ziv.abirnet.co.il (z1.abirnet.co.il [194.90.211.21]) by wizard.abirnet.co.il (8.7.6/8.7.3) with SMTP id SAA15747; Tue, 6 May 1997 18:30:23 +0300 Date: Tue, 6 May 97 13:18:57 Israel Daylight Time From: Ziv Dascalu Subject: Re: Need to restrict http://www.nude.com and such To: "Richard A. Hill" , firewalls@GreatCircle.COM X-Mailer: Chameleon ATX 6.0, Standards Based IntraNet Solutions, NetManage Inc. X-Priority: 3 (Normal) References: <2.2.32.19970506061313.0194092c@pop.tiac.net> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

--- On Tue, 06 May 1997 02:13:13 -0400 "Richard A. Hill" wrote:
>
> Well, I'll add my two cents worth in brief.
> Unless you are experiencing complaints of email harassment, or you have
> incidents of "offensive" material being displayed to persons who do not wish
> to see it, it is ALWAYS going to cost more in time and energy to play
> fascist than you will save.
> I have a personal dislike for any kind of censorship that is not
> specifically aimed at curbing harassment. I feel that if your employees,
> co-workers, or whatever are being productive and doing their jobs at
> expected (or better) levels, then you are getting what you pay them for.
> Enough! Their privacy overrules any squeamish desire of yours to play Papa
> (or Mama..).
>
> Over the last year, I watched a harassment accusation at a former employer's
> almost blow up into an expensive court case, but for some common sense from
> a judge:
>    "You say he has offensive materials on the walls of his office?"
>    "Yes."
>    "Do you work in his office?"
>    "No."
>    "Can you see this material from outside the office?"
>    "No."
>    "Do you ever have to go into his office as part of your job, or has he
>    ever asked you into his office?"
>    "No."
>    "Well then; I think I have the solution. Don't go into his office."
>    "But I don't think he should have those pictures on the walls."
>    "And I don't think this case belongs in court, but we can't get all we
>    want, now can we."
> {Above is very close to actual dialogue}
>
> By all means, set up logging and tracking procedures to be used if a
> harassment or similar complaint is brought, as well as evidencing a policy
> of not tolerating sexual bullies, but stay out of other people's lives as
> much as possible. As has already been said, if you are editing content, you
> risk being held responsible for what you let through as much as for what you do
> not.
>
> I know this goes against our growing "Big-Brother" syndrome of protecting
> people against themselves, but I'll always choose freedom over order
>
>
> Richard
>

WWW browsing may create a situation where the company site name will be logged on a publicly accessed list of sites that have accessed that specific site. Some want to prevent this.

On NNTP posting there is a liability for the employer for what postings are done by his employees.

Ziv Dascalu
ABIRNET
Active Network Protection
http://www.AbirNet.com

From owner-firewalls-outgoing Tue May 6 04:25:09 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id DAA20179 for firewalls-outgoing; Tue, 6 May 1997 03:11:20 -0700 (PDT) Received: from mercury.Sun.COM (mercury.Sun.COM [192.9.25.1]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id DAA20153 for ; Tue, 6 May 1997 03:11:05 -0700 (PDT) Received: from France.Sun.COM ([129.157.188.1]) by mercury.Sun.COM (SMI-8.6/mail.byaddr) with SMTP id DAA09733; Tue, 6 May 1997 03:24:35 -0700 Received: from sunaix.France.Sun.COM by France.Sun.COM (SMI-8.6/SMI-SVR4-sd.fkk200) id MAA15731; Tue, 6 May 1997 12:11:09 +0200 Received: from galaxia by sunaix.France.Sun.COM (SMI-8.6/SMI-SVR4) id MAA29813; Tue, 6 May 1997 12:11:03 +0200 Date: Tue, 6 May 1997 12:02:48 +0200 (MET DST) From: Eric Deschamps Reply-To: Eric Deschamps Subject: Re: [FW1] [FW-1] [Solaris 2.6] DHCP, VLSM thoughts To: "Marc D. Jackson" Cc: Eric.Deschamps@France.Sun.COM, Jerald.Josephs@Ebay.Sun.COM, firewalls@GreatCircle.COM, fw-1-mailinglist@us.checkpoint.com, drexx@pspi.com.ph In-Reply-To: "Your message with ID" <199705051842.LAA09206@Xenon.Stanford.EDU> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; CHARSET=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

> Perhaps this is a problem with terminology. On one machine if I have
>
> 192.168.100.33, 192.168.100.66, 192.168.100.97 all with the subnet mask
> 255.255.255.224 the rip updates from the machine contain information
> about the various subnets. This would indicate to me that "RIP" *does*
> understand subnetting. Are you saying that the packets on port 520 are
> *not* RIP updates?
>
> mj

Here is a small part of RFC 1058:

   "When a host evaluates information that it receives via RIP, its
   interpretation of an address depends upon whether it knows the subnet
   mask that applies to the net. If so, then it is possible to determine
   the meaning of the address. For example, consider net 128.6. It has a
   subnet mask of 255.255.255.0. Thus 128.6.0.0 is a network number,
   128.6.4.0 is a subnet number, and 128.6.4.1 is a host address. However,
   if the host does not know the subnet mask, evaluation of an address may
   be ambiguous. If there is a non-zero host part, there is no clear way
   to determine whether the address represents a subnet number or a host
   address. As a subnet number would be useless without the subnet mask,
   addresses are assumed to represent hosts in this situation.

   In order to avoid this sort of ambiguity, hosts must not send subnet
   routes to hosts that cannot be expected to know the appropriate subnet
   mask. Normally hosts only know the subnet masks for directly-connected
   networks. Therefore, unless special provisions have been made, routes
   to a subnet must not be sent outside the network of which the subnet is
   a part."

I think the last line is self-explanatory about the fact that RIP does not know about subnets.

Another point is, if you look at the format of a RIP message (without the header), you can see that there is no entry for the subnet mask:

   +------------------------------------+
   |             IP address             |
   +------------------------------------+
   |           (must be zero)           |
   +------------------------------------+
   |           (must be zero)           |
   +------------------------------------+
   |               metric               |
   +------------------------------------+

and in RIP v2:

   +------------------------------------+
   |             IP address             |
   +------------------------------------+
   |            subnet mask             |
   +------------------------------------+
   |        next hop IP address         |
   +------------------------------------+
   |               metric               |
   +------------------------------------+

Eric

From owner-firewalls-outgoing Tue May 6 05:10:10 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id EAA29866 for firewalls-outgoing; Tue, 6 May 1997 04:38:27 -0700 (PDT) Received: from mailrelay.tiac.net (mailrelay.tiac.net [199.0.65.237]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id EAA29841 for ; Tue, 6 May 1997 04:38:13 -0700 (PDT) Received: from wotan.icenetsys.com ([206.119.11.248]) by mailrelay.tiac.net (8.8.5/) with SMTP id HAA27506; Tue, 6 May 1997 07:41:51 -0400 (EDT) Message-Id: <2.2.32.19970506124426.0181f8b0@pop.tiac.net> X-Sender: rhill@pop.tiac.net X-Mailer: Windows Eudora Pro Version 2.2 (32) Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Date: Tue, 06 May 1997 08:44:26 -0400 To: gcrum@us-state.gov From: "Richard A. Hill" Subject: Re: Need to restrict http://www.nude.com and such Cc: firewalls@GreatCircle.COM Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

>---------------Original Message---------------
>
> Well, I'll add my two cents worth in brief.
>Unless you are experiencing complaints of email harassment, or you have
>incidents of "offensive" material being displayed to persons who do not wish
>to see it, it is ALWAYS going to cost more in time and energy to play
>fascist than you will save.
> I have a personal dislike for any kind of censorship that is not
>specifically aimed at curbing harassment. I feel that if your employees,
>co-workers, or whatever are being productive and doing their jobs at
>expected (or better) levels, then you are getting what you pay them for.
>Enough! Their privacy overrules any squeamish desire of yours to play Papa
>(or Mama..).
>
>Over the last year, I watched a harassment accusation at a former employer's
>almost blow up into an expensive court case, but for some common sense from
>a judge:
>   "You say he has offensive materials on the walls of his office?"
>   "Yes."
>   "Do you work in his office?"
>   "No."
>   "Can you see this material from outside the office?"
>   "No."
>   "Do you ever have to go into his office as part of your job, or has he
>   ever asked you into his office?"
>   "No."
>   "Well then; I think I have the solution. Don't go into his office."
>   "But I don't think he should have those pictures on the walls."
>   "And I don't think this case belongs in court, but we can't get all we
>   want, now can we."
>{Above is very close to actual dialogue}
>
>By all means, set up logging and tracking procedures to be used if a
>harassment or similar complaint is brought, as well as evidencing a policy
>of not tolerating sexual bullies, but stay out of other people's lives as
>much as possible. As has already been said, if you are editing content, you
>risk being held responsible for what you let through as much as for what you do
>not.
>
>I know this goes against our growing "Big-Brother" syndrome of protecting
>people against themselves, but I'll always choose freedom over order
>
>
>Richard
>

At 07:00 5/6/97 PDT, you wrote:
>Richard, I agree with you in principle, as I have many things
>that I can do with my time, but understand something here.
>If I employ someone to do a job, and instead of doing his job,
>he goes out on the internet and looks at porno all day, he isn't
>being productive is he. It really isn't a porno issue. He could
>just as easily be getting 200 emails a day from some list server
>with jokes on it. It really doesn't matter. He is stealing from
>me. Now, if I have hundreds of employees doing the same thing,
>I have really cut into my bottom line. I have seen certain times
>when one user on several lists has tied up email so badly, that
>they have rendered the email server useless, and everyone else is
>affected because of one or two users hogging the existing bandwidth.
>I don't like it either, but it is the world we work in. Now if
>recent legal cases are any indication, if this guy sits on the net
>all day, and starts sending threatening emails or sexually oriented
>material via my system, I can be liable for this in court and could
>be sued. Far fetched? Not hardly, it has already been done. I think
>it is a prudent action to monitor content. Just think what the press
>would do if they found out that the Vice President was using White House
>computers to solicit funds for re-election. Whoops, he did, and might
>just have to resign for it, or maybe go to jail for his crimes or something.
>You see, sticking our heads into the sand is not the only answer available.
>Sometimes costs are not measured in dollars and cents.

Yes, but bandwidth issues can be dealt with using technical solutions. It is not a matter of sticking your head in the sand. You miss my point. It will ALWAYS cost more for you to paternalize. I mentioned having the logging and tracing in effect for just such a legal problem as you bring up. The key is that I am NOT wasting the time or energy having these logs or traces touched UNTIL someone brings a complaint. THEN you have the facts to disprove or support the complaint.

It's like the Israeli solution to terrorism during the 1973 six day war which worked very well but was not deemed "Acceptable" by later ministers or the US. You WILL be searched and your luggage examined. We WILL cart your ass off in a bag if we find explosives or weapons. Your rights are not being violated because we do NOT care what else we find, drugs, money, etc. These are none of our business.

1  My business is running my business and keeping it safe legally and economically.
2  My business is NOT overseeing my employees' every move.
3  If I hire someone, I expect them to do their job.
4  If I cannot tell if they are doing their job, I should not have mine.
5  If they are doing their job, then what else they do on their breaks or lunches is NONE OF MY BUSINESS unless they are doing something (sending threatening emails or sexually oriented material via my system) which affects my company, or my employers, legally.
6  If they are so good at their job that they have time to surf the web, they'll eventually get so bored they'll look for more productive ways to use their time.
7  If they are NOT so good at their job, it will be noticeable (see #4) and I can take steps over productivity.

and THAT will not cause any issues with other employees, like censoring emails or web trafficking. The issue again is Big Brother-ism, not ignoring illegal practices.

Richard

######################################################################
Richard A. Hill          ICE Networking Systems          rhill@icenetsys.com
"If you know what's good for you, you do NOT know what is good for me"
"Freedom is a touchy issue when every touch takes some away".
######################################################################

From owner-firewalls-outgoing Tue May 6 06:10:10 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id GAA08938 for firewalls-outgoing; Tue, 6 May 1997 06:08:27 -0700 (PDT) Received: from truth.mccallie.chattanooga.tn.us (truth.mccallie.chattanooga.tn.us [205.244.24.2]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id GAA08931 for ; Tue, 6 May 1997 06:08:21 -0700 (PDT) Received: from elewis.mccallie.chattanooga.tn.us (elewis.mccallie.chattanooga.tn.us [205.244.24.27]) by truth.mccallie.chattanooga.tn.us (8.6.11/8.6.9) with SMTP id JAA12868 for ; Tue, 6 May 1997 09:10:47 -0400 Message-Id: <3.0.1.32.19970506091057.0071143c@205.244.24.2> X-Sender: elewis@205.244.24.2 X-Mailer: Windows Eudora Pro Version 3.0.1 (32) Date: Tue, 06 May 1997 09:10:57 -0400 To: firewalls@GreatCircle.COM From: Elise Lewis Subject: RE: Need to restrict http://www.nude.com and such Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Microsoft's Internet Explorer works with ratings supplied by RSACi. As I understand it, this is all part of the PICS initiative. But if you block at all, IE blocks all unrated sites as well as sites whose ratings put them in categories you want to block.
Further info on PICS: http://www.w3.org/pub/WWW/PICS/
Further info on RSACi: http://www.rsac.org/index.cfm

Elise Lewis elewis@mccallie.chattanooga.tn.us
Information Systems Director, The McCallie School
500 Dodds Avenue, Chattanooga, TN 37404
423-493-5885 (voice) 423-629-2852 (fax)

From owner-firewalls-outgoing Tue May 6 06:24:50 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id FAA06942 for firewalls-outgoing; Tue, 6 May 1997 05:39:12 -0700 (PDT) Received: from hq.si.net (hq.si.net [192.156.192.10]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id FAA06878 for ; Tue, 6 May 1997 05:38:51 -0700 (PDT) Received: from hq.si.net (hq [192.156.192.10]) by hq.si.net (8.8.5/8.7.3) with SMTP id IAA13079; Tue, 6 May 1997 08:42:41 -0400 (EDT) Date: Tue, 6 May 1997 08:42:41 -0400 (EDT) From: Ming Lu To: "Marc D. Jackson" cc: Eric.Deschamps@France.Sun.COM, dechon@CS.Stanford.EDU, Jerald.Josephs@Ebay.Sun.COM, firewalls@GreatCircle.COM, fw-1-mailinglist@us.checkpoint.com, drexx@pspi.com.ph Subject: Re: [FW1] [FW-1] [Solaris 2.6] DHCP, VLSM thoughts In-Reply-To: <199705051842.LAA09206@Xenon.Stanford.EDU> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

On Mon, 5 May 1997, Marc D. Jackson wrote:
> Eric Deschamps writes:
> > > > > 2] How will VLSM make firewalling administration any easier/better ?
> > > > >
> > > > No, but it will make it easier to subnet your intranet without
> > > > losing precious IP addresses to a subnet without enough
> > > > hosts to use all of the addresses.
> > >
> > > ? I don't understand this last sentence. My exposure to VLSM indicates
> > > that it has nothing to do with subnetting your intranet. I ran into
> > > this problem when trying to route with rip. Specifically, Sun's
> > > implementation of the routing socket interface is not the industry
> > > standard.
> > > In other words, when you use a Sun machine as a multi-homed
> > > host with subnetted networks the rip updates are incorrect. The routers
> > > that we used had no problems at all in dealing with the subnetted
> > > networks, therefore while we were able to subnet our intranet we had
> > > problems with using Suns as any type of router.
> > >
> > > mj
> >
> > Marc,
> >
> > It seems that VLSM stands for "variable-length subnet mask", so it looks like
> > it has to do with subnetting your intranet. RIP has no knowledge of subnet
>
> Perhaps this is a problem with terminology. On one machine if I have
> 192.168.100.33, 192.168.100.66, 192.168.100.97 all with the subnet mask
> 255.255.255.224 the rip updates from the machine contain information
> about the various subnets. This would indicate to me that "RIP" *does*
> understand subnetting. Are you saying that the packets on port 520 are
> *not* RIP updates?
>
> mj
>

RIP does understand "traditional" subnet masks (classful), but not VLSM.
mlu

From owner-firewalls-outgoing Tue May 6 06:39:59 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id GAA11060 for firewalls-outgoing; Tue, 6 May 1997 06:32:17 -0700 (PDT) Received: from gw.genre.com (genre.com [204.149.79.2]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id GAA11029 for ; Tue, 6 May 1997 06:32:09 -0700 (PDT) From: ygerman@genre.com Received: by gw.genre.com id AA12071 (General Re Group SMTP Gateway 3.0 for firewalls@greatcircle.com); Tue, 6 May 1997 09:34:05 -0400 Received: by gw.genre.com (Internal Mail Agent-1); Tue, 6 May 1997 09:34:05 -0400 X-Lotus-Fromdomain: GRN@INTERNET To: firewalls@greatcircle.com Message-Id: <8525648F.0049CA6C.00@grcstm-nt07.genre.com> Date: Tue, 6 May 1997 09:30:22 -0400 Subject: RE: Need to restrict http://www.nude.com and such Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Yury German@GRN 05/06/97 09:30 AM

Does anyone know about how the rating advisory works and if by changing the advisory in the browser someone would be able to simulate the content advisor through a local web/content server for other sites?

> The Microsoft Content Advisor only works with sites that
> have a registered Content ID applied to the HTML.
> Sorry for the lack of facts and links to references but for the content advisor to work properly the HTMLer needs to submit their Webpage to a Content Advisory
> Committee and they determine what rating it is given.
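The two messages above (Elise Lewis on IE blocking unrated sites, Yury German asking how the rating advisory works) describe the PICS/RSACi mechanism without showing the label format. The following is an added example, not code from any list member: it parses a PICS-1.1 label embedded in a page's `<META http-equiv="PICS-Label">` tag, reads the four RSACi categories (n, s, v, l, each 0 to 4) and applies a ceiling-based policy in which an unrated page is blocked unless the administrator opts to allow it. The sample pages, the `RSACI_STRICT` policy and all function names are constructed for this example.

```python
import re

# RSACi service URL and category letters as used in RSACi PICS labels.
RSACI_SERVICE = "http://www.rsac.org/ratingsv01.html"
RSACI_CATEGORIES = {"n": "nudity", "s": "sex", "v": "violence", "l": "language"}
RSACI_STRICT = {"n": 0, "s": 0, "v": 0, "l": 0}   # example policy: nothing above level 0

# PICS-1.1 label options that take one argument; "l"/"labels" are bare keywords.
_VALUE_OPTIONS = {"at", "by", "comment", "complete", "exp", "extension", "for",
                  "full", "gen", "generic", "MIC-md5", "md5", "on", "signature-PKCS"}

_META_RE = re.compile(
    r"<meta\s+http-equiv=[\"']PICS-Label[\"']\s+content=([\"'])(.*?)\1",
    re.IGNORECASE | re.DOTALL)


def _tokenize(text):
    # A label is a parenthesised list of bare words, numbers and "quoted strings".
    return re.findall(r'\(|\)|"[^"]*"|[^\s()"]+', text)


def _parse_list(tokens, pos):
    """Parse tokens after an opening paren; return (nested list, index after ')')."""
    items = []
    while pos < len(tokens):
        tok = tokens[pos]
        if tok == "(":
            sub, pos = _parse_list(tokens, pos + 1)
            items.append(sub)
        elif tok == ")":
            return items, pos + 1
        else:
            items.append(tok[1:-1] if tok.startswith('"') else tok)
            pos += 1
    raise ValueError("unbalanced parentheses in PICS label")


def parse_pics_label(label_text):
    """Return {'service': url, 'for': url-or-None, 'ratings': {category: level}}."""
    tokens = _tokenize(label_text)
    if not tokens or tokens[0] != "(":
        raise ValueError("PICS label must start with '('")
    items, _ = _parse_list(tokens, 1)
    if len(items) < 2 or items[0] != "PICS-1.1":
        raise ValueError("not a PICS-1.1 label")
    label = {"service": items[1], "for": None, "ratings": {}}
    i = 2
    while i < len(items):
        tok = items[i]
        if tok in ("r", "ratings"):
            pairs = items[i + 1]
            if not isinstance(pairs, list) or len(pairs) % 2:
                raise ValueError("malformed ratings list")
            label["ratings"] = {pairs[j]: float(pairs[j + 1]) for j in range(0, len(pairs), 2)}
            i += 2
        elif tok == "for":
            label["for"] = items[i + 1]
            i += 2
        elif tok in _VALUE_OPTIONS:
            i += 2          # skip the option and its single argument
        else:
            i += 1          # bare option such as "l"
    return label


def content_advisor(html, limits, allow_unrated=False):
    """Decide ("allow"|"block", reason) the way a ceiling-based browser policy does.
    The label is a self-label sent by the site itself, so this is only as honest
    as the publisher; that is why the unrated case matters."""
    m = _META_RE.search(html)
    if not m:
        return ("allow" if allow_unrated else "block", "unrated")
    label = parse_pics_label(m.group(2))
    if label["service"] != RSACI_SERVICE:
        return ("allow" if allow_unrated else "block", "unknown rating service")
    for cat, ceiling in limits.items():
        level = label["ratings"].get(cat)
        if level is None:
            return ("allow" if allow_unrated else "block", f"no {RSACI_CATEGORIES.get(cat, cat)} rating")
        if level > ceiling:
            return ("block", f"{RSACI_CATEGORIES.get(cat, cat)} level {int(level)} exceeds {ceiling}")
    return ("allow", "within limits")


# Constructed sample pages (not real sites' labels).
SAMPLE_UNRATED = "<html><head><title>no label</title></head><body>hi</body></html>"
SAMPLE_RATED_OK = """<html><head>
<META http-equiv="PICS-Label" content='(PICS-1.1 "http://www.rsac.org/ratingsv01.html"
 l gen true comment "RSACi North America Server" by "webmaster@example.org"
 for "http://www.example.org/" on "1997.05.06T09:10-0400" r (n 0 s 0 v 0 l 0))'>
</head><body>clean</body></html>"""
SAMPLE_RATED_HIGH = SAMPLE_RATED_OK.replace("r (n 0 s 0 v 0 l 0)", "r (n 3 s 2 v 0 l 1)")
```

`content_advisor(SAMPLE_UNRATED, RSACI_STRICT)` blocks with reason `unrated`, which is the behaviour Elise describes; passing `allow_unrated=True` lets the same page through, and the rated samples are allowed or blocked purely on the levels the page itself asserts.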
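Ming Lu's point in the VLSM exchange above (RIP understands classful subnet masks but not VLSM) follows from the fact that a RIP-1 update carries destination addresses with no mask. The added example below, not code from any list member, models the RFC 1058 receive rule: a destination in the same classful network as the receiving interface gets that interface's mask, leftover host bits make it a host route, and anything else gets the classful mask. Marc's three /27 subnets survive this because the receiving interface is also a /27; the same address space cut into /28s does not. The receiver's interface address 192.168.100.130/27 is an assumption for the example.

```python
import ipaddress

# Assumed receiver: a RIP-1 router whose interface on the shared LAN is a /27,
# the same mask as Marc's subnets. The address itself is hypothetical.
RECEIVER_IFACE = ipaddress.IPv4Interface("192.168.100.130/27")


def classful_network(addr):
    """The class A/B/C network an address belongs to (all RIP-1 can assume with no mask)."""
    first_octet = int(ipaddress.IPv4Address(addr)) >> 24
    prefixlen = 8 if first_octet < 128 else 16 if first_octet < 192 else 24
    return ipaddress.ip_network(f"{addr}/{prefixlen}", strict=False)


def infer_ripv1_route(advertised, receiving_iface=RECEIVER_IFACE):
    """Apply the RFC 1058 receive rule to a mask-less RIP-1 destination and return
    the network the receiver installs."""
    adv = ipaddress.IPv4Address(advertised)
    cls = classful_network(advertised)
    if cls != classful_network(str(receiving_iface.ip)):
        return cls                                   # foreign network: classful mask
    candidate = ipaddress.ip_network(
        f"{advertised}/{receiving_iface.network.prefixlen}", strict=False)
    if candidate.network_address != adv:
        return ipaddress.ip_network(f"{advertised}/32")   # host bits set: host route
    return candidate                                 # same network: interface's mask


def check_vlsm(sender_subnets, receiving_iface=RECEIVER_IFACE):
    """Advertise each subnet as RIP-1 does (network address only) and report
    (true subnet, what the receiver installs, whether they match)."""
    report = []
    for cidr in sender_subnets:
        true_net = ipaddress.ip_network(cidr)
        installed = infer_ripv1_route(str(true_net.network_address), receiving_iface)
        report.append((str(true_net), str(installed), installed == true_net))
    return report


if __name__ == "__main__":
    # Marc's case: three /27s, same mask as the receiving interface, all correct.
    for row in check_vlsm(["192.168.100.32/27", "192.168.100.64/27", "192.168.100.96/27"]):
        print(row)
    # VLSM: the .96 block cut into two /28s; the receiver mis-installs both.
    for row in check_vlsm(["192.168.100.96/28", "192.168.100.112/28"]):
        print(row)
```

In the VLSM case 192.168.100.96/28 is installed as 192.168.100.96/27 (too wide) and 192.168.100.112/28 becomes a host route 192.168.100.112/32, so hosts .113 to .126 are unreachable via that route. Marc's observation that the updates on port 520 describe his subnets and Ming Lu's statement are both right: the information is there only because every mask involved is identical.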
From owner-firewalls-outgoing Tue May 6 06:42:40 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id FAA05457 for firewalls-outgoing; Tue, 6 May 1997 05:23:41 -0700 (PDT) Received: from firewall.centro.org (firewall.centro.org [207.127.155.130]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id FAA05432 for ; Tue, 6 May 1997 05:23:26 -0700 (PDT) Received: by firewall.centro.org; id HAA10406; Tue, 6 May 1997 07:58:14 -0400 (EDT) Received: from centro.org(207.127.155.21) by firewall.centro.org via smap (V3.1.1) id xma010404; Tue, 6 May 97 07:58:11 -0400 Received: by centro-02.centro.org with SMTP (Microsoft Exchange Server Internet Mail Connector Version 4.0.993.5) id <01BC59F6.E0A72AD0@centro-02.centro.org>; Tue, 6 May 1997 08:24:12 -0400 Message-ID: From: "Rajunas, John" To: "'firewalls@GreatCircle.COM'" Subject: FW: Need to restrict http://www.nude.com and such Date: Tue, 6 May 1997 08:24:11 -0400 X-Mailer: Microsoft Exchange Server Internet Mail Connector Version 4.0.993.5 MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Here is my 2 cents on this subject:

It is the responsibility of Company management to define a policy in which its employees function and decide how that policy will be implemented. At CNYRTA, we have a written users policy that specifically forbids the access of pornographic or offensive material, or any material which a co-worker may find offensive. This policy is enforced 2 ways. First, as MIS Manager, I implement our http: access policy using our firewall system. I do not restrict any site, but I log all outbound http requests and can review that log from time to time.
If I see a dramatic increase in access to what I believe are pornographic sites, I send an e-mail to all users stating this increase and remind them of the policy and the punishment for its violation (which includes termination). Therefore, the company has proper documentation that the behavior is not acceptable and that all employees are notified on the occasion of first getting network access, and again when an increase in restricted activity is detected. After the e-mail, activity tends to drop off. Second, I take the time to remind the managers and employees at all levels why the company has made the investment to have access to the Internet, and train network users in the proper business use of the access. Luckily, I work for a relatively small company, so this plan is fairly easy to implement.

I believe it is unreasonable for network professionals to be asked to become the "thought police" for an organization. However, we are the providers of necessary tools, and it falls to us to ensure the tool is used to the benefit of the organization.

John B. Rajunas
MIS Manager
Central NY Regional Transportation Authority
Syracuse, NY USA

>----------
>From: Ziv Dascalu[SMTP:ziv@AbirNet.com]
>Sent: Tuesday, May 06, 1997 9:18 AM
>To: Richard A. Hill; firewalls@GreatCircle.COM
>Subject: Re: Need to restrict http://www.nude.com and such
>
>
>--- On Tue, 06 May 1997 02:13:13 -0400 "Richard A. Hill"
> wrote:
>>
>> Well, I'll add my two cents worth in brief.
>> Unless you are experiencing complaints of email-harassment, or you have
>> incidents of "offensive" material being displayed to persons who do not wish
>> to see it, It is ALWAYS going to cost more in time and energy to play
>> fascist, than you will save.
>> I have a personal dislike for any kind of censorship that is not
>> specifically aimed at curbing harassment.
>> I feel that if your employees,
>> co-workers, or whatever are being productive and doing their jobs at
>> expected (or better) levels, then you are getting what you pay them for.
>> Enough ! Their privacy overrules any squeamish desire of yours to play Papa.
>> (or Mama ..)
>>
>> Over the last year, I watched a harassment accusation at a former employer's
>> almost blow up into an expensive court case, but for some common sense from
>> a judge:
>> "You say he has offensive materials on the walls of his office?"
>> "yes"
>> "Do you work in his office ?"
>> "no"
>> "Can you see this material from outside the office ?"
>> "no"
>> "Do you ever have to go into his office as part of your job, or has he
>> ever asked you into his office ?"
>> "no"
>> "Well then; I think I have the solution. Don't go into his office"
>> "But I don't think he should have those pictures on the walls"
>> "And I don't think this case belongs in court, but we can't get all we
>> want, now can we."
>> {Above is very close to actual dialogue}
>>
>> By all means, set up logging and tracking procedures to be used if a
>> harassment or similar complaint is brought, as well as evidencing a policy
>> of not tolerating sexual bullies, but stay out of other people's lives as
>> much as possible. As has already been said, if you are editing content, you
>> risk being held responsible for what you let through, as much as what you do
>> not.
>>
>> I know this goes against our growing "Big-Brother" syndrome of protecting
>> people against themselves, but I'll always choose freedom over order
>>
>>
>> Richard
>>
>
>WWW browsing may create a situation where the company site name will be logged on
>a publicly accessed list of sites that have accessed that specific site.
>some want to prevent this.
>on NNTP posting there is a liability for the employer for what postings are done by
>his employees
>
>Ziv Dascalu
>ABIRNET Active Network Protection http://www.AbirNet.com
>
>

From owner-firewalls-outgoing Tue May 6 07:55:46 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id HAA20667 for firewalls-outgoing; Tue, 6 May 1997 07:41:28 -0700 (PDT) Received: from hanshan.bbnplanet.com (hanshan.bbnplanet.com [199.94.209.143]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id HAA20658 for ; Tue, 6 May 1997 07:41:23 -0700 (PDT) From: pnash@hanshan.bbnplanet.com Received: (qmail 17923 invoked by uid 1001); 6 May 1997 14:43:32 -0000 Message-ID: <19970506144332.17922.qmail@hanshan.bbnplanet.com> Subject: Re: Config Files To: davidal@moloc.cps.unizar.es (David Alayeto Salvador) Date: Tue, 6 May 1997 10:43:32 -0400 (EDT) Cc: firewalls@GreatCircle.COM In-Reply-To: from "David Alayeto Salvador" at May 6, 97 08:53:26 am X-Mailer: ELM [version 2.4 PL25] Content-Type: text Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

>
> I would like to see some examples of some of the configuration files
> needed to set up a firewall properly.
>

Brent Chapman has a book out through O'Reilly Associates entitled "Building Internet Firewalls" which is pretty good. Cheswick & Bellovin also have a great book out. You can also get Brent to come out to your site to do some consulting, etc. He's a pretty good speaker although I think he can tighten up his firewall a little more, but then that's just me.

-Paul
----
Paul Nash I speak for myself, not for my employer.
BBN Planet (617) 873-6604 pnash@bbnplanet.com

From owner-firewalls-outgoing Tue May 6 08:10:03 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id HAA21539 for firewalls-outgoing; Tue, 6 May 1997 07:54:04 -0700 (PDT) Received: from igwpc5.paribas.com ([155.140.123.60]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id HAA21532 for ; Tue, 6 May 1997 07:53:58 -0700 (PDT) Received: from igwpc4.paribas.com (155.140.123.61) by igwpc5.paribas.com (Integralis SMTPRS 1.51) with SMTP id ; Tue, 06 May 1997 14:34:07 +0000 Received: from ccMail by igwpc4.paribas.com (IMA Internet Exchange 2.01 Enterprise) id 36F402B0; Tue, 6 May 97 15:28:59 +0100 MIME-Version: 1.0 Date: Tue, 6 May 1997 15:07:06 +0100 Message-Id: <36F402B0.@paribas.com> From: Francois_ARCASEDDA@paribas.com (Francois ARCASEDDA) Subject: chat tcp/ip ports To: firewalls@greatcircle.com Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit Content-Description: cc:Mail note part Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Hello there,

What are the tcp/udp ports involved in the chat protocol ?
What shall we open to be able to use MS netmeeting ?

Best regards
Francois ARCA-SEDDA
Banque PARIBAS London.
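John Rajunas's approach in his message above (log every outbound HTTP request, review the log for a dramatic increase in hits on sites the administrator considers out of policy, then remind everyone of the policy) is a detection procedure that is easy to automate. The block below is an added example, not code from any list member: it parses a constructed proxy-style log, counts per-day hits on a hypothetical watch list (using the thread's own www.nude.com), and flags a day whose count is both at least `min_hits` and at least `factor` times the mean of the earlier days, which is one concrete reading of "dramatic increase". The log format, the watch list and the thresholds are all assumptions.

```python
import re
from urllib.parse import urlsplit

# Constructed sample of an outbound-HTTP log, one request per line. The
# "date time client method url" layout is assumed, not the poster's real log.
SAMPLE_LOG = """\
1997-05-01 09:12:03 10.1.2.15 GET http://www.w3.org/pub/WWW/PICS/
1997-05-01 12:40:11 10.1.2.20 GET http://www.nude.com/index.html
1997-05-02 08:05:44 10.1.2.15 GET http://www.rsac.org/index.cfm
1997-05-02 13:22:09 10.1.2.31 GET http://www.nude.com/pics/1.jpg
1997-05-05 09:00:01 10.1.2.20 GET http://www.nude.com/
1997-05-05 09:00:05 10.1.2.20 GET http://www.nude.com/a.html
1997-05-05 10:11:12 10.1.2.31 GET http://www.nude.com/b.html
1997-05-05 11:11:12 10.1.2.33 GET http://WWW.NUDE.COM:80/c.html
1997-05-05 14:11:12 10.1.2.15 GET http://www.nude.com/d.html
1997-05-05 15:11:12 10.1.2.20 GET http://www.nude.com/e.html
"""

# Hostnames the administrator treats as policy violations (hypothetical list);
# subdomains of a listed name match too.
WATCH_LIST = {"nude.com"}

LOG_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}) \d{2}:\d{2}:\d{2} (\S+) [A-Z]+ (\S+)$")


def watched(host):
    host = host.lower().rstrip(".")
    return any(host == w or host.endswith("." + w) for w in WATCH_LIST)


def parse_log(text):
    """Return (day, client, host) for every well-formed line; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        day, client, url = m.groups()
        host = urlsplit(url).hostname or ""      # lower-cased, port stripped
        records.append((day, client, host))
    return records


def daily_watch_counts(records):
    """Hits on watch-listed hosts per day, keyed by ISO date string."""
    counts = {}
    for day, _, host in records:
        if watched(host):
            counts[day] = counts.get(day, 0) + 1
    return counts


def flag_increases(counts, factor=2.0, min_hits=5):
    """Days whose count is at least `min_hits` and at least `factor` times the
    mean of all earlier days present in the log (days with zero hits do not
    appear in `counts`, so the baseline is over logged days only)."""
    flagged, seen = [], []
    for day in sorted(counts):
        n = counts[day]
        if seen and n >= max(min_hits, factor * sum(seen) / len(seen)):
            flagged.append(day)
        seen.append(n)
    return flagged


if __name__ == "__main__":
    counts = daily_watch_counts(parse_log(SAMPLE_LOG))
    print(counts)                      # {'1997-05-01': 1, '1997-05-02': 1, '1997-05-05': 6}
    print(flag_increases(counts))      # ['1997-05-05']
```

The aggregate is deliberately per day rather than per client, matching the poster's practice of mailing everyone rather than naming individuals; the per-client records are still there in `parse_log`'s output if a formal complaint later requires them.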
From owner-firewalls-outgoing Tue May 6 08:25:38 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id HAA21639 for firewalls-outgoing; Tue, 6 May 1997 07:56:01 -0700 (PDT) Received: from pdx.com.my (pdx.com.my [192.228.144.1]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id HAA21581 for ; Tue, 6 May 1997 07:55:40 -0700 (PDT) Received: from wsm.pdx.com.my by pdx.com.my with smtp (Smail3.1.29.1 #3) id m0wOlbX-000BGNC; Tue, 6 May 97 22:52 GMT+0800 Message-ID: <336F470E.21EA@pdx.com.my> Date: Tue, 06 May 1997 22:58:22 +0800 From: Wong Organization: CSNet X-Mailer: Mozilla 3.0Gold (Win95; I) MIME-Version: 1.0 To: firewalls@greatcircle.com Subject: [Fwd: Re: Need to restrict http://www.nude.com and such] Content-Type: message/rfc822 Content-Transfer-Encoding: 7bit Content-Disposition: inline Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Message-ID: <336D3883.751A@pdx.com.my> Date: Mon, 05 May 1997 09:31:47 +0800 From: Wong Organization: CSNet X-Mailer: Mozilla 3.0Gold (Win95; I) MIME-Version: 1.0 To: "Eric V. Smith" CC: dura@geocities.com, ziv@AbirNet.com Subject: Re: Need to restrict http://www.nude.com and such References: <01BC58B0.DF0052C0@carew.windsor.com> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit

Good Morning guys!

Eric V. Smith wrote:
>
> Gabriel Dura said:
>
> < about restricting access to sites based on content >
>
> > The MS Internet Explorer has such an option about restricting the
> > access to violence and pornography... Too bad they have so many security
> > bugs... It could have been successfully used in this case... The idea is
> > good but the implementation is bad...
>
> In what way is the implementation bad? Do you have some facts or pointers you could share?
>
> Eric.

Want to have something to ponder about? Try the website below . . .
http://www.infoworld.com/cgi-bin/displayStory.pl?970424.entfix.htm
http://www.news.com/News/Item/0%2C4%2C10065%2C00.html?nd

If it has no bugs, It isn't a M$@&^Soft product.

http://www5.zdnet.com/zdnn/content/zdnn/0430/zdnn0002.html

Surely, Mr. Smith, you must have heard about your colleagues and friends complaining about security holes in their browser, system hangs, system crashes, etc.

From owner-firewalls-outgoing Tue May 6 08:39:08 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id HAA21060 for firewalls-outgoing; Tue, 6 May 1997 07:45:26 -0700 (PDT) Received: from namsa.nato.int (ddnfw0.namsa.nato.int [147.36.201.2]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id HAA20939 for ; Tue, 6 May 1997 07:44:51 -0700 (PDT) Received: by ddnfw0.namsa.nato.int id <17031-1>; Tue, 6 May 1997 16:49:53 +0100 Message-Id: <97May6.164953gmt+0100.17031-1@ddnfw0.namsa.nato.int> Date: Tue, 6 May 1997 15:48:19 +0100 From: Thierry GUINET X-Mailer: Mozilla 3.0 (X11; I; HP-UX A.09.05 9000/735) Mime-Version: 1.0 To: firewalls@GreatCircle.COM Subject: Re: Need to restrict http://www.nude.com and such References: <3.0.1.32.19970506091057.0071143c@205.244.24.2> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

If I may add my $.02, why not have a look at Secure Computing's SmartFilter. We are using it and are pretty happy with the quality of the product.

Cheers,
Thierry
--
Thierry Guinet IS Security Officer, Namsa Luxembourg
T.Guinet@namsa.nato.int Phone: +352/30.63-6812 Fax: +352/30.87.21
In order to create an apple pie from scratch, you must first create the universe.
Carl Sagan

From owner-firewalls-outgoing Tue May 6 08:39:49 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id IAA26298 for firewalls-outgoing; Tue, 6 May 1997 08:34:06 -0700 (PDT) Received: from brimstone.rnb.com (brimstone.rnb.com [204.178.80.14]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id IAA26279 for ; Tue, 6 May 1997 08:33:57 -0700 (PDT) Received: by brimstone.rnb.com; id LAA05157; Tue, 6 May 1997 11:36:16 -0400 Received: from relay.rnb.com(199.99.101.2) by brimstone.rnb.com via smap (3.2) id xma004959; Tue, 6 May 97 11:35:55 -0400 Received: from monarch.rnb.com (monarch [150.1.29.115]) by relay.rnb.com (8.8.5/8.8.4) with SMTP id LAA16468 for ; Tue, 6 May 1997 11:35:54 -0400 (EDT) Comments: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Comments: Internet Message: Sender identity is not verified. Comments: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Message-ID: X-Mailer: XFMail 1.1 [p0] on Solaris Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 8bit MIME-Version: 1.0 Date: Tue, 06 May 1997 11:30:24 -0400 (EDT) Organization: Republic National Bank From: Ken Kempster To: firewalls Subject: Communication requirements for Compuserve Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Does anyone know what the communication requirements are for passing Compuserve's app. ver. 3.02 through a firewall? What are the service port requirements? thanx.
|~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~|
| Ken Kempster kempster@monarch.rnb.com |
| Network Systems Engineer _\|/_ |
| Republic National Bank (o o) |
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~oOO-(_)-OOo~~~~~~~~~~~~~~

From owner-firewalls-outgoing Tue May 6 09:29:36 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id IAA26990 for firewalls-outgoing; Tue, 6 May 1997 08:39:08 -0700 (PDT) Received: from noah.minimed.com ([206.149.231.14]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id IAA26963 for ; Tue, 6 May 1997 08:38:55 -0700 (PDT) Received: from ceres.minimed.com by noah.minimed.com (SMI-8.6/SMI-SVR4) id IAA05184; Tue, 6 May 1997 08:38:35 -0700 Received: from martinb by ceres.minimed.com (SMI-8.6/SMI-SVR4) id IAA03935; Tue, 6 May 1997 08:39:47 -0700 Message-Id: <2.2.32.19970506153931.006ca6d8@ceres+> X-Sender: martinb@ceres+ X-Mailer: Windows Eudora Pro Version 2.2 (32) Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Date: Tue, 06 May 1997 08:39:31 -0700 To: firewalls@greatcircle.com From: Martin Brooks Subject: Firewall platform Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Hello,

We are looking at purchasing a Firewall which will also support encrypted domains. But, I am a little unsure about what to spec for a platform. I was thinking of a Sparc 20 with 64MB of memory. Do you think I need more CPU power ?
Thanks
-Martin

From owner-firewalls-outgoing Tue May 6 09:39:10 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id IAA27638 for firewalls-outgoing; Tue, 6 May 1997 08:43:58 -0700 (PDT) Received: from scribe.cc.purdue.edu (scribe.cc.purdue.edu [128.210.11.6]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id IAA27629 for ; Tue, 6 May 1997 08:43:50 -0700 (PDT) Received: from ia01.freh.purdue.edu by scribe.cc.purdue.edu; Tue, 6 May 97 10:46:15 -0500 Comments: Authenticated sender is From: "Michael S Hines" Organization: Purdue University To: firewalls@GreatCircle.COM Date: Tue, 6 May 1997 10:47:50 -0500 MIME-Version: 1.0 Content-type: text/plain; charset=US-ASCII Content-transfer-encoding: 7BIT Subject: Re: Config Files Reply-to: mshines@purdue.edu X-mailer: Pegasus Mail for Win32 (v2.42) Message-Id: <336f5248332f002@scribe.cc.purdue.edu> Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

> From: pnash@hanshan.bbnplanet.com
> Subject: Re: Config Files
> To: davidal@moloc.cps.unizar.es (David Alayeto Salvador)
> Date: Tue, 6 May 1997 10:43:32 -0400 (EDT)
> Cc: firewalls@GreatCircle.COM

David Alayeto Salvador says....
> >
> > I would like to see some examples of some of the configuration files
> > needed to set up a firewall properly.
> >

Paul Nash says....
>
> Brent Chapman has a book out through O'Reilly Associates entitled
> "Building Internet Firewalls" which is pretty good. Cheswick & Bellovin
> also have a great book out. You can also get Brent to come out to your
> site do some consulting, etc. He's a pretty good speaker although I
> think he can tighten up his firewall a little more, but then that's just
> me.

"The Internet at 56K and Up" from O'Reilly also has some examples. [funny how that O'Reilly name keeps coming up, eh?]

Still though, doesn't your firewall configuration depend upon your security policies? This will vary by organization I would think.
Actually (in a recent article in April EDPACS) I suggest auditing from the firewall / router table back to policy to test for compliance to policy....since the firewall / router table represents security as it is actually being enforced. The question I wished to raise with this approach is how many technicians are setting access policy?

-----------------------------------------------------------------
Internet: mshines@purdue.edu * Michael S. Hines, CDP, CFE
Voice: (765) 494-5845 * Sr. Information Systems Auditor
FAX: (765) 496-1814 * Purdue University
if AC 765 doesn't work, try 317 * 1065 Freehafer Hall
* West Lafayette, IN 47907-1065
All views are my own and do not reflect Purdue University policy.

From owner-firewalls-outgoing Tue May 6 09:56:30 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id IAA29065 for firewalls-outgoing; Tue, 6 May 1997 08:52:39 -0700 (PDT) Received: from gatekeeper.eastman.com (gatekeeper.eastman.com [164.89.253.3]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id IAA29017 for ; Tue, 6 May 1997 08:52:28 -0700 (PDT) Received: by gatekeeper.eastman.com; id LAA27967; Tue, 6 May 1997 11:58:09 -0400 (EDT) Received: from emngw1.eastman.com(164.89.254.2) by gatekeeper.eastman.com via smap (3.2) id xma027926; Tue, 6 May 97 11:57:56 -0400 Received: by eastman.com id AA13809 (5.67b/IDA-1.5 for firewalls@greatcircle.com); Tue, 6 May 1997 11:55:27 -0400 Received: from ntmcon01.emn.com by eastman.com with SMTP id AA44014 (5.67b/SMI-4.1 for ); Tue, 6 May 1997 11:55:27 -0400 Received: by ntmcon01.emn.com with SMTP (Microsoft Exchange Server Internet Mail Connector Version 4.0.994.63) id <01BC5A14.6A5AC2B0@ntmcon01.emn.com>; Tue, 6 May 1997 11:55:38 -0400 Message-Id: From: Owens Blaine To: "'Francois_ARCASEDDA@paribas.com'" , "'firewalls@greatcircle.com'" Subject: RE: chat tcp/ip ports Date: Tue, 6 May 1997 11:53:27 -0400 X-Mailer: Microsoft Exchange Server Internet Mail Connector Version
4.0.994.63 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Port 6667

Blaine Owens
bowens@eastman.com

>-----Original Message-----
>From: Francois_ARCASEDDA@paribas.com [SMTP:Francois_ARCASEDDA@paribas.com]
>Sent: Tuesday, May 06, 1997 10:07 AM
>To: firewalls@greatcircle.com
>Subject: chat tcp/ip ports
>
> Hello there,
>
> What are the tcp/udp ports involved in the chat protocol ?
> What shall we open to be able to use MS netmeeting ?
>
> Best regards
> Francois ARCA-SEDDA
> Banque PARIBAS London.

From owner-firewalls-outgoing Tue May 6 10:28:33 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id KAA07419 for firewalls-outgoing; Tue, 6 May 1997 10:02:42 -0700 (PDT) Received: from proof.rain.fr (proof.rain.fr [194.51.3.65]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id KAA07399 for ; Tue, 6 May 1997 10:02:35 -0700 (PDT) Received: from pc1.ecritel.fr (pc1.ecritel.fr [193.105.29.1]) by proof.rain.fr (8.8.5/8.8.5) with SMTP id TAA04810 for ; Tue, 6 May 1997 19:13:08 +0200 (MET DST) Received: from ppp3e.ecritel.fr by pc1.ecritel.fr id aa13899; 6 May 97 19:04 METDST From: philippe fournier To: Firewalls@greatcircle.com MMDF-Warning: Parse error in original version of preceding line at pc1.ecritel.fr Subject: Re: Firewalls-Digest V6 #191 Date: Tue, 6 May 1997 19:03:25 +0200 X-MSMail-Priority: Normal X-Priority: 3 X-Mailer: Microsoft Internet Mail 4.70.1155 MIME-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit Message-ID: <9705061904.aa13899@pc1.ecritel.fr> Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

PLEASE STOP SENDING ME MAIL
PLEASE STOP SENDING ME MAIL
PLEASE STOP SENDING ME MAIL
PLEASE STOP SENDING ME MAIL
>

From owner-firewalls-outgoing Tue May 6 11:08:38 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id JAA05585 for firewalls-outgoing; Tue, 6 May 1997 09:42:24 -0700 (PDT) Received: from ftp.com (ftp.com
[128.127.2.122]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id JAA05578 for ; Tue, 6 May 1997 09:42:18 -0700 (PDT) Received: from ftp.com by ftp.com ; Tue, 6 May 1997 12:44:47 -0400 Received: from mailserv-2high.ftp.com by ftp.com ; Tue, 6 May 1997 12:44:47 -0400 Received: from nepal.ftp.com by MAILSERV-2HIGH.FTP.COM (SMI-8.6/SMI-SVR4) id MAA17131; Tue, 6 May 1997 12:41:28 -0400 Message-Id: <199705061641.MAA17131@MAILSERV-2HIGH.FTP.COM> X-Mapi-Messageclass: IPM To: firewalls@greatcircle.com Cc: mgagne@ftp.com X-Mailer: FTP Software Internet Mail 2.0 Mime-Version: 1.0 From: Shishir belbase Subject: Quick Question regarding CISCO load balancing ! Date: Tue, 06 May 1997 12:52:27 -0400 Content-Type: text/plain; charset=US-ASCII; X-MAPIextension=".TXT" Content-Transfer-Encoding: quoted-printable Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Any help in this subject would be appreciated.

I have a scenario where the client PCs are receiving out of sequence packets and I am wondering what I can do to solve the problem. Local token Ring LAN has a CISCO 4000 router with two redundant outgoing Frame Relay links. Once the load increases on one FR interface, the router will start sending packets through the other FR interface. One FR link is slower than the other one. No problem. However, the client PC on the other (receiving) side has only one "out of sequence packet" buffer available and can only keep track of only one out of sequence packet.

Token Ring------CISCO----------FR Cloud------------------------------------------------------CISCO---Token Ring LAN
                  |                                                                            |
                  |-----------FR Cloud----------------------------------------------------------|

My question is this. Is there any way to configure the CISCO router so that it sends packets through the same link for established hosts/clients connections ?

Thanks !
From owner-firewalls-outgoing Tue May 6 11:14:52 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id JAA01733 for firewalls-outgoing; Tue, 6 May 1997 09:07:08 -0700 (PDT) Received: from mail1.noc.netcom.net (mail1.noc.netcom.net [204.31.1.150]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id JAA01713 for ; Tue, 6 May 1997 09:06:59 -0700 (PDT) Received: from cayman.gblhorizon.com ([206.86.247.28]) by mail1.noc.netcom.net (8.8.5/8.8.5) with SMTP id JAA16537 for ; Tue, 6 May 1997 09:04:37 -0700 (PDT) Received: by cayman.gblhorizon.com (SMI-8.6/SMI-SVR4) id LAA07191; Tue, 6 May 1997 11:00:23 -0500 Date: Tue, 6 May 1997 11:00:22 -0500 (CDT) From: Ken Jones To: firewalls@greatcircle.com Subject: DNS 4.9.5 hack and patches In-Reply-To: <336F470E.21EA@pdx.com.my> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Anyone hear about a supposed hack to 4.9.5 DNS? I've heard this allows the attacker to change the contents of the DNS cache. One use would be to point the address of a web server to an alternate site.

Any definitive info out there?

Ken Jones
EDB, Inc.

From owner-firewalls-outgoing Tue May 6 11:44:44 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id KAA15337 for firewalls-outgoing; Tue, 6 May 1997 10:58:56 -0700 (PDT) Received: from pino.demon.nl (pino.demon.nl [194.159.226.41]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id KAA15235 for ; Tue, 6 May 1997 10:58:36 -0700 (PDT) Received: from localhost (arjan@localhost) by pino.demon.nl (8.8.4/8.8.4) with SMTP id TAA00997 for ; Tue, 6 May 1997 19:00:44 +0200 Date: Tue, 6 May 1997 19:00:44 +0200 (MET DST) From: Arjan Vos To: firewalls@greatcircle.com Subject: What are these ports???
Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Hi,

Could somebody tell me what the following ports are for and/or whether vulnerabilities are introduced if TCP-connections can be made to them over the Internet??? I already checked out RFC1700 and did searches via Altavista but was unable to find something useful on these ports...

2001 (File Service Protocol or dc?)
4001
9001
1024
1352 (Lotus Notes)

Thanks,
Arjan Vos
--
Eat hard Sleep hard Wear glasses if you need them

From owner-firewalls-outgoing Tue May 6 12:55:20 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id MAA25591 for firewalls-outgoing; Tue, 6 May 1997 12:07:21 -0700 (PDT) Received: from emout16.mail.aol.com (emout16.mx.aol.com [198.81.11.42]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id MAA25525 for ; Tue, 6 May 1997 12:06:58 -0700 (PDT) From: PHATCAPS@aol.com Received: (from root@localhost) by emout16.mail.aol.com (8.7.6/8.7.3/AOL-2.0.0) id PAA27873; Tue, 6 May 1997 15:09:21 -0400 (EDT) Date: Tue, 6 May 1997 15:09:21 -0400 (EDT) Message-ID: <970506150911_-666197069@emout16.mail.aol.com> To: pfournier@pl7conseil.fr, Firewalls@greatcircle.com Subject: Re: Firewalls-Digest V6 #191 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

would someone please tell me how I can get rid of these stupid firewalls things...I hate this. I can't get rid of them..please tell mE!!!!!!!!!!
From owner-firewalls-outgoing Tue May 6 13:10:07 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id NAA02428 for firewalls-outgoing; Tue, 6 May 1997 13:06:46 -0700 (PDT) Received: from hanshan.bbnplanet.com (hanshan.bbnplanet.com [199.94.209.143]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id NAA02383 for ; Tue, 6 May 1997 13:06:32 -0700 (PDT) From: pnash@hanshan.bbnplanet.com Received: (qmail 18373 invoked by uid 1001); 6 May 1997 20:08:28 -0000 Message-ID: <19970506200828.18372.qmail@hanshan.bbnplanet.com> Subject: Re: DNS 4.9.5 hack and patches To: kenj@cayman.gblhorizon.com (Ken Jones) Date: Tue, 6 May 1997 16:08:27 -0400 (EDT) Cc: firewalls@greatcircle.com In-Reply-To: from "Ken Jones" at May 6, 97 11:00:22 am X-Mailer: ELM [version 2.4 PL25] Content-Type: text Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

>
>
> Anyone hear about a supposed hack to 4.9.5 DNS?
> I've heard this allows the attacker to change
> the contents of the DNS cache. One use would be
> to point the address of a web server to an alternate
> site.
>
> Any definitive info out there?

You're probably referring to the ease of guessing the query ID and sending fake responses back to the requesting server.. Steve Bellovin had a paper on this back in '90 as well as someone at Purdue. SNI just put out another paper about this & a buffer overflow if I remember correctly.. They're at http://www.secnet.com/

-Paul
----
Paul Nash I speak for myself, not for my employer.
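Paul Nash's answer above comes down to one number: the 16-bit transaction ID is the only thing a spoofed answer has to match, and if the server hands out IDs predictably the attacker does not have to guess at all. The block below is an added illustration, not code from any list member or from the SNI paper he mentions. It simulates a resolver whose IDs are either sequential or uniformly random, an attacker who learns one live ID (classically by making the victim resolve a name in a zone the attacker serves) and then fires a burst of forged answers, and measures how often the burst covers the victim's next query. It assumes the source port and every other field are predictable, so the ID is the whole guess; the buffer overflow Paul also mentions is a separate defect and is not modelled.

```python
import random

ID_SPACE = 1 << 16            # the DNS transaction ID is a 16-bit field


class Resolver:
    """Hands out query IDs either sequentially (the guessable case) or at random."""
    def __init__(self, strategy, rng):
        self.strategy = strategy
        self.rng = rng
        self.last_id = rng.getrandbits(16)

    def next_id(self):
        if self.strategy == "sequential":
            self.last_id = (self.last_id + 1) % ID_SPACE
        elif self.strategy == "random":
            self.last_id = self.rng.getrandbits(16)
        else:
            raise ValueError(f"unknown strategy {self.strategy!r}")
        return self.last_id


def forged_ids(observed_id, count):
    """IDs stamped on a burst of spoofed answers once the attacker has seen one
    real query ID: it simply bets on the IDs that follow."""
    return {(observed_id + 1 + i) % ID_SPACE for i in range(count)}


def poisoning_rate(strategy, burst=32, trials=2000, seed=7):
    """Fraction of attempts in which one of `burst` spoofed answers carries the
    ID of the victim's next query. Deterministic for a given seed."""
    rng = random.Random(seed)
    resolver = Resolver(strategy, rng)
    hits = 0
    for _ in range(trials):
        observed = resolver.next_id()      # lookup the attacker triggered and can see
        guesses = forged_ids(observed, burst)
        victim = resolver.next_id()        # the lookup the attacker wants to poison
        if victim in guesses:
            hits += 1
    return hits / trials


def expected_random_rate(burst):
    """Per-attempt success probability against uniformly random IDs."""
    return min(burst, ID_SPACE) / ID_SPACE


if __name__ == "__main__":
    print("sequential IDs:", poisoning_rate("sequential"))     # 1.0
    print("random IDs:    ", poisoning_rate("random"))
    print("random, theory:", expected_random_rate(32))         # 32/65536
```

Random IDs only shrink the per-attempt odds to burst/65536; an attacker who can trigger lookups repeatedly keeps trying, so the ID is a speed bump rather than a fix on its own. Randomising the query's source port as well adds a second 16-bit field that the forged answer must also match, which is why the two are usually done together.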
BBN Planet (617) 873-6604 pnash@bbnplanet.com

From owner-firewalls-outgoing Tue May 6 13:10:36 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id LAA18167 for firewalls-outgoing; Tue, 6 May 1997 11:16:42 -0700 (PDT) Received: from smurfland.cit.buffalo.edu (smurfland.cit.buffalo.edu [128.205.10.10]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id LAA18143 for ; Tue, 6 May 1997 11:16:35 -0700 (PDT) Received: (from jcmurphy@localhost) by smurfland.cit.buffalo.edu (8.8.5/8.8.2) id OAA28711; Tue, 6 May 1997 14:19:04 -0400 (EDT) To: firewalls@greatcircle.com Subject: fw1 with lots of sessions Mime-Version: 1.0 (generated by tm-edit 7.105) Content-Type: text/plain; charset=US-ASCII From: Jeff Murphy Date: 06 May 1997 14:19:03 -0400 Message-ID: Lines: 21 X-Mailer: Gnus v5.4.46/XEmacs 20.0 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

looking to hear of experiences by people who use fw1 for the following:

more than 1000 sessions concurrently thru it (authenticated users) using one of: NAT, filtering or proxying.

we'd be interested in hearing about experiences including hardware configurations, performance issues, etc. (this is in regards to the recent datacomm article showing degradation of performance after about 48 clients).
thanks,
jeff
jcmurphy@smurfland.cit.buffalo.edu

The datacomm article is at http://www.data.com/lab_tests/firewalls97.html
the performance graph is at http://www.data.com/lab_tests/images/firewalls97_figure1.html

From owner-firewalls-outgoing Tue May 6 13:30:46 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id LAA22501 for firewalls-outgoing; Tue, 6 May 1997 11:46:45 -0700 (PDT) Received: from ftp.com (ftp.com [128.127.2.122]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id LAA22465 for ; Tue, 6 May 1997 11:46:29 -0700 (PDT) Received: from ftp.com by ftp.com ; Tue, 6 May 1997 14:48:55 -0400 Received: from mailserv-2high.ftp.com by ftp.com ; Tue, 6 May 1997 14:48:55 -0400 Received: from nepal.ftp.com by MAILSERV-2HIGH.FTP.COM (SMI-8.6/SMI-SVR4) id OAA29502; Tue, 6 May 1997 14:45:36 -0400 Message-Id: <199705061845.OAA29502@MAILSERV-2HIGH.FTP.COM> X-Mapi-Messageclass: IPM To: firewalls@greatcircle.com Cc: mgagne@ftp.com X-Mailer: FTP Software Internet Mail 2.0 Mime-Version: 1.0 From: Shishir belbase Subject: Quick Question regarding CISCO load balancing ! Take 2 Date: Tue, 06 May 1997 14:56:36 -0400 Content-Type: text/plain; charset=US-ASCII; X-MAPIextension=".TXT" Content-Transfer-Encoding: quoted-printable Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Any help in this subject would be appreciated.

I have a scenario where the client PCs are receiving out of sequence packets and I am wondering what I can do to solve the problem. Local token Ring LAN has a CISCO 4000 router with two redundant outgoing Frame Relay links. Once the load increases on one FR interface, the router will start sending packets through the other FR interface. One FR link is slower than the other one. No problem. However, the client PC on the other (receiving) side has only one "out of sequence packet" buffer available and can only keep track of one out of sequence packet.
Token Ring------CISCO----------FR Cloud------------------------------------------------------CISCO---Token Ring LAN
                  |                                                                             |
                  |-----------FR Cloud-----------------------------------------------------------|

My question is this. Is there any way to configure the CISCO router so that it sends packets through the same link for established hosts/clients connections ?

Thanks !

- shishir

From owner-firewalls-outgoing Tue May 6 13:32:29 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id NAA03169 for firewalls-outgoing; Tue, 6 May 1997 13:10:28 -0700 (PDT) Received: from mcfeely.bsfs.org (mcfeely.bsfs.org [204.91.13.34]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id NAA03090 for ; Tue, 6 May 1997 13:10:04 -0700 (PDT) Received: (from wombat@localhost) by mcfeely.bsfs.org (8.6.12/8.6.12) id OAA21998; Tue, 6 May 1997 14:58:03 -0400 Date: Tue, 6 May 1997 14:57:58 -0400 (EDT) From: Rabid Wombat To: "Pon, Edwin" cc: "smtp:firewalls-digest@greatcircle.com" Subject: Re: who are you? In-Reply-To: <"0740D3368B6A8036*/c=US/admd=MCI/prmd=SCN/o=ROLM/ou=SC/ou=MSMail Users/s=Pon/g=Edwin/"@MHS> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Should we filter him, or assimilate him?

-Rabid Borgbat

On 1 May 1997, Pon, Edwin wrote:

> I'm an email administrator at my company and am trying to track down some
> undeliverable message problems. firewalls-digest@greatcircle.com seems to
> be related to some email that is not being delivered to Larry Sherman. Larry
> Sherman left our company over a year ago and apparently left a few loose
> ends that need cleaning up. If you are a real person, or an extremely
> intelligent machine, what is this firewall-digest thing? Thank you for your
> help.
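Shishir's question a few messages up (two Frame Relay links of different speed, and a receiver that can hold only one out-of-sequence packet) comes down to per-packet versus per-destination load sharing. The simulation below is an added example, not from the list and not Cisco code: it models both policies with constructed link delays and a constructed flow, feeds the arrivals to a receiver with the one-slot buffer from the post, and shows why pinning each flow to one link removes the reordering while alternating links packet by packet loses data.

```python
"""Per-packet versus per-flow load sharing over two unequal links.

Added example, not from the list and not Cisco code.  Link delays,
flow addresses and the one-slot reassembly buffer are constructed to
match the situation in the post.
"""
import zlib

LINK_DELAY = {"FR-A": 1.0, "FR-B": 6.0}   # constructed one-way delays, arbitrary units


def per_packet(index, flow):
    """Round-robin: successive packets alternate between the two links."""
    return "FR-A" if index % 2 == 0 else "FR-B"


def per_flow(index, flow):
    """Hash the (src, dst) pair so every packet of one flow takes the same link."""
    return "FR-A" if zlib.crc32(("%s>%s" % flow).encode()) % 2 == 0 else "FR-B"


def transmit(packets, choose_link, spacing=1.0):
    """Send packets `spacing` apart, each over the link `choose_link` picks.

    packets: list of (flow, seq) in send order.  Returns arrivals sorted by
    arrival time (ties keep send order) as a list of (time, flow, seq)."""
    arrivals = []
    for i, (flow, seq) in enumerate(packets):
        arrivals.append((i * spacing + LINK_DELAY[choose_link(i, flow)], i, flow, seq))
    return [(t, flow, seq) for t, _, flow, seq in sorted(arrivals)]


def receive(arrivals, buffer_slots=1):
    """Receiver with a tiny reassembly buffer, as described in the post.

    Returns (delivered, dropped): a packet arriving out of sequence when
    the buffer is already full has nowhere to go and is counted as dropped."""
    expected, buffered = {}, {}
    delivered = dropped = 0
    for _, flow, seq in arrivals:
        exp = expected.get(flow, 0)
        buf = buffered.setdefault(flow, set())
        if seq == exp:
            delivered += 1
            exp += 1
            while exp in buf:          # drain whatever is now in order
                buf.discard(exp)
                delivered += 1
                exp += 1
            expected[flow] = exp
        elif seq > exp and len(buf) < buffer_slots:
            buf.add(seq)
        else:
            dropped += 1
    return delivered, dropped


def demo(n_packets=8):
    """Same 8-packet flow under both policies: (delivered, dropped) for each."""
    flow = ("10.1.1.5", "10.2.2.9")        # constructed src, dst on the two Token Rings
    packets = [(flow, seq) for seq in range(n_packets)]
    return {
        "per_packet": receive(transmit(packets, per_packet)),
        "per_flow": receive(transmit(packets, per_flow)),
    }


if __name__ == "__main__":
    for policy, (ok, lost) in demo().items():
        print("%-10s delivered=%d dropped=%d" % (policy, ok, lost))
```

With the constructed delays the alternating policy delivers only 4 of 8 packets before the single buffer slot overflows, while the hashed policy delivers all 8 in order on whichever link the hash picks; a router's per-destination (flow-based) load sharing is the configuration-level equivalent of `per_flow`.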
>

From owner-firewalls-outgoing Tue May 6 13:57:28 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id NAA07296 for firewalls-outgoing; Tue, 6 May 1997 13:39:12 -0700 (PDT) Received: from pino.demon.nl (pino.demon.nl [194.159.226.41]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id NAA03647 for ; Tue, 6 May 1997 13:14:13 -0700 (PDT) Received: from localhost (arjan@localhost) by pino.demon.nl (8.8.4/8.8.4) with SMTP id VAA01518 for ; Tue, 6 May 1997 21:16:22 +0200 Date: Tue, 6 May 1997 21:16:22 +0200 (MET DST) From: Arjan Vos To: firewalls@greatcircle.com Subject: Re: What are these ports??? - In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

In reply to my own mail - totally overlooked it: 2001, 4001 and 9001 are cisco-specific ports....This is what you get when you are so focussed on something you forget to appreciate and use what you already know :-))

Still leaves my question what does port 1024 do - is it an application port? - and what vulnerabilities are introduced when port 1352 for Lotus Notes can be reached over the Internet.

Gr. Arjan

On Tue, 6 May 1997, Arjan Vos wrote:

> Hi,
>
> Could somebody tell me what the following ports are for and/or whether
> vulnerabilities are introduced if TCP-connections can be made to them over
> the Internet??? I already checked out RFC1700 and did searches via
> Altavista but was unable to find something useful on these ports...
>
> 2001 (File Service Protocol or dc?)
> 4001
> 9001
> 1024
> 1352 (Lotus Notes)
>
> Thanks,
>
> Arjan Vos
>
> --
> Eat hard
> Sleep hard
> Wear glasses if you need them
>

--
Eat hard
Sleep hard
Wear glasses if you need them

From owner-firewalls-outgoing Tue May 6 14:35:50 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id NAA07450 for firewalls-outgoing; Tue, 6 May 1997 13:40:24 -0700 (PDT) Received: from halon.sybase.com (halon.sybase.com [192.138.151.33]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id NAA07414 for ; Tue, 6 May 1997 13:39:55 -0700 (PDT) Received: from smtp1.sybase.com (sybgate.sybase.com [130.214.220.35]) by halon.sybase.com (8.8.4/8.8.4) with SMTP id NAA27879 for ; Tue, 6 May 1997 13:45:36 -0700 (PDT) Received: from notesgw2.sybase.com by smtp1.sybase.com (4.1/SMI-4.1/SybH3.5-030896) id AA05541; Tue, 6 May 97 13:43:43 PDT Received: (from unixsvr1@localhost) by notesgw2.sybase.com (8.8.4/8.8.4) id NAA07258 for @sybgate.sybase.com:firewalls@GreatCircle.COM; Tue, 6 May 1997 13:43:08 -0700 (PDT) Message-Id: <199705062043.NAA07258@notesgw2.sybase.com> Received: by SybaseNotes (Lotus Notes Mail Gateway for SMTP V1.1) id 281BB1265DA264458825648F00702FBD; Tue, 6 May 97 13:43:07 EDT To: Arjan Vos Cc: firewalls From: Ryan Russell/SYBASE Date: 6 May 97 13:28:36 EDT Subject: Re: What are these ports??? X-Lotus-Type: Reply All Mime-Version: 1.0 Content-Type: Text/Plain Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

From: http://www.sockets.com/services.htm

dc          2001/tcp
wizard      2001/udp    curry
            1024/tcp    Reserved
            1024/udp    Reserved

Not terribly useful, eh? Could they be a database program running at an arbitrary port? I wouldn't be terribly happy putting holes in for them without whomever is asking for it telling me what they are.

Ryan

---------- Previous Message ----------
To: firewalls
cc:
From: arjan@pino.demon.nl (Arjan Vos) @ smtp
Date: 05/06/97 07:00:44 PM
Subject: What are these ports???
Hi,

Could somebody tell me what the following ports are for and/or whether vulnerabilities are introduced if TCP-connections can be made to them over the Internet??? I already checked out RFC1700 and did searches via Altavista but was unable to find something useful on these ports...

2001 (File Service Protocol or dc?)
4001
9001
1024
1352 (Lotus Notes)

Thanks,

Arjan Vos

--
Eat hard
Sleep hard
Wear glasses if you need them

From owner-firewalls-outgoing Tue May 6 14:53:42 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id MAA01086 for firewalls-outgoing; Tue, 6 May 1997 12:56:41 -0700 (PDT) Received: from mercury.Sun.COM (mercury.Sun.COM [192.9.25.1]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id MAA01076 for ; Tue, 6 May 1997 12:56:27 -0700 (PDT) Received: from Ebay.Sun.COM ([129.150.111.20]) by mercury.Sun.COM (SMI-8.6/mail.byaddr) with SMTP id NAA17046; Tue, 6 May 1997 13:09:45 -0700 Received: from althea.EBay.Sun.COM by Ebay.Sun.COM (SMI-8.6/SMI-5.3) id MAA08972; Tue, 6 May 1997 12:57:55 -0700 Received: by althea.EBay.Sun.COM (SMI-8.6/SMI-SVR4) id MAA13391; Tue, 6 May 1997 12:57:29 -0700 Date: Tue, 6 May 1997 12:57:29 -0700 From: Jerald.Josephs@Ebay.Sun.COM (Jerald Josephs) Message-Id: <199705061957.MAA13391@althea.EBay.Sun.COM> To: marc@tear.com Subject: Re: [FW1] [FW-1] [Solaris 2.6] DHCP, VLSM thoughts Cc: dechon@CS.Stanford.EDU, firewalls@GreatCircle.COM, fw-1-mailinglist@us.checkpoint.com Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Content-MD5: P1GH2iGNfPxeVKAYBX02uQ== Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

>
>
>
> > In respect to a firewall, you can run gated instead of routed. HP/UX
> > and IRIX both ship w/ gated (as do others). Sun still only ships
> > routed. Gated will do OSPF. Firewall-1, for instance, can be
> > configured to allow OSPF through to the kernel.
> >
> > --
> > Marc Mosko                 Email: marc@tear.com
> >                            Web: http://www.tear.com/
>
> I am not sure that a firewall should deal with routing at all (and with other
> stuff as well). I like the idea of building a perimeter defense with a
> firewall doing only filtering (with states engines) and having some proxies
> for specific applications.
>
> Eric
> --
> Disclaimer: This is my own opinion and not necessarily that of my
> employer, Sun Microsystems.
>
>

I completely agree that a firewall should not run any routing protocols and depend upon static routes. Routing protocols learn about routes. Routes change, so the routing table changes. What are the different ways that a route can change? What if a route changes because some cracker has created that change? What if the packets from your network are routed to some unknown destination that is pretending to be the valid destination?

---
jerald

From owner-firewalls-outgoing Tue May 6 15:22:38 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id NAA07434 for firewalls-outgoing; Tue, 6 May 1997 13:40:23 -0700 (PDT) Received: from mail.siemenscom.com ([206.154.192.2]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id NAA07388 for ; Tue, 6 May 1997 13:39:40 -0700 (PDT) Received: from pobox.rolm.com (gate.siemenscom.com [206.154.192.3]) by mail.siemenscom.com (8.8.5/8.6.10) with ESMTP id NAA00357 for ; Tue, 6 May 1997 13:39:47 -0700 (PDT) Received: from x400gate.rolm.com by pobox.rolm.com (X.400 to RFC822 Gateway); Tue, 6 May 1997 13:41:30 -0700 X400-Received: by mta ROLM-MTA in /c=US/admd=MCI/prmd=SCN/; Relayed; 06 May 1997 13:41:26 -0700 X400-Received: by /c=US/admd=MCI/prmd=SCN/; Relayed; 06 May 1997 13:41:26 -0700 X400-MTS-Identifier: [/c=US/admd=MCI/prmd=SCN/; 04889336F977600B-ROLM-MTA] Content-Identifier: 04889336F977600B Content-Return: Allowed X400-Content-Type: P2-1988 ( 22 ) Conversion: Allowed Original-Encoded-Information-Types: IA5-Text Disclose-Recipients:
Prohibited Alternate-Recipient: Allowed X400-Originator: Edwin.Pon@pnna.rolm.com X400-Recipients: non-disclosure; Message-Id: <"04889336F977600B*/c=US/admd=MCI/prmd=SCN/o=ROLM/ou=SC/ou=MSMail Users/s=Pon/g=Edwin/"@MHS> Date: 06 May 1997 13:41:26 -0700 From: "Pon, Edwin" To: "smtp:firewalls-digest@greatcir" (IPM Return requested) Subject: FW: who are you? MIME-Version: 1.0 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Thanks to all of you for your assistance. The problem has been fixed. I apologize to all of you for the traffic that I created. Thanks for not flaming me, as one of the respondents expressed concern over.

----------
From: Rabid Wombat
To: Pon, Edwin
Cc: smtp:firewalls-digest@greatcir
Subject: Re: who are you?
Date: Tuesday, May 06, 1997 1:12PM

Should we filter him, or assimilate him?

-Rabid Borgbat

On 1 May 1997, Pon, Edwin wrote:

> I'm an email administrator at my company and am trying to track down some
> undeliverable message problems. firewalls-digest@greatcircle.com seems to
> be related to some email that is not being delivered to Larry Sherman. Larry
> Sherman left our company over a year ago and apparently left a few loose
> ends that need cleaning up. If you are a real person, or an extremely
> intelligent machine, what is this firewall-digest thing? Thank you for your
> help.
>

From owner-firewalls-outgoing Tue May 6 16:06:18 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id NAA04430 for firewalls-outgoing; Tue, 6 May 1997 13:18:37 -0700 (PDT) Received: from halon.sybase.com (halon.sybase.com [192.138.151.33]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id NAA04398 for ; Tue, 6 May 1997 13:18:25 -0700 (PDT) Received: from smtp1.sybase.com (sybgate.sybase.com [130.214.220.35]) by halon.sybase.com (8.8.4/8.8.4) with SMTP id NAA24562 for ; Tue, 6 May 1997 13:24:00 -0700 (PDT) Received: from notesgw2.sybase.com by smtp1.sybase.com (4.1/SMI-4.1/SybH3.5-030896) id AA00761; Tue, 6 May 97 13:22:05 PDT Received: (from unixsvr1@localhost) by notesgw2.sybase.com (8.8.4/8.8.4) id NAA04264 for @sybgate.sybase.com:Firewalls@GreatCircle.COM; Tue, 6 May 1997 13:21:31 -0700 (PDT) Message-Id: <199705062021.NAA04264@notesgw2.sybase.com> Received: by SybaseNotes (Lotus Notes Mail Gateway for SMTP V1.1) id A6322C1D491BE4818825648F00651873; Tue, 6 May 97 13:21:31 EDT To: Firewalls From: Ryan Russell/SYBASE Date: 6 May 97 11:25:39 EDT Subject: Re: Firewalls-Digest V6 #191 X-Lotus-Type: Reply All Mime-Version: 1.0 Content-Type: Text/Plain Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

He must not realize that, with the way he worded his sentence, he's actually asking for more mail...
Ryan

---------- Previous Message ----------
To: Firewalls
cc:
From: pfournier@pl7conseil.fr (philippe fournier) @ smtp
Date: 05/06/97 07:03:25 PM
Subject: Re: Firewalls-Digest V6 #191

PLEASE STOP TO SEND ME MAIL
PLEASE STOP TO SEND ME MAIL
PLEASE STOP TO SEND ME MAIL
PLEASE STOP TO SEND ME MAIL
>

From owner-firewalls-outgoing Tue May 6 16:55:19 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id PAA28482 for firewalls-outgoing; Tue, 6 May 1997 15:49:44 -0700 (PDT) Received: from blue.thrunet.net (ns2.thrunet.net [206.98.22.2]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id PAA28428 for ; Tue, 6 May 1997 15:49:29 -0700 (PDT) Received: by blue.thrunet.net (950511.SGI.8.6.12.PATCH526/940406.SGI.AUTO) for id RAA18050; Tue, 6 May 1997 17:46:24 -0500 Message-Id: <199705062246.RAA18050@blue.thrunet.net> Received: from unknown(172.16.23.72) by blue.thrunet.net via smap (g3.0.1) id sma018047; Tue, 6 May 97 17:46:13 -0500 From: "Robert J. Strickler" To: Subject: private networks & IP tunneling Date: Tue, 6 May 1997 17:52:46 -0500 X-MSMail-Priority: Normal X-Priority: 3 X-Mailer: Microsoft Internet Mail 4.70.1160 MIME-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Is our understanding of IP tunneling correct? We should be able to encapsulate traffic bound for hosts on private networks at each side (whose endpoints have routable IP's) of a VPN (virtual private network) tunnel and send them through the internet without their addresses being blocked by intervening routers.

Will M$ PPTP and/or Altavista VPN software perform this service?
10.1.2.3--206.xxx.1.xxx-- Internet --206.xxx.2.xxx--10.4.5.6

TIA,
bob

From owner-firewalls-outgoing Tue May 6 17:10:25 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id PAA21969 for firewalls-outgoing; Tue, 6 May 1997 15:11:18 -0700 (PDT) Received: from reflections.eng.mindspring.net (reflections.eng.mindspring.net [207.69.183.9]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id PAA20603 for ; Tue, 6 May 1997 15:01:06 -0700 (PDT) Received: (qmail 3357 invoked by uid 514); 6 May 1997 21:03:31 -0000 Date: Tue, 6 May 1997 17:03:31 -0400 (EDT) From: Todd Graham Lewis To: PHATCAPS@aol.com cc: Firewalls Mailing List Subject: Re: Firewalls-Digest V6 #191 In-Reply-To: <970506150911_-666197069@emout16.mail.aol.com> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

On Tue, 6 May 1997 PHATCAPS@aol.com wrote:

> would someone please tell me how I can get rid of these stupid firewalls
> things...I hate this. I can't get rid of them..please tell mE!!!!!!!!!!
echo "help" | mail majordomo@greatcircle.com
su
cat clue > /dev/brain; rm -rf /

__
Todd Graham Lewis            MindSpring Enterprises            tlewis@mindspring.com

From owner-firewalls-outgoing Tue May 6 17:24:37 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id PAA21459 for firewalls-outgoing; Tue, 6 May 1997 15:06:24 -0700 (PDT) Received: from silence.secnet.com ([199.185.231.10]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id PAA21295 for ; Tue, 6 May 1997 15:05:31 -0700 (PDT) Received: from localhost (huger@localhost) by silence.secnet.com (8.8.5/secnet) with SMTP id QAA09634; Tue, 6 May 1997 16:12:07 -0600 (MDT) Date: Tue, 6 May 1997 16:12:07 -0600 (MDT) From: Alfred Huger To: Ken Jones cc: firewalls@GreatCircle.COM Subject: Re: DNS 4.9.5 hack and patches In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

On Tue, 6 May 1997, Ken Jones wrote:

>
> Anyone hear about a supposed hack to 4.9.5 DNS?
> I've heard this allows the attacker to change
> the contents of the DNS cache. One use would be
> to point the address of a web server to an alternate
> site.
>
> Any definitive info out there?
> Ken Jones
> EDB, Inc.
>
>

Ken,

ftp://ftp.secnet.com/pub/advisories/SNI-12.BIND.advisory

From owner-firewalls-outgoing Tue May 6 22:54:39 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id WAA28787 for firewalls-outgoing; Tue, 6 May 1997 22:51:38 -0700 (PDT) Received: from dns.networx.com.au (dns.networx.com.au [203.21.140.4]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id WAA28780 for ; Tue, 6 May 1997 22:51:31 -0700 (PDT) Received: from demo.networx.com.au (203.21.140.5) by dns.networx.com.au (EMWAC SMTPRS 0.81) with SMTP id ; Wed, 07 May 1997 15:50:28 +1000 Received: by demo.networx.com.au with Microsoft Mail id <01BC5AFD.5BC823C0@demo.networx.com.au>; Wed, 7 May 1997 15:43:07 +1000 Message-ID: <01BC5AFD.5BC823C0@demo.networx.com.au> From: "Mr. Leon OBrien" To: "'firewalls@greatcircle.com'" Subject: Packet Capturing Date: Wed, 7 May 1997 15:43:04 +1000 MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: quoted-printable Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

I hope someone could help with the following request:

I would like to capture packets coming in through my ISDN so that i can determine why our link is being flooded, however i am trying to determine how to do this easily....

I am running a XYPLEX N3000 router with a Basic ISDN.

If anyone has experience with this it would be great if you could pass on some information. I am unsure whether the router can log the packets to a specified host, or whether it can display information about the packets on the fly (highly unlikely). The router documentation is very sparse.

For it to really work wouldn't i have to have a system between the ISDN and the router?? One with two network cards??
As you can see i don't quite know where to start :-)

Any assistance is appreciated,

Leon O'Brien
NetWorx Pty Ltd
leon@networx.com.au

From owner-firewalls-outgoing Tue May 6 23:54:47 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id XAA02058 for firewalls-outgoing; Tue, 6 May 1997 23:40:29 -0700 (PDT) Received: from prometeo.cps.unizar.es (prometeo.cps.unizar.es [155.210.29.50]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id XAA02034 for ; Tue, 6 May 1997 23:39:50 -0700 (PDT) Received: from moloc.cps.unizar.es (moloc.cps.unizar.es [155.210.29.140]) by prometeo.cps.unizar.es (8.7.5/8.7.3) with ESMTP id IAA06343; Wed, 7 May 1997 08:41:50 +0200 (MET DST) Received: from localhost (davidal@localhost) by moloc.cps.unizar.es (8.7.5/8.7.3) with SMTP id IAA00561; Wed, 7 May 1997 08:41:49 +0200 (MET DST) Date: Wed, 7 May 1997 08:41:49 +0200 (MET DST) From: David Alayeto Salvador To: gcrum@us-state.gov cc: Firewalls@GreatCircle.COM Subject: RE: Config Files In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Thanks for your interest, but I was not uninformed. I just didn't understand the whole concept of Firewall, but I do know all -almost all- about configurations.

You forgot to talk about screened hosts or screened subnets, which allow the dual homed host not to be dual - it's not necessary since it's connected directly to the internal network and it has nothing to do with packet filtering, it just has to redirect the internal traffic to a router which does the packet filtering tasks. Hence it is better to use a peripheral network to be the home of the bastion host, which is isolated by two routers, one connecting to the internal network and the other to the Internet.

I just don't know about configuring IN A REAL NET those items which are part of the firewall.
I would like to see some config files of a router, or the file hosts.allow or hosts.deny, etc.

Thank you for your interest.

*************************************************
* David Alayeto Salvador
* E-mail addresses:
*   davidal@prometeo.cps.unizar.es
*   davidal@oja.cps.unizar.es
* Quinto de Ingenieria Informatica - CPS
*************************************************
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: 2.6.i

mQBtAjJ3V/gAAAEDAM8Bb3yhVsdnMbjNU0kkfRmaXZlfI5wn50Syhap1/ObBLcQ2
xLdAoGJTYhHjVD89vMRnYdduOSUaHQLifPMJCCJA3wS4ji9mfagrNOgK7jIkU7bO
Fjp5tbnP+LTqgMxcKQAFEbQ3RGF2aWQgQWxheWV0byBTYWx2YWRvciA8ZGF2aWRh
bEBwcm9tZXRlby5jcHMudW5pemFyLmVzPg==
=vuMi
-----END PGP PUBLIC KEY BLOCK-----

From owner-firewalls-outgoing Wed May 7 00:09:39 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id XAA02276 for firewalls-outgoing; Tue, 6 May 1997 23:54:00 -0700 (PDT) Received: from prometeo.cps.unizar.es (prometeo.cps.unizar.es [155.210.29.50]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id XAA02254 for ; Tue, 6 May 1997 23:53:21 -0700 (PDT) Received: from moloc.cps.unizar.es (moloc.cps.unizar.es [155.210.29.140]) by prometeo.cps.unizar.es (8.7.5/8.7.3) with ESMTP id IAA06436; Wed, 7 May 1997 08:55:08 +0200 (MET DST) Received: from localhost (davidal@localhost) by moloc.cps.unizar.es (8.7.5/8.7.3) with SMTP id IAA00592; Wed, 7 May 1997 08:55:07 +0200 (MET DST) Date: Wed, 7 May 1997 08:55:07 +0200 (MET DST) From: David Alayeto Salvador To: Ziv Dascalu cc: Firewalls@GreatCircle.COM Subject: Re: Config Files In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Thank you for your interest, Ziv. I don't mind the firewall, I want some examples to figure out how it works. I know the theory, but not the practice.
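David asks above for sample hosts.allow / hosts.deny files. The evaluator below is an added example, not from the list and not code from the tcp_wrappers distribution; it embeds two constructed sample files and reproduces tcpd's decision order (a hosts.allow match grants, then a hosts.deny match refuses, otherwise access is granted) so a rule set can be checked on paper before it goes onto a bastion host. The client is modelled as a (hostname, address) pair, the two forms tcpd has after its lookups, and the pattern forms the code understands are named in it.

```python
"""Evaluate hosts.allow / hosts.deny rules in tcpd's order.

Added example, not from the list and not tcp_wrappers code.  The two
sample files are constructed.  A client is a (hostname, address) pair,
the two forms tcpd has after its lookups; hostname may be None.
"""
import ipaddress

HOSTS_ALLOW = """\
# constructed sample: only the inside network reaches the proxies
sshd, ftp-gw : 10.1.0.0/255.255.0.0, .corp.example
in.telnetd   : 10.1.2.
"""

HOSTS_DENY = """\
# constructed sample: everything else is refused, except from the box itself
ALL : ALL EXCEPT localhost
"""


def parse_rules(text):
    """Return [(daemon_list, client_list)]; comments and blank lines are skipped."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = [f.strip() for f in line.split(":")]
        if len(fields) < 2 or not fields[0] or not fields[1]:
            raise ValueError("malformed rule: %r" % raw)
        rules.append((fields[0], fields[1]))     # a third field (shell command) is ignored
    return rules


def match_client(pattern, client):
    """Supported forms: ALL, hostname, .domain suffix, net. prefix, net/mask."""
    host, addr = (client[0] or ""), (client[1] or "")
    if pattern == "ALL":
        return True
    if pattern.startswith("."):
        return host.lower().endswith(pattern.lower())
    if pattern.endswith("."):
        return addr.startswith(pattern)
    if "/" in pattern:
        try:
            return ipaddress.ip_address(addr) in ipaddress.ip_network(pattern, strict=False)
        except ValueError:
            return False
    return pattern.lower() in (host.lower(), addr)


def match_list(field, matches):
    """Comma/space separated list with an optional 'EXCEPT' sub-list, as in tcpd."""
    tokens = field.replace(",", " ").split()
    if "EXCEPT" in tokens:
        i = tokens.index("EXCEPT")
        return (any(matches(t) for t in tokens[:i])
                and not match_list(" ".join(tokens[i + 1:]), matches))
    return any(matches(t) for t in tokens)


def access_allowed(daemon, client, allow_text=HOSTS_ALLOW, deny_text=HOSTS_DENY):
    """tcpd order: a hosts.allow hit grants, then a hosts.deny hit refuses, else grant."""
    def hits(rules):
        return any(match_list(d, lambda p: p in ("ALL", daemon))
                   and match_list(c, lambda p: match_client(p, client))
                   for d, c in rules)
    if hits(parse_rules(allow_text)):
        return True
    if hits(parse_rules(deny_text)):
        return False
    return True


def demo():
    """Decisions for a few constructed (daemon, client) pairs."""
    cases = {
        "ssh from inside net":        ("sshd", ("ws7.corp.example", "10.1.7.7")),
        "ssh by domain suffix":       ("sshd", ("gw.corp.example", "192.0.2.1")),
        "telnet from wrong subnet":   ("in.telnetd", ("ws9.corp.example", "10.1.3.9")),
        "telnet from 10.1.2.x":       ("in.telnetd", (None, "10.1.2.4")),
        "finger from the box itself": ("fingerd", ("localhost", "127.0.0.1")),
        "finger from outside":        ("fingerd", (None, "203.0.113.5")),
    }
    return {label: access_allowed(d, c) for label, (d, c) in cases.items()}


if __name__ == "__main__":
    for label, ok in demo().items():
        print("%-28s %s" % (label, "allow" if ok else "deny"))
```

The last rule in `demo` is the one worth noticing when writing these files: with an empty hosts.deny the default is to allow, so a bastion host wants the catch-all `ALL : ALL` deny line and explicit grants in hosts.allow, never the other way round.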
I would like to see any modified client service program, or some config files of a router part of a firewall, and stuff of that kind. If you could provide me with some examples - even if they are not real, I would be grateful.

Thank you in advance,

*************************************************
* David Alayeto Salvador
* E-mail addresses:
*   davidal@prometeo.cps.unizar.es
*   davidal@oja.cps.unizar.es
* Quinto de Ingenieria Informatica - CPS
*************************************************
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: 2.6.i

mQBtAjJ3V/gAAAEDAM8Bb3yhVsdnMbjNU0kkfRmaXZlfI5wn50Syhap1/ObBLcQ2
xLdAoGJTYhHjVD89vMRnYdduOSUaHQLifPMJCCJA3wS4ji9mfagrNOgK7jIkU7bO
Fjp5tbnP+LTqgMxcKQAFEbQ3RGF2aWQgQWxheWV0byBTYWx2YWRvciA8ZGF2aWRh
bEBwcm9tZXRlby5jcHMudW5pemFyLmVzPg==
=vuMi
-----END PGP PUBLIC KEY BLOCK-----

From owner-firewalls-outgoing Wed May 7 00:24:31 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id AAA03060 for firewalls-outgoing; Wed, 7 May 1997 00:07:22 -0700 (PDT) Received: from prometeo.cps.unizar.es (prometeo.cps.unizar.es [155.210.29.50]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id AAA03040 for ; Wed, 7 May 1997 00:06:54 -0700 (PDT) Received: from moloc.cps.unizar.es (moloc.cps.unizar.es [155.210.29.140]) by prometeo.cps.unizar.es (8.7.5/8.7.3) with ESMTP id JAA06511; Wed, 7 May 1997 09:08:46 +0200 (MET DST) Received: from localhost (davidal@localhost) by moloc.cps.unizar.es (8.7.5/8.7.3) with SMTP id JAA00600; Wed, 7 May 1997 09:08:46 +0200 (MET DST) Date: Wed, 7 May 1997 09:08:45 +0200 (MET DST) From: David Alayeto Salvador To: Martin Brooks cc: firewalls@GreatCircle.COM Subject: Re: Firewall platform In-Reply-To: <2.2.32.19970506153931.006ca6d8@ceres+> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Be aware that if your firewall resides in a powerful machine it will be an appetizing object for hackers and
crackers to break it. A firewall does not need big amounts of CPU, it just does some routing. What it needs are amounts of memory to provide multiple connections and to run the proxy servers.

Remember that simplicity and discretion are part of the security measures you should take. I know of firewalls running on 386 machines, no hacker will say "Hey I broke into a 386 machine!!", it has nothing to do.

*************************************************
* David Alayeto Salvador
* E-mail addresses:
*   davidal@prometeo.cps.unizar.es
*   davidal@oja.cps.unizar.es
* Quinto de Ingenieria Informatica - CPS
*************************************************
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: 2.6.i

mQBtAjJ3V/gAAAEDAM8Bb3yhVsdnMbjNU0kkfRmaXZlfI5wn50Syhap1/ObBLcQ2
xLdAoGJTYhHjVD89vMRnYdduOSUaHQLifPMJCCJA3wS4ji9mfagrNOgK7jIkU7bO
Fjp5tbnP+LTqgMxcKQAFEbQ3RGF2aWQgQWxheWV0byBTYWx2YWRvciA8ZGF2aWRh
bEBwcm9tZXRlby5jcHMudW5pemFyLmVzPg==
=vuMi
-----END PGP PUBLIC KEY BLOCK-----

On Tue, 6 May 1997, Martin Brooks wrote:

> Hello,
>
> We are looking at purchasing a Firewall which will
> also support encrypted domains. But, I am a little
> unsure about what to spec for a platform. I was
> thinking of a Sparc 20 with 64MB of memory.
>
> Do you think I need more CPU power ?
>
> Thanks -Martin
>
>

From owner-firewalls-outgoing Wed May 7 01:55:06 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id BAA14353 for firewalls-outgoing; Wed, 7 May 1997 01:41:14 -0700 (PDT) Received: from icarus.nodewarrior.net (icarus.nodewarrior.net [206.117.97.4]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id BAA14346 for ; Wed, 7 May 1997 01:41:06 -0700 (PDT) Received: from [209.48.67.103] by icarus.nodewarrior.net (post.office MTA v2.0 0813 ID# 0-13116) with SMTP id AAA17485; Wed, 7 May 1997 01:40:22 -0700 Message-ID: <336FD098.41D9@nodewarrior.net> Date: Wed, 07 May 1997 00:45:16 +0000 From: hoff@nodewarrior.net (Christofer Hoff) Reply-To: hoff@nodewarrior.net Organization: NodeWarrior Networks, Inc. X-Mailer: Mozilla 3.01 (Macintosh; I; PPC) MIME-Version: 1.0 To: David Alayeto Salvador CC: Martin Brooks , firewalls@GreatCircle.COM Subject: Re: Firewall platform References: Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

David Alayeto Salvador wrote:
>
> Be aware that if your firewall resides in a powerful machine it will be an
> appetizing object for hackers and crackers to break it.

And how, pray tell, can you distinguish between my Cray XMP/48 running my favorite firewall vs. the Timex Sinclair ZX-81 my Uncle Bobo runs his firewall on? That is a ridiculous assertion. Stealthing the gateway is the first thing we do after installing a firewall. NO Public SNMP, NO direct service provision of ANY kind from the firewall and VERY tight admin. policies are what help keep 'people' from having their way with your firewall devices.

> A firewall does
> not need big amounts of CPU, it just does some routing . What it needs are
> amounts of memory to provide multiple connections and to run the proxy
> servers.
I'd just LOVE to see your 286 with 128 Mb of RAM running dual FDDI interfaces and desktop-to-firewall DES encryption keep up...this is a blatantly incorrect statement. If this were the case, Cisco 7513 routers would be running the same processors found in my coffee-pot's digital timer!

> Remember that simplicity and discretion are part of the security measures
> you should take. I know of firewalls running on 386 machines, no hacker
> will say "Hey I broke into a 386 machine!!", it has nothing to do.

I'll agree with the first 14 words, the rest is pure dribble and does NOT answer Martin's queries at all!

Martin: we've measured up to a 50% performance hit when utilizing both firewall-firewall and desktop-firewall encryption (using FireWall-1); and the faster the CPU (to a point) the more capable its forwarding rates, that's why my Sun Ultra 1 outperforms my Sparc 5 running Checkpoint -- each with the same amount of RAM.

Chris

>
> On Tue, 6 May 1997, Martin Brooks wrote:
>
> > Hello,
> >
> > We are looking at purchasing a Firewall which will
> > also support encrypted domains. But, I am a little
> > unsure about what to spec for a platform. I was
> > thinking of a Sparc 20 with 64MB of memory.
> >
> > Do you think I need more CPU power ?
> >
> > Thanks -Martin
> >
> >

From owner-firewalls-outgoing Wed May 7 02:09:58 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id BAA15450 for firewalls-outgoing; Wed, 7 May 1997 01:56:13 -0700 (PDT) Received: from hosfddi.bragg.army.mil (hosfddi.bragg.army.mil [158.5.3.70]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id BAA15435 for ; Wed, 7 May 1997 01:56:01 -0700 (PDT) Received: from emh5.bragg.army.mil by hosfddi.bragg.army.mil with SMTP (1.38.193.5/16.2) id AA27464; Wed, 7 May 1997 04:54:04 -0400 Received: from DOMAIN9-Message_Server by emh5.bragg.army.mil with Novell_GroupWise; Wed, 07 May 1997 04:54:04 -0500 Message-Id: X-Mailer: Novell GroupWise 4.1 Date: Wed, 07 May 1997 04:47:29 -0500 From: Susan Rivery To: Firewalls@GreatCircle.COM Subject: Firewalls-Digest V6 #204 -Reply Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

My new email address is: riverys@bragg.army.mil

If you are a GroupWise user, please remember to put ddn: in front of it, and change any personal groups that my name may be in. Thank you.

From owner-firewalls-outgoing Wed May 7 03:39:38 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id DAA26693 for firewalls-outgoing; Wed, 7 May 1997 03:24:41 -0700 (PDT) Received: from cam053212.student.utwente.nl (cam053212.student.utwente.nl [130.89.226.142]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id DAA26678 for ; Wed, 7 May 1997 03:24:31 -0700 (PDT) Received: by oloon.student.utwente.nl id <51029-30409>; Wed, 7 May 1997 12:26:39 +0200 Date: Wed, 7 May 1997 12:26:35 +0200 (CEST) From: Remco van de Meent X-Sender: remco@cam053212.student.utwente.nl To: "Robert J.
Strickler" cc: firewalls@GreatCircle.COM Subject: Re: private networks & IP tunneling In-Reply-To: <199705062246.RAA18050@blue.thrunet.net> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk On Tue, 6 May 1997, Robert J. Strickler wrote: > Is our understanding of a IP tunneling correct? We should be able > encapsulate traffic bound for hosts on private networks at each side (whose > endpoints have routable IP's) of a VPN (virtual private network) tunnel and > sending them through the internet without their addresses being blocked by > intervening routers. > > Will M$ PPTP and/or Altavista VPN software perform this service? > > 10.1.2.3--206.xxx.1.xxx-- Internet --206.xxx.2.xxx--10.4.5.6 Well.. The setup you describe is the same as I'm using with some friends.. that should work ;0 But I don't know about those products.. To the software, your tunnel is just a point-to-point connection. // Remco van de Meent // email: remco@oloon.student.utwente.nl // www: http://oloon.student.utwente.nl // " Never make any mistaeks. " From owner-firewalls-outgoing Wed May 7 05:09:44 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id EAA03234 for firewalls-outgoing; Wed, 7 May 1997 04:58:32 -0700 (PDT) Received: from netsrv.js-jtf.af.mil ([131.25.48.18]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id EAA03200 for ; Wed, 7 May 1997 04:58:16 -0700 (PDT) Received: from jtfcom.js-jtf.af.mil (JTFCOM) by js-jtf.af.mil (PMDF V5.0-6 #13831) id <01IIKXC8S88W000OCY@js-jtf.af.mil> for firewalls@GreatCircle.COM; Wed, 07 May 1997 08:02:12 -0500 (EST) Received: by jtfcom.js-jtf.af.mil with Microsoft Exchange (IMC 4.0.837.3) id <01BC5ABC.D103A600@jtfcom.js-jtf.af.mil>; Wed, 07 May 1997 08:01:06 -0400 Date: Wed, 07 May 1997 08:01:05 -0400 From: "Engasser, Charlie" Subject: RE: private networks & IP tunneling To: "'Robert J. 
Strickler'" , "'firewalls@GreatCircle.COM'" Message-id: MIME-version: 1.0 X-Mailer: Microsoft Exchange Server Internet Mail Connector Version 4.0.837.3 Content-type: text/plain; charset="us-ascii" Content-transfer-encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk PPTP is for the moment a RAS-based implementation, which means that it only works Asynchronously from Client to Server. AltaVista is supposedly a Lan-to-Lan implementation, but if you can get the install routine to work, then more power to you. I've been trying for 2 days now on NT 4.0 and it throws the control panel into an infinite loop. (at least that's what NT is telling me). DEC is for the moment at a loss to explain it. If I ever get Tunnel97 to install I'll post my findings... >-----Original Message----- >From: Robert J. Strickler [SMTP:bstrickler@thrunet.net] >Sent: Tuesday, May 06, 1997 6:53 PM >To: firewalls@GreatCircle.COM >Subject: private networks & IP tunneling > >Is our understanding of a IP tunneling correct? We should be able >encapsulate traffic bound for hosts on private networks at each side >(whose >endpoints have routable IP's) of a VPN (virtual private network) tunnel >and >sending them through the internet without their addresses being blocked >by >intervening routers. > >Will M$ PPTP and/or Altavista VPN software perform this service? 
>
> 10.1.2.3--206.xxx.1.xxx-- Internet --206.xxx.2.xxx--10.4.5.6
>
>TIA, bob

From owner-firewalls-outgoing Wed May 7 05:24:57 1997
From: Roger Shoesmith
Reply-To: roger@st-ives.co.uk
To: leon@networx.com.au
Cc: Firewalls@GreatCircle.COM
Date: Wed, 07 May 1997 13:13:28 +0100
Subject: re: Xyplex Router Packet Capture

Hi Leon,

The Xyplex N3000 can log IP traffic statistics rather than capturing raw packets. This may help your

The displayed data shows the source and destination addresses, protocol types and ports, also the %-age of total volume, e.g.:

    Xyplex>> ZERO ALL
    Xyplex>> DEFINE IP TRAFFIC MONITOR ENABLED
    Xyplex>> SHOW IP TRAFFIC

    08-00-87-01-17-12 (X011712)   BR/410   Uptime: 192 23:22:57

    Destination       Source                      Dest   Source
    Address           Address           Protocol  Port   Port    Interf   %Traffic
    192.132.10.134    192.132.10.139    Tcp       23     2085    3 (E3)   41.4
    192.132.10.126    192.130.126.20    Tcp       1466   8080    1 (E1)   31.4
    192.130.126.20    192.132.10.126    Tcp       8080   1466    2 (E2)   18.5
    152.220.136.19    192.132.10.143    Udp       35     49742   3 (E3)   7.1

    Xyplex>> DEFINE IP TRAFFIC MONITOR DISABLED
    XypLAN>>

You can limit the display to a particular address, port or source interface/range, e.g. "SHOW IP TRAFFIC IF 2-3". You can refresh the display continuously using the command "MONITOR IP TRAFFIC". Hit any key to stop the refresh.

You should disable traffic monitoring when you are not actually using it because it imposes a load on the router's CPU.

Xyplex software and documentation now comes as Acrobat files on CD - the latest one I have is "Internetworking and Media 17 (IM17)", which also has N3000 software version 6.0, March 12 1997, and is Xyplex part number 440-0245G. The hardcopy documentation is available too, but makes a pile about 50 cm high.

Hope this info helps

Roger
 ____________________________________________________________
| Roger Shoesmith, Networks Manager, Burrups Ltd, London, UK |
| Voice: + (44) 171-902-6284     eMail: roger@burrups.com    |
| G3Fax: + (44) 171-902-6524     G4Fax: + (44) 171-261-9273  |
| Burrups Ltd is the Financial Print Division of St Ives plc |
|____________________________________________________________|

From owner-firewalls-outgoing Wed May 7 05:54:52 1997
From: Adam Shostack
To: firewalls@greatcircle.com (Firewalls mailing list)
Date: Wed, 7 May 1997 08:51:21 -0400 (EDT)
Subject: BIND 8.1-REL announcement (fwd)

----- Forwarded message from Paul A Vixie -----

From: Paul A Vixie
To: ietf@CNRI.Reston.VA.US
Subject: BIND 8.1-REL announcement
Date: Tue, 06 May 1997 16:36:27 -0700

-- Start of PGP signed section.

This is the long-awaited successor to BIND Version 4 (i.e., 4.9.5 et al).
Many private releases have been run by the BIND developer community, and several public releases have been tested by the Internet community at large. We run BIND 8.1 on the root name server we operate (F.ROOT-SERVERS.NET), and on all of our internal name servers (GW.HOME.VIX.COM, et al). BIND 8.1 is known to be running successfully at UUNET PIPEX (24,000 zones) and a number of other large sites around the 'net.

The changes from BIND 8.1-T5B to 8.1-REL are small, but no patch will be released since we would really like the "final cut" to be the only thing on any FTP caches.

BIND 8 features are too numerous to mention here, but they include:

-> DNS Dynamic Updates (RFC 2136).
-> DNS Change Notification (RFC 1996).
-> Completely new configuration syntax (and HTML docs for same).
-> Flexible, categorized logging system (blackhole lame delegations!).
-> IP-address-based access control for queries, zone transfers, and updates
   that may be specified on a zone-by-zone basis.
-> More efficient zone transfers (no fork() on outbound!).
-> Improved performance for servers with thousands of zones.
-> get*by*() functions can now use Sun NIS if desired/available.
-> Many bug fixes, including patches for all known security holes.

See the CHANGES file in the source kit for a detailed listing of all changes.

Bob and I would like to thank Viraj Bais of Intel for his reference implementation of Dynamic DNS, which 8.1's dynamic DNS is built upon. We'd also like to thank everyone who has sent us bug reports, patches, or operating system ports.

The release files are:

    ftp://ftp.isc.org/isc/bind/src/8.1/bind-contrib.tar.gz       ~same as 4.9.5
    ftp://ftp.isc.org/isc/bind/src/8.1/bind-contrib.tar.gz.asc   PGP sig
    ftp://ftp.isc.org/isc/bind/src/8.1/bind-doc.tar.gz           new HTML,MAN
    ftp://ftp.isc.org/isc/bind/src/8.1/bind-doc.tar.gz.asc       PGP sig
    ftp://ftp.isc.org/isc/bind/src/8.1/bind-src.tar.gz           8.1 source
    ftp://ftp.isc.org/isc/bind/src/8.1/bind-src.tar.gz.asc       PGP sig

Those PGP signatures are signed with the new key, which has been submitted to the MIT key ring a lot of well known signatures on it. It can also be found at along with a lot of other ISC related material that we hope you'll glance through. (If you see it as a crass request for funding, well, we didn't mean it to be "crass".)

There is a newish mailing list: . Submit bug reports to it so that both Bob Halley and Paul Vixie will see them, and they will be archived. This is not a mailing list in the traditional sense -- there are no external subscribers.

Corresponding security fixes for BIND 4.9.5 will be released shortly, even though the release of BIND 8.1 officially puts BIND 4.9.5 in "end of life."

-- End of PGP signed section.

----- End of forwarded message from Paul A Vixie -----

--
"It is seldom that liberty of any kind is lost all at once." -Hume

From owner-firewalls-outgoing Wed May 7 06:25:09 1997
From: Stan Wnuck
To: firewalls-digest@greatcircle.com
Date: Wed, 7 May 97 9:14:54 EDT
Subject: Re: who are you? / Multicast messages

OK! Sorry, I had to do this:

I woke up in a Soho doorway
A policeman knew my name
He said "You can go sleep at home tonight
If you can get up and walk away"

I staggered back to the underground
And the breeze blew back my hair
I remember throwin' punches around
And preachin' from my chair

chorus:
Well, who are you? (Who are you? Who, who, who, who?)
I really wanna know (Who are you? Who, who, who, who?)
Tell me, who are you? (Who are you? Who, who, who, who?)
'Cause I really wanna know (Who are you? Who, who, who, who?)

Pete Townshend (The Who)

OK! So that I don't waste precious bandwidth, I do have a legitimate question. I was doing a snoop on my network interfaces of my fire-wall and found these mysterious multicast packets going thru my private side. I was wondering what they are. They produce a lot of traffic. Thanks.

    ? -> (multicast)  ETHER Type=9900 (Unknown), size = 52 bytes
    ? -> (multicast)  ETHER Type=9900 (Unknown), size = 52 bytes
    ? -> *            ETHER Type=7465 (Unknown), size = 64 bytes
    ? -> (multicast)  ETHER Type=9900 (Unknown), size = 52 bytes
    ? -> (multicast)  ETHER Type=9900 (Unknown), size = 52 bytes
    ? -> (multicast)  ETHER Type=9900 (Unknown), size = 52 bytes
    ? -> *            ETHER Type=7465 (Unknown), size = 64 bytes

Stan Wnuck                              swnuck@unixpros.com
Unixpros, Inc.
10 Industrial Way East                  (908) 389-3295 x542
Eatontown, NJ 07724                     (908) 389-5461 Fax
PM-CHS Technology Insertion Office
Ft. Monmouth Army Base, NJ              (908) 427-2033 / 427-6963

>
>
> Should we filter him, or assimilate him?
>
> -Rabid Borgbat
>
> On 1 May 1997, Pon, Edwin wrote:
>
> > I'm an email administrator at my company and am trying to track down some
> > undeliverable message problems. firewalls-digest@greatcircle.com seems to
> > be related to some email that is not being delivered to Larry Sherman. Larry
> > Sherman left our company over a year ago and apparently left a few loose
> > ends that need cleaning up. If you are a real person, or an extremely
> > intelligent machine, what is this firewall-digest thing? Thank you for your
> > help.
> >
>

From owner-firewalls-outgoing Wed May 7 06:57:34 1997
From: Ernie Beabes
To: "'Robert J. Strickler'", "'firewalls@GreatCircle.COM'"
Date: Wed, 7 May 1997 07:24:10 -0600
Subject: RE: private networks & IP tunneling

>-----Original Message-----
>From: Robert J. Strickler [SMTP:bstrickler@thrunet.net]
>Sent: Tuesday, May 06, 1997 4:53 PM
>To: firewalls@GreatCircle.COM
>Subject: private networks & IP tunneling
>
>Is our understanding of IP tunneling correct? We should be able to
>encapsulate traffic bound for hosts on private networks at each side
>(whose endpoints have routable IP's) of a VPN (virtual private network) tunnel
>and send them through the internet without their addresses being blocked
>by intervening routers.
>[Ernie Beabes] Yes
>
>Will M$ PPTP and/
>[Ernie Beabes] Can anyone be sure as to M$, today maybe but tomorrow
>does bring questions to my mind.
>
>or Altavista VPN software perform this service?
>[Ernie Beabes] AltaVista is a definite, Yes!
>
> 10.1.2.3--206.xxx.1.xxx-- Internet --206.xxx.2.xxx--10.4.5.6
>[Ernie Beabes] So far so good.
>
>TIA, bob

From owner-firewalls-outgoing Wed May 7 07:55:32 1997
From: chrisp@tidalwave.net (Chris Pressley)
To: firewalls-digest@GreatCircle.COM
Date: Wed, 07 May 1997 09:22:31 -0400
Subject: box sizing for firewalls

This may have been addressed many times before, but I'm looking for a discussion on box sizing for firewalls. What is most important for firewalls, i.e. I/O, RAM, CPU, etc., and how does this vary based on the type of firewall in place, i.e. proxy, SOCKS, stateful inspection, UNIX, NT, etc.? How do all of these considerations then relate to network bandwidth, both local and wide? For example, is there reason for 100 MB ethernet on a firewall?
Thanks,
Chris

From owner-firewalls-outgoing Wed May 7 08:09:59 1997
From: Craig Donahue
To: shishpop@ftp.com
Cc: firewalls@greatcircle.com
Date: Wed, 7 May 1997 10:40:13 -0400 (EDT)
Subject: load balancing question on Cisco

The answer I would use would be to apply an ACL on one of the outgoing FR interfaces to prevent tcp traffic from your client to exit via that interface. We don't use load balancing so I can not guarantee it will work. Good luck.

An example:

    ! "host" matches the single client address; an extended access-list
    ! needs either "host" or a wildcard mask after the source
    access-list 170 deny tcp host your_client_address any
    ! an access-list ends with an implicit deny, so without this line ALL
    ! other traffic out of s0.1 would be dropped, not just the client's tcp
    access-list 170 permit ip any any
    interface s0.1
    ip access-group 170 out

(replace any with endpoint ip# if you know it)

s0.1 = frame interface that you do not want the traffic to go out on. Replace s0.1 with the correct interface.

This should stop the out of sequence errors (tcp) but it still allows udp and icmp to travel at will across both legs.
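Going back to the IP tunneling question earlier in this digest (Robert J. Strickler's 10.1.2.3 -- 206.xxx.1.xxx -- Internet -- 206.xxx.2.xxx -- 10.4.5.6 diagram and the replies to it): the following is an added Python example, not code from any poster or from PPTP or the AltaVista product. It builds the inner packet with the private 10.x addresses from the diagram, wraps it in an outer IPv4 header using the simplest encapsulation, IP-in-IP (RFC 2003, protocol 4; PPTP uses GRE instead), and then models an intervening Internet router that parses only the outer header and refuses to forward RFC 1918 addresses. The public endpoints 203.0.113.1 and 198.51.100.1 are constructed stand-ins for the 206.xxx addresses in the thread, and the router model and the absence of options and fragmentation handling are simplifications.

```python
"""IP-in-IP tunnelling: why the private addresses survive transit.

Added example, not from the thread. Inner packet: 10.1.2.3 -> 10.4.5.6 (the
diagram). Outer packet: constructed TEST-NET endpoints standing in for the
206.xxx addresses. Intervening routers only ever parse the outer header.
"""
import ipaddress
import socket
import struct

IPPROTO_IPIP = 4  # RFC 2003 "IP in IP" protocol number carried in the outer header

# Blocks the modelled ISP router refuses to forward: RFC 1918 only, so the
# TEST-NET endpoints used for the tunnel are deliberately not in this list.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def ip_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum; yields 0 when run over a header with a valid checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, payload: bytes, ttl: int = 64) -> bytes:
    """Minimal 20-byte IPv4 header (no options, no fragmentation) followed by payload."""
    header = struct.pack("!BBHHHBBH4s4s",
                         0x45, 0, 20 + len(payload), 0, 0, ttl, proto, 0,
                         socket.inet_aton(src), socket.inet_aton(dst))
    csum = struct.pack("!H", ip_checksum(header))
    return header[:10] + csum + header[12:] + payload  # checksum sits at offset 10


def parse_ipv4(packet: bytes) -> dict:
    """Parse the outermost IPv4 header and verify its checksum."""
    ihl = (packet[0] & 0x0F) * 4
    f = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    if ip_checksum(packet[:ihl]) != 0:
        raise ValueError("bad IPv4 header checksum")
    return {"src": socket.inet_ntoa(f[8]), "dst": socket.inet_ntoa(f[9]),
            "proto": f[6], "payload": packet[ihl:f[2]]}


def encapsulate(inner: bytes, tunnel_src: str, tunnel_dst: str) -> bytes:
    """Near-side tunnel endpoint: the whole inner packet becomes the outer payload."""
    return build_ipv4(tunnel_src, tunnel_dst, IPPROTO_IPIP, inner)


def decapsulate(outer: bytes) -> bytes:
    """Far-side tunnel endpoint: strip the outer header and hand the inner packet on."""
    hdr = parse_ipv4(outer)
    if hdr["proto"] != IPPROTO_IPIP:
        raise ValueError("not an IP-in-IP packet")
    return hdr["payload"]


def is_rfc1918(addr: str) -> bool:
    a = ipaddress.ip_address(addr)
    return any(a in net for net in RFC1918)


def transit_router_accepts(packet: bytes) -> bool:
    """Model of an intervening Internet router: looks only at the outer header and
    refuses to forward a packet whose source or destination is a private address."""
    hdr = parse_ipv4(packet)
    return not (is_rfc1918(hdr["src"]) or is_rfc1918(hdr["dst"]))


def demo() -> dict:
    # Constructed inner packet: 10.1.2.3 sending UDP (protocol 17) to 10.4.5.6
    inner = build_ipv4("10.1.2.3", "10.4.5.6", 17, b"payload from the private side")
    outer = encapsulate(inner, "203.0.113.1", "198.51.100.1")
    seen = parse_ipv4(outer)
    return {
        "raw_forwarded": transit_router_accepts(inner),      # False: private addresses exposed
        "tunnel_forwarded": transit_router_accepts(outer),   # True: only the endpoints are visible
        "router_sees": (seen["src"], seen["dst"], seen["proto"]),
        "inner_intact": decapsulate(outer) == inner,
        "inner_dst": parse_ipv4(decapsulate(outer))["dst"],
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The two calls to transit_router_accepts() are the whole point of the thread: the same inner packet is dropped when sent bare and forwarded when encapsulated, because the only addresses a transit router examines are the tunnel endpoints. The example carries the inner packet in clear; a VPN product adds encryption and authentication of that inner packet between the two endpoints, which this block does not attempt.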
Craig

From owner-firewalls-outgoing Wed May 7 08:25:13 1997
From: Robert Augustine
To: "'Mr. Leon OBrien'"
Cc: "'firewalls@greatcircle.com'"
Date: Wed, 7 May 1997 11:08:44 -0400
Subject: RE: Packet Capturing

Leon,

You should probably have your Internet Service Provider look into some kind of packet filtering on their end. Or writing a program to look for packets with the SYN bits turned on, out-of-the-ordinary ICMP traffic, or even checking to see if there is too much traffic coming from a certain host wouldn't be a task at all for anyone who has some decent network programming experience. It does however depend on the operating systems you run how easy it would be. If you have any *nix boxes, there is freely available code and plenty of references on different forms of denial of service attacks. Detection might be easy however, but stopping the attacks might be some sort of another problem. Investing in a good quality firewall might not be stupid considering it would do a lot of the dirty work for you.

Regards,
Robert Augustine

--
Robert Augustine        Networking      dresden.
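The program Robert describes (look for packets with the SYN bit set, out-of-the-ordinary ICMP, and too much traffic from one host) as an added Python example; this is not code from Robert, Leon or anyone on the list. It reads a constructed capture summary in a one-line-per-packet format made up for this example (time, source, destination, protocol, TCP flags or ICMP type, length), not snoop's or the Xyplex router's output, and the thresholds are assumed values. The SYN check counts SYN-only packets per destination from sources that never follow up with an ACK, so it catches both a single noisy source and a flood from rotating or spoofed addresses.

```python
"""Three checks for a flooded link: half-open SYNs per destination,
out-of-the-ordinary ICMP, and top talkers by bytes.

Added example, not from the thread. Input format (constructed for this
example): "time src dst proto info length" per line, where info is the TCP
flag letters (S, SA, A, ...), the ICMP type number, or "-" for UDP.
"""
from collections import Counter
from typing import NamedTuple


class Pkt(NamedTuple):
    t: float
    src: str
    dst: str
    proto: str
    info: str    # TCP flag letters, ICMP type number, or "-"
    length: int  # bytes on the wire


def parse(text: str) -> list:
    """Parse the summary format into Pkt records."""
    pkts = []
    for line in text.strip().splitlines():
        t, src, dst, proto, info, length = line.split()
        pkts.append(Pkt(float(t), src, dst, proto, info, int(length)))
    return pkts


# ICMP types expected on a healthy link: echo reply, unreachable, echo request,
# time exceeded. Anything else (redirects, timestamps, ...) is reported, as is
# any ICMP packet larger than icmp_max_len.
NORMAL_ICMP = {"0", "3", "8", "11"}


def analyze(pkts, syn_threshold=20, icmp_max_len=1024, bytes_threshold=40_000) -> dict:
    """Return the three kinds of findings. Thresholds are assumed values; tune them
    to the link (a 64 kbit/s ISDN B channel tolerates far less than a LAN)."""
    # Pass 1: (src, dst) pairs that ever sent an ACK, i.e. got past the first SYN.
    acked = {(p.src, p.dst) for p in pkts if p.proto == "tcp" and "A" in p.info}
    half_open = Counter()    # SYN-only packets per destination, from sources that never ACKed
    bytes_by_src = Counter()
    icmp_odd = []
    for p in pkts:
        bytes_by_src[p.src] += p.length
        if p.proto == "tcp":
            syn_only = "S" in p.info and "A" not in p.info
            if syn_only and (p.src, p.dst) not in acked:
                half_open[p.dst] += 1
        elif p.proto == "icmp":
            if p.info not in NORMAL_ICMP or p.length > icmp_max_len:
                icmp_odd.append((p.src, p.info, p.length))
    return {
        "syn_flood": {dst: n for dst, n in half_open.items() if n >= syn_threshold},
        "icmp": icmp_odd,
        "top_talkers": {src: b for src, b in bytes_by_src.items() if b >= bytes_threshold},
    }


# Constructed capture (documentation address ranges): a SYN flood from rotating
# sources, one legitimate handshake, a normal ping, an ICMP redirect, an
# oversize echo request, and one host sending full-size UDP datagrams.
CAPTURE = "\n".join(
    [f"{i / 1000:.3f} 203.0.113.{i % 8 + 1} 198.51.100.5 tcp S 60" for i in range(40)]
    + ["0.050 192.0.2.20 198.51.100.5 tcp S 60",
       "0.051 198.51.100.5 192.0.2.20 tcp SA 60",
       "0.052 192.0.2.20 198.51.100.5 tcp A 52",
       "0.060 192.0.2.20 198.51.100.5 icmp 8 84",
       "0.061 198.51.100.5 192.0.2.20 icmp 0 84",
       "0.070 192.0.2.77 198.51.100.5 icmp 5 64",
       "0.071 192.0.2.77 198.51.100.5 icmp 8 1500"]
    + [f"{0.100 + i / 1000:.3f} 192.0.2.30 198.51.100.9 udp - 1500" for i in range(30)]
)


if __name__ == "__main__":
    for kind, value in analyze(parse(CAPTURE)).items():
        print(f"{kind}: {value}")
```

On the constructed capture the legitimate client's SYN is not counted because the same source later sends an ACK, while the 40 SYNs from the rotating 203.0.113.x sources all count against the one destination; the redirect and the 1500-byte echo request are listed as odd ICMP; and the UDP sender crosses the byte threshold. As Robert says, detecting is the easy half; what the output buys you is something concrete to hand to the ISP for filtering upstream.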
(770)642-8569           Programming     com
http://www.dresden.com  Security

-----Original Message-----
From: Mr. Leon OBrien [SMTP:leon@networx.com.au]
Sent: Wednesday, May 07, 1997 1:43 AM
To: 'firewalls@greatcircle.com'
Subject: Packet Capturing

I hope someone could help with the following request:

I would like to capture packets coming in through my ISDN so that i can determine why our link is being flooded, however i am trying to determine how to do this easily....

I am running a XYPLEX N3000 router with a Basic ISDN.

If anyone has experience with this it would be great if you could pass on some information.

I am unsure whether the router can log the packets to a specified host, or whether it can display information about the packets on the fly (highly unlikely). The router documentation is very sparse.

For it to really work wouldn't i have to have a system between the ISDN and the router?? One with two network cards??

As you can see i don't quite know where to start :-)

Any assistance is appreciated,

Leon O'Brien
NetWorx Pty Ltd
leon@networx.com.au

From owner-firewalls-outgoing Wed May 7 08:55:35 1997
From: Bill Coutinho
To: Firewalls
Date: Wed, 7 May 1997 12:49:23 -0300 (GRNLNDST)
Subject: Socks5 hangs in Linux?

We have a Pentium 166 running Linux 2.0, with 64M RAM and 2G disk. This machine is our proxy server. It runs Squid 1.1.5 and Socks5 v1.0r1, DNS and sendmail 8.7.5.

The problem is: every other day, the socks5 daemon hangs, i.e., it stops forking children, and I have to kill and re-start it to get things working again.

With 64M RAM, the swap is hardly, if ever, used, so I think it is not a memory problem. Squid is configured to use 8M memory cache.

Any guess?

TIA!

[]s, Bill.

--
Bill Coutinho                  mailto:bill@dextra.com.br
Dextra Internet Solutions      http://www.dextra.com.br/
Campinas, SP - Brazil          voice:+55-19-251-3644

From owner-firewalls-outgoing Wed May 7 09:26:54 1997