From owner-firewalls-outgoing Thu Jul 31 23:59:53 1997
From: tom@hughes.com (Tom Nakamura)
To: firewalls@greatcircle.com
Date: Tue, 29 Jul 1997 17:43:53 -0700
Subject: http user_agent blocking

Encountered a problem with the my.yahoo.com website due to http
user_agent blocking at the firewall. Seems that my.yahoo.com checks
user_agent to qualify a browser as cookies and tables capable. If it
doesn't receive a correct "user_agent" it gives you a web page saying
my-yahoo requires cookies. If you send a correct user_agent you can
subscribe to my-yahoo. Once subscribed the site does not check
user_agent since you are then sending the proper cookies.

Have queried Yahoo for clarification but no response to date.

Seeking some comments on:

1) pros and cons of blocking transmittal of user_agent
   (user_agent provides type of browser, version and platform)
2) how widespread user_agent may be used to deny website services
3) any workarounds people may have found

Tom Nakamura
tom@hughes.com

From owner-firewalls-outgoing Fri Aug 1 00:28:57 1997
From: ormonde@trem.cnt.org.br (Rodrigo Ormonde)
To: firewalls@greatcircle.com
Date: Thu, 31 Jul 1997 17:44:25 -0200 (GRNLNDDT)
Subject: Re: FW-1 logs....is this an attack...?
In-Reply-To: <33E1236C.14B1@garanti.com.tr> from "Cihan Subasi" at Jul 31, 97 04:44:44 pm

> When someone accesses our Web server in DMZ I receive the following log
> which is logical,
>
> http 194.242.77.89 WEbServer tcp 7 1036
>
> but sometimes I receive the following log entry which looks like our web
> server is trying to http outside...
>
> 1029 Webserver 194.54.33.242 tcp 12 http
>
> What I understand is port 80 of my web server is making a request from
> 1029 of a remote host...
>
> Help please,

Well, I think the strange log entries are caused by resets sent by your
web server (most times, reset packets come without the ack flag and
might get logged as connection requests). I have faced this before in
another product.

Hope this helps.

--
Rodrigo de La Rocque Ormonde
e-mail: ormonde@cnt.org.br
PGP Public key: finger ormonde@cnt.org.br
-> Turn your PC into a workstation - Use FreeBSD ! <-

From owner-firewalls-outgoing Fri Aug 1 01:38:28 1997
From: William Cooper
To: "Joseph S. D. Yao"
cc: firewalls@GreatCircle.COM
Date: Thu, 31 Jul 1997 23:07:16 -0500 (CDT)
Subject: Re: FWTK proxys and ...
In-Reply-To: <9707311822.AA14080@relay2.cospo.osis.gov>

On Thu, 31 Jul 1997, Joseph S. D. Yao wrote:

> > someone in my company wrote 2 applications called pftp and ptelnet that
> > use the application proxy to establish a secure FTP or telnet connection
> > in one step. just type 'ptelnet domain.com' and you'll telnet thru the
> > proxy. it's been ported by others for use on unixware, solaris, linux (i
> > think) and others. if int. i can try and get the source code, or if it's
> > proprietary at least some further information. much easier than doing 2
> > steps and no one has to be given a login to the proxy.
>
> While this is a nice thing to do ... why would anyone ever have had to
> have an account on the proxy host?
> You don't need one to use tn-gw and
> ftp-gw! Get those accounts off the proxy host - they're diminishing
> your security!

Well that's a question lots of ppl are probably asking because you got a
little snip happy and cut out the following section of the orig. email i
was responding to in which someone suggested telnetting to the firewall
(thus req. an acct./login-passwd) and then telnetting from the firewall
out... shame on you.

> I haven't looked at your configuration, because you can't do either of
> these things using the TIS FWTK. In both cases, you must connect to
> the firewall bastion host (using 'telnet' or 'ftp', or your commercial
> product that uses those products), and from there connect out to the
> Internet host that you want to reach.

i wasn't advocating giving users acct.s on the firewall by any means, i'm
with you on that.

> Having said that ... can you send me pointers to the source code for
> the various ports?

man they've got binaries ported to AIX, SGI, linux, unixware, irix, vms,
and some others i didn't even recognize. besides that there's a whole
suite of them, they call it 'proxy tools.' the p in front of these
stands for proxy as the apps work transparently thru the proxy server,
there's pftp, pfinger, pwhois, ptelnet, prlogin and some others i'm
forgetting. the one readme i found said copyright Univ. of Calif. 1988
or something but the network guys swear the stuff is proprietary and was
just based on that orig. code long ago. i think there's some info on the
apps on the web and i'm trying to get my hands on the docs for anyone
who wants them but i'm really not sure what i'll be able to come up w/.
i'll keep trying for a while and let you know.

on a side note, sure they've got all these fancy proxy tools, and they
don't even have /bin/bash!

- bill
cooper@io.com
======================================================
My .sig: 7-2-97
"...
I had to choose between an honest arrogance and a hypocritical
humility, and I deliberately chose an honest arrogance, and I've never
been sorry." - Frank Lloyd Wright

From owner-firewalls-outgoing Fri Aug 1 01:54:07 1997
From:
To: firewalls@greatcircle.com
Date: Thu, 31 Jul 1997 22:45:43 -0700 (PDT)
Subject: Taxonomy of TCP Attacks

Eugene Stafford recently interviewed with the San Jose Mercury News and
mentioned that there are approx. 135 known TCP/IP exploits. Does anyone
know where Eugene got this number from and what exactly are they?

I would hate to think that Mr. Stafford is only aware of these 135!

Kelly Gibbs

From owner-firewalls-outgoing Fri Aug 1 02:09:48 1997
From: Noam Rathaus
To: "firewalls@GreatCircle.COM"
Date: Fri, 01 Aug 1997 09:15:58 +0300
Subject: Packets

Hi,

I am looking for a book or any other source that could explain
network packets in general (for example the structure of HTTP / FTP ...
packets) or more specific packets like Microsoft's Election
packet or any WindowsNET packets.
Thanks in advance.

--
Thanks
Noam Rathaus
NT / Exchange / Network Administrator.
Certified CNA - Site Builder Network 2
Israel
mailto://dolittle@israelmail.com
UIN: 486098 (http://www.mirabilis.com)
-------------------------------------------------
If you use Netscape get yourself certificated at
http://www.verisign.com (for free...) this will
enable you to encrypt outgoing email.
-------------------------------------------------

From owner-firewalls-outgoing Fri Aug 1 02:23:22 1997
From: Konstantin Agouros
To: dave@nic.com (Dave Wreski)
Cc: firewalls@GreatCircle.COM
Date: Fri, 1 Aug 1997 09:38:15 +0200 (CEST)
Subject: Re: SNMP, SunNET Manager and security
In-Reply-To: from "Dave Wreski" at "Jul 31, 97 07:32:05 pm"

> Hi all. I'm interested in using SunNET SNMP on a few of the machines in
> my DMZ. I'm wondering the security implications of using this in my DMZ,
> protected at both ends by FW-1.
>
> Services such as SMTP and DNS come in from the Internet thru our external
> firewall.
>
> I'm not really too familiar with Sun's SNMP, but I understand that SNMP
> generally is insecure, correct? Is it suicide to even think about putting
> SNMP between the firewalls, in our DMZ? If so, why?

SNMP uses the read and write community to determine if you are allowed
to read/write values from/to devices. These are transmitted in clear
text. So if someone breaks into your DMZ and gets access to one of the
machines at a level where he/she can do a tcpdump (or something
similar), they get to your communities. If you want to use set-requests
(e.g. to write a new config to your router or something like that) then
this is probably not what you want.

Konstantin

>
> Thanks,
> Dave Wreski
>

--
Dipl. Inf. Konstantin Agouros - elwood@genua.de
GeNUA mbh, Raeterstr. 26, 85551 Kirchheim, Germany
Tel.: +49 89 99195019 Fax: +49 89 99195099
----------------------------------------------------
Most people say, "If it ain't broke, don't fix it. For an engineer, if
it ain't broke it doesn't have enough features."
Scott Adams, The Dilbert Principle

From owner-firewalls-outgoing Fri Aug 1 02:28:16 1997
From: mikech@avana.net
To: firewalls@GreatCircle.COM, Travis Low
Date: Fri, 1 Aug 1997 03:40:38 -0500
Subject: Re: DOS firewall?

Travis:

Since no one else mentioned us, check out:

http://www.iproute.com

A couple of benefits with DOS firewalls. These also apply to most
real-time OS's.

-Don't forget that DOS is still used by Microsoft Windows 95, they just
 disguise it.

-If improperly configured, many firewalls based on other operating
 systems such as UNIX or Microsoft NT can be subverted and used as a
 platform to attack its own trusted network (thus the whole discussion
 on B2 level security). Since these operating systems contain IP stacks
 independent of the Firewall software, even if the Firewall fails, the
 IP packets could still get through.

-IPRoute/Secure utilizes the DOS operating system to help ensure that if
 the Firewall software should fail that the firewall system cannot be
 used to breach the trusted network. IPRoute/Secure is a true,
 transparent firewall system. This means that there is not an
 independent IP stack on the system and if the firewall software should
 fail, there is absolutely no way to get through the network interfaces
 on the DOS system to the trusted network via any protocol. This
 provides the most secure of firewall environments: a security kernel
 approach where the firewall software controls all access to or from the
 system to the exclusion of all other types of activities (e.g.
 routing). In this manner, DOS actually complements the security of the
 product environment.

-Because of low system overhead we have one of the fastest VPN IPSec
 implementations around.

-It is pretty crash-proof. We just use DOS for booting and the File I/O.
 Customers have stuck these Firewalls in a closet for a year without
 rebooting it.

-You can run it on just about any legacy system. A 386 with 1 Meg of RAM
 will easily handle a 128K ISDN connection for about 20 workstations.

-We can boot and run off of a single floppy.

-It scales well. Throw a fast Pentium at it with some RAM and you can
 have multiple 100 megabit interfaces all running at full speed (limited
 by the Bus of course). We use our own DOS extender and multitask code.

-Support for a large number of packet drivers (300 at last count
 including Ethernet, Token Ring, FDDI, V.35, Frame Relay and ISDN).

-It is cheap.

-Hey, DOS is available just about anywhere in the world, especially
 Eastern Europe.

-Like in real estate, no OS overhead, no OS overhead, no OS overhead ;-)

Just our philosophy. We don't claim to be the end-all, be-all of
Firewalls. If you want a lot of fine grained control over logs, access,
protocols, proxies, etc. then you will probably go with UNIX or NT. We
also don't write the packet drivers. You are at the mercy of your NIC
vendor for those.

BTW, If you haven't figured it out ;-) I do work for 'em.

Mike

--
03:40:39 08/01/97
_______________________________________________________________________
Michael W. Chalkley           Tel: +1.770.772.4567
ZapNet! Inc.                  Fax: +1.770.475.7640
Suite 400-120                 E-mail: mikech@iproute.com
10945 State Bridge Road               mikech@avana.net
Alpharetta, GA 30202          http://www.iproute.com

From owner-firewalls-outgoing Fri Aug 1 02:51:43 1997
From: "Marcus J. Ranum"
Organization: Network Flight Recorder, Inc.
To: Firewalls@GreatCircle.COM
Date: Tue, 29 Jul 1997 08:01:11 +0000
Subject: Re: Firewalls FAQ
Reply-to: mjr@clark.net
In-reply-to: <199707290800.BAA16833@honor.greatcircle.com>

> Does anyone know where the latest Marcus J. Ranum Firewalls FAQ has gone?

- The firewall FAQ and a bunch of related stuff all live in my
publications area on http://www.clark.net/pub/mjr/pubs

They're not likely to move from there for the next few years; if you've
linked to any other copies, please use the URL above. It's not
associated with any of my past, present, or future corporate masters and
there aren't any incompetent website admins (other than me!) who are
going to come along and screw them up.

mjr.
-----
Marcus J. Ranum, CEO, Network Flight Recorder, Inc.
Personal Work New Book!!

From owner-firewalls-outgoing Fri Aug 1 03:32:19 1997
From:
To: firewalls@greatcircle.com
Date: Thu, 31 Jul 1997 23:05:24 -0700 (PDT)
Subject: A few more security related URLS's

Firewall Security Table
http://www.data.com/cgi-bin/dynamic/lab_tests/firewalls97_extras2.txt

Firewall Review - Lab Test
http://www.data.com/lab_tests/firewalls97_participant.html

Computer Security Links
http://www.ers.ibm.com/security-links/seclinks-lst.html

A Taxonomy of Internet Attacks
http://www.v-one.com/pubs/attacks/index.html

Hostile Applets Source Code
http://www.math.gatech.edu/~mladue/SourceCode.html

Hackers Catalog
http://www.hackerscatalog.com/

Burnt Toad/AK Enterprises
http://www.darkening.com/

CyberJihad
http://www.eden.com/~tfast/jihad.html

Known NT Exploits
http://www.emf.net/~ddonahue/NThacks/ntexploits.htm

Anonymous E-Mailer - Java based
http://www.ozemail.com.au/~geoffk/anon/anon.html

UNIX Exploits
http://www.enslaver.com/exploit/

2600 | Who have they hacked now - Museum of hacked web pages
http://www.2600.com/hacked_pages/

HACK NT
http://www.ilinks.net/~486578/hack_NT/hacknt.html

Stack Smashing Security Vulnerabilities
http://millcomm.com/~nate/machines/security/stack-smashing/

Matt's UNIX Security Page
http://www.deter.com/unix/index.html

From owner-firewalls-outgoing Fri Aug 1 03:53:51 1997
From: Brian Mitchell
To: Noam Rathaus
cc: "firewalls@GreatCircle.COM"
Date: Fri, 1 Aug 1997 06:08:16 -0400 (EDT)
Subject: Re: Packets
In-Reply-To: <33E17F1E.DCEEA006@israelmail.com>

On Fri, 1 Aug 1997, Noam Rathaus wrote:

> Hi,
>
> I am looking for a book or any other source that could explain
> network packets in general (for example the structure of HTTP / FTP ...
> packets) or more specific packets like Microsoft's Election
> packet or any WindowsNET packets.
> Thanks in advance.

tcp/ip illustrated volume 1, tcp/ip illustrated volume 2. For http, try
rfc1945 (1.0) and rfc2068 (1.1). For ftp try rfc959.
Windows stuff is prob more difficult to find information on, as
microsoft is not known for open standards

From owner-firewalls-outgoing Fri Aug 1 04:26:22 1997
From: James Terry
To: "'firewalls@greatcircle.com'"
Date: Thu, 31 Jul 1997 12:03:41 -0700
Subject: "Destination Static Address Translattion" under Linux using ipfwadm?...

...borrowing a term from the Checkpoint camp.

is this possible? how? what does the syntax look like? Where are the
docs?

thanks, james@imxexchange.com.

From owner-firewalls-outgoing Fri Aug 1 04:38:07 1997
From: spencerj@dg-rtp.dg.com (Jon Spencer)
To: firewalls@greatcircle.com
Date: Thu, 31 Jul 1997 14:33:26 -0400 (EDT)
Subject: B2 Web Server used at UCSD

For those interested in the use of high assurance firewalls and web
servers (B2+), I offer the following information. For further info, see
http://medicine.ucsd.edu/pcasso/index.htm and look at the faq, the
overview slides (in Powerpoint) and the paper on the system (called
PCASSO) presented at the 1997 Annual Computer Security Applications
Conference (requires Adobe Acrobat). [I guess if someone wants these
items but can't access them, send me email and I'll forward postscript
versions of them.]

The UCSD Patient-Centered Access to Secure Systems Online (PCASSO)
project was sponsored by the National Library of Medicine (part of NIH).
The focus of the project was to "test technical and organizational
approaches to safeguarding the confidentiality and accuracy of
personally identifiable electronic health data."

The requirements for this are pretty much the same as for most internet
applications: integrity, confidentiality, non-repudiation and verified
authentication.
They felt that electronic commerce solutions did not address the
following concerns:

  o Role-based access control
  o Sensitivity levels
  o Patient empowerment
  o "Do no harm" extended to the client environment
  o High assurance

The deployment environment consists of:

  o 267 primary care physicians plus 1300 specials
  o Country-wide system of 5 hospitals and 45 affiliated community sites
  o 19,000 annual inpatient admissions
  o 590,000 annual outpatient visits
  o multiple legacy systems

This is a reasonable configuration for a commercial firewall/web server.
You can read more in the paper and overview slides referenced above.
Note that the firewall, web server and database server all exist on the
same single platform - B2 DG/UX. (The firewall infrastructure is a part
of the B2 OS - the filters and such are plugged in as appropriate).

--
Jon F. Spencer                     spencerj@rtp.dg.com
Data General Corp.                 Phone : (919)248-6246
62 Alexander Drive, MS #119        FAX   : (919)248-6108
Research Triangle Park, NC 27709   Office RTP 121/9

There is no such thing as a small interference with property.
    Andrew J. Galambos
No success can compensate for failure in the home.
    President David O.
    McKay
***** UCC 1-207 ********

From owner-firewalls-outgoing Fri Aug 1 05:08:26 1997
From: CYGAN Christophe
To: "'firewalls@greatcircle.com'"
Date: Fri, 1 Aug 1997 14:02:07 +0200
Subject: about architectural design

Hello,

I am asking myself where to put our primary DNS server and proxy HTTP :

DNS in DMZ or in a FW-1 machine itself ?
Proxy in a dedicated PC or in a FW-1 machine
if dedicated PC, in serial or parallel in regard of FW-1?

Please tell me about your experiences or ideas on it.

Thanks in advance,

here is the scheme depicted

Internet: ----- Router ----- FW-1 ----- Proxy HTTP ----- Internal LAN
                              |      (for caching only)
                              |
                              |
                             DMZ

~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Christophe Cygan
Olsy France
92047 Paris La Défense Cedex
Tél. [+33] (0)1 49067106
Fax.
     [+33] (0)1 49068664
e-mail : c.cygan@olivetti.fr
~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From owner-firewalls-outgoing Fri Aug 1 06:08:19 1997
From: "Piotr Kolodziej"
To:
Date: Fri, 1 Aug 1997 15:07:08 +0200
Subject: Access-lists and routing performance

Hello,

I want to verify an opinion that number of clauses in access - list can
dramatically affect performance of filtering (screening) router.
Especially it was told about Cisco routers by someone who pretends to be
an authority.

But before I have sent this question, I tried to verify it. And it
seems, that this is not true...

1. I transfer great file between two 10Mb/s Ethernet subnets connected
   by Cisco router, using via ftp. I tested cases where at the "input"
   interface there was no inbound access-list and access-lists with 4,
   10 and 20 clauses that should've been processed before proper clause
   appeared and packet could have been passed. Result ??? In all cases
   transfer rate was about 770 kB/s - just about the saturation of
   Ethernet 10Mb/s link !

2. Access-list can be fine optimized, so clauses that are often applied
   may appear nearly at the beginning of the list, for example:
   "access-list XXX permit tcp .....
established", with no security holes. That's why I think that such opinion is not true. But, maybe, there are some other experiences ??? Thanks Piotr +----------------------------+ | Piotr Kolodziej | | e-mail: pkol@otago.gda.pl | +-------------------------------------------------+ | ZUI Otago sp. z o.o. | tel/fax: | | ul. Marynarki Polskiej 148 | (+48 58) 43 06 22 | | 80-865 GDANSK, POLAND | (+48 58) 43 05 19 | +-------------------------------------------------+ From owner-firewalls-outgoing Fri Aug 1 06:20:41 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id OAA04734 for firewalls-outgoing; Thu, 31 Jul 1997 14:07:57 -0700 (PDT) Received: (mcb@localhost) by honor.greatcircle.com (8.8.5/Honor-970427-1) id OAA04709 for firewalls@greatcircle.com; Thu, 31 Jul 1997 14:07:49 -0700 (PDT) Received: from miles.greatcircle.com (miles.greatcircle.com [198.102.244.34]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id IAA20488 for ; Tue, 29 Jul 1997 08:42:07 -0700 (PDT) Received: from ns1.cq.com (ns1.cq.com [198.67.16.10]) by miles.greatcircle.com (8.8.5/Miles-970308-2) with ESMTP id IAA19395 for ; Tue, 29 Jul 1997 08:46:32 -0700 (PDT) Received: by ns1.cq.com; id LAA05614; Tue, 29 Jul 1997 11:44:20 -0400 (EDT) Received: from hub.cq.com(198.67.5.98) by ns1.cq.com via smap (3.2) id xma005606; Tue, 29 Jul 97 11:44:09 -0400 Received: from pop.cq.com (pop.cq.com [198.67.5.169]) by hub.cq.com (8.8.2/8.6.12) with ESMTP id LAA06822; Tue, 29 Jul 1997 11:47:48 -0400 (EDT) Received: from hkarim ([206.105.221.244]) by pop.cq.com (8.8.5/8.6.12) with SMTP id LAA28225; Tue, 29 Jul 1997 11:43:04 -0400 (EDT) Message-Id: <3.0.32.19970729114122.0091a5e0@pop.cq.com> X-Sender: hassan@pop.cq.com X-Mailer: Windows Eudora Pro Version 3.0 (32) Date: Tue, 29 Jul 1997 11:41:23 +0100 To: "Jay K. 
Bahel" , "Firewall list" From: Hassan Karim Subject: Re: CheckPoint FireWall-1 Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Jay...

There is a mailing list just for checkpoint customers... it is called fw-1-mailinglist@us.checkpoint.com

subscribe by sending mail to majordomo@us.checkpoint.com with the body of your message saying SUBSCRIBE fw-1-mailinglist

Good Luck... The members on the list probably have already gone through this before and can offer probable solutions. Hope this helps.

Peace, Hassan

At 10:14 PM 7/28/97 -0500, Jay K. Bahel wrote:
>I just did an install of CheckPoint FireWall-1 v3.0a on a Compaq ProSignia
>300 w/96MB of memory. I note really sluggish administrative utilities,

From owner-firewalls-outgoing Fri Aug 1 06:23:54 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id GAA15673 for firewalls-outgoing; Fri, 1 Aug 1997 06:18:28 -0700 (PDT) Received: from portal.east.saic.com (Portal.East.saic.com [198.151.13.15]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id GAA15608 for ; Fri, 1 Aug 1997 06:18:12 -0700 (PDT) Received: from blazer.cist.saic.com by portal.east.saic.com via smtpd (for honor.greatcircle.com [198.102.244.44]) with SMTP; 1 Aug 1997 13:19:46 UT Received: from beetle (unverified [149.8.156.13]) by blazer.cist.saic.com (EMWAC SMTPRS 0.83) with SMTP id ; Fri, 01 Aug 1997 08:52:55 -0400 Message-Id: <3.0.32.19970801085348.0094de00@blazer.cist.saic.com> X-Sender: rkoch@blazer.cist.saic.com X-Mailer: Windows Eudora Pro Version 3.0 (32) Date: Fri, 01 Aug 1997 08:53:49 -0400 To: spencerj@dg-rtp.dg.com (Jon Spencer) From: Ronald Koch Subject: Re: summary: firewalls and B2 Cc: firewalls@GreatCircle.COM Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

>>
>> Depending on how close the revisions of a vendor's product are, they may
>> have to go through
a complete evaluation, or they may be blessed with
>> getting into the RAMP program. NSA was also talking of coming out with a
>> watered-down evaluation (so Microsoft could get a quick evaluation)
>> called TTAP, or something similar. I haven't heard much about it in the
>> last year, so maybe someone else could clarify its status.
>
>This is not a correct description of TTAP. The primary purpose of TTAP as
>I understand it was to keep companies from submitting for evaluation,
>entering VAP (vendor assistance phase) which the vendor can stay in for
>decades, say you are in evaluation, and then do nothing. In TTAP, you are
>in evaluation when you enter FEP - Formal Evaluation Phase. At this point,
>NSA has ensured that most of the work has been completed, all the formal
>docs are done, and the system is essentially complete. THEN the NSA
>critters do their thing to it.
>
....

Both descriptions of TTAP are incorrect. The objective of the TTAP program was for NSA to certify commercial evaluation labs who would then be authorized to perform Orange Book product evaluations under direct contract to a vendor. Once the evaluation was completed, assuming the evaluation team's recommendations were accepted by NSA's Technical Review Board and management, the product would then be placed on the same evaluated products list as if NSA had performed the evaluation themselves.

The thinking was that if there was a contractual arrangement between vendor and evaluator the evaluation would be quicker because:
- the vendor would make sure they were really ready because they would be paying for the evaluation
- the commercial evaluation facility would have dedicated resources to apply to the evaluation
- both sides would be bound by contract to try to meet the agreed upon schedules.

There was one TTAP experiment that ended about a year ago without completing a product evaluation. (It was intended to validate the process, not necessarily complete the evaluation.)
As far as I know, the TTAP program is still alive and a number of commercial companies have expressed interest in becoming a TTAP lab, but no one is actually performing a commercial evaluation right now. I think NSA is waiting for the ability to perform lower assurance Common Criteria based evaluations to jump start the program again. ----------------------- Ron Koch Science Applications International Corporation (SAIC) Center for Information Security Technology From owner-firewalls-outgoing Fri Aug 1 07:53:25 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id HAA26831 for firewalls-outgoing; Fri, 1 Aug 1997 07:39:24 -0700 (PDT) Received: from proxy4.ba.best.com (proxy4.ba.best.com [206.184.139.15]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id HAA26823 for ; Fri, 1 Aug 1997 07:39:17 -0700 (PDT) Received: from kgibbs.vip.best.com (kgibbs.vip.best.com [206.86.92.105]) by proxy4.ba.best.com (8.8.5/8.8.3) with SMTP id HAA19841 for ; Fri, 1 Aug 1997 07:40:00 -0700 (PDT) Received: by kgibbs.vip.best.com with Microsoft Mail id <01BC9E4D.424638E0@kgibbs.vip.best.com>; Fri, 1 Aug 1997 07:33:52 -0700 Message-ID: <01BC9E4D.424638E0@kgibbs.vip.best.com> From: "Kelly E. 
Gibbs" To: "'firewalls@greatcircle.com'" Subject: A few security URL's Date: Fri, 1 Aug 1997 07:33:49 -0700 MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Firewall Security Table http://www.data.com/cgi-bin/dynamic/lab_tests/firewalls97_extras2.txt
Firewall Review - Lab Test http://www.data.com/lab_tests/firewalls97_participant.html
Computer Security Links http://www.ers.ibm.com/security-links/seclinks-lst.html
A Taxonomy of Internet Attacks http://www.v-one.com/pubs/attacks/index.html
Hostile Applets Source Code http://www.math.gatech.edu/~mladue/SourceCode.html
Hackers Catalog http://www.hackerscatalog.com/
Burnt Toad/AK Enterprises http://www.darkening.com/
CyberJihad http://www.eden.com/~tfast/jihad.html
Known NT Exploits http://www.emf.net/~ddonahue/NThacks/ntexploits.htm
Anonymous E-Mailer - Java based http://www.ozemail.com.au/~geoffk/anon/anon.html
UNIX Exploits http://www.enslaver.com/exploit/
2600 | Who have they hacked now - Museum of hacked web pages http://www.2600.com/hacked_pages/
HACK NT http://www.ilinks.net/~486578/hack_NT/hacknt.html
Stack Smashing Security Vulnerabilities http://millcomm.com/~nate/machines/security/stack-smashing/
Matt's UNIX Security Page http://www.deter.com/unix/index.html

From owner-firewalls-outgoing Fri Aug 1 08:09:23 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id HAA26808 for firewalls-outgoing; Fri, 1 Aug 1997 07:39:07 -0700 (PDT) Received: from imssc2.sc.intel.com (imssc2.sc.intel.com [143.183.152.8]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id HAA26771 for ; Fri, 1 Aug 1997 07:38:58 -0700 (PDT) Received: from orpheus.sc.intel.com by imssc2.sc.intel.com (8.8.6/10.0i); Fri, 1 Aug 1997 14:40:36 GMT Received: by orpheus.sc.intel.com (8.8.6/10.0i); Fri, 1 Aug 1997 14:45:02 GMT From: sedayao@orpheus.sc.intel.com (Jeff Sedayao) Message-Id: 
<199708011445.OAA01308@orpheus.sc.intel.com> Subject: Re: Access-lists and routing performance To: pkol@otago.gda.pl (Piotr Kolodziej) Date: Fri, 1 Aug 1997 07:45:02 -0700 (PDT) Cc: firewalls@GreatCircle.COM In-Reply-To: <199708011359.PAA09857@power.otago.gda.pl> from "Piotr Kolodziej" at Aug 1, 97 03:07:08 pm X-Mailer: ELM [version 2.4 PL25] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

I suggest that you try access lists of thousands of lines where you need to traverse most of the list to get packets through. 20 seems like it is much too small, and if you keep matching the lines at the top, it isn't a fair test of the opinion.

Jeff

> Hello,
>
> I want to verify an opinion that number of
> clauses in access - list can dramatically affect
> performance of filtering (screening) router.
> Especially it was told about Cisco routers
> by someone who pretends to be an authority.
>
> But before I have sent this question, I tried to verify
> it. And it seems, that this is not true...
>
> 1. I transfer great file between two 10Mb/s Ethernet subnets
> connected by Cisco router, using via ftp.
> I tested cases where at the "input" interface there was
> no inbound access-list and access-lists with 4, 10 and 20
> clauses that should've been processed before proper clause
> appeared and packet could have been passed.
>
> Result ???
> In all cases transfer rate was about 770 kB/s
> - just about the saturation of Ethernet 10Mb/s link !
>
> 2. Access-list can be fine optimized, so clauses that
> are often applied may appear nearly at the beginning
> of the list, for example:
> "access-list XXX permit tcp ..... established",
> with no security holes.
>
>
> That's why I think that such opinion is not true.
> But, maybe, there are some other experiences ???
> > Thanks > > Piotr > > +----------------------------+ > | Piotr Kolodziej | > | e-mail: pkol@otago.gda.pl | > +-------------------------------------------------+ > | ZUI Otago sp. z o.o. | tel/fax: | > | ul. Marynarki Polskiej 148 | (+48 58) 43 06 22 | > | 80-865 GDANSK, POLAND | (+48 58) 43 05 19 | > +-------------------------------------------------+ > > -- Jeff Sedayao Intel Corporation sedayao@orpheus.sc.intel.com From owner-firewalls-outgoing Fri Aug 1 08:26:47 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id IAA29133 for firewalls-outgoing; Fri, 1 Aug 1997 08:11:15 -0700 (PDT) Received: from relay6.UU.NET (relay6.UU.NET [192.48.96.16]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id IAA29125 for ; Fri, 1 Aug 1997 08:11:09 -0700 (PDT) Received: from alterdial.UU.NET by relay6.UU.NET with ESMTP (peer crosschecked as: alterdial.UU.NET [192.48.96.22]) id QQdasq09516; Fri, 1 Aug 1997 11:13:29 -0400 (EDT) Received: from Travis.MindQ by alterdial.UU.NET with SMTP (peer crosschecked as: [207.78.128.14]) id QQdasq04761; Fri, 1 Aug 1997 11:12:54 -0400 (EDT) Message-Id: <3.0.32.19970801101445.00aa8514@alterdial.uu.net> X-Sender: mail22402@alterdial.uu.net X-Mailer: Windows Eudora Pro Version 3.0 (32) Date: Fri, 01 Aug 1997 10:14:46 -0400 To: Firewalls@GreatCircle.COM From: Travis Low Subject: Re: Message replies Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: firewalls-owner@GreatCircle.COM Precedence: bulk At 09:57 AM 7/31/97 +0200, Craig Faasen wrote: > >Perhaps it would be worth defining a policy regarding questions and replies. > >>...A person who sends a >> question in to this list is expected to collect, summarize, and post the >> answers to that question...The Subject line of the message >> containing the summary should start with the word "SUMMARY"...It would also >> be nice if the original poster kept a copy of this summary in case the >> question comes up again in a few months. 
>>
>> Similarly, ALL ANSWERS to a question should be sent ONLY TO THE ORIGINAL
>> POSTER...

Sold. Great idea. Thanks.

Travis

From owner-firewalls-outgoing Fri Aug 1 08:56:03 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id IAA01098 for firewalls-outgoing; Fri, 1 Aug 1997 08:38:49 -0700 (PDT) Received: from power.otago.gda.pl (power.otago.gda.pl [195.116.21.33]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id IAA01079 for ; Fri, 1 Aug 1997 08:38:31 -0700 (PDT) Received: from birdy (birdy.otago.gda.pl [195.116.21.34]) by power.otago.gda.pl (8.8.4/8.8.4) with ESMTP id SAA05337 for ; Fri, 1 Aug 1997 18:35:05 +0200 Message-Id: <199708011635.SAA05337@power.otago.gda.pl> From: "Piotr Kolodziej" To: Subject: Re: Access-lists and routing performance Date: Fri, 1 Aug 1997 17:42:37 +0200 X-MSMail-Priority: Normal X-Priority: 3 X-Mailer: Microsoft Internet Mail 4.70.1155 MIME-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: quoted-printable Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

> I suggest that you try access lists of thousands of
> lines where you need to traverse most of the list to get packets
> through. 20 seems like it is much too small, and if you keep matching
> the lines at the top, it isn't a fair test of the opinion.
> ...
> Jeff Sedayao
> Intel Corporation
> sedayao@orpheus.sc.intel.com

Sure. I do not suppose, that there's no sufficient number of lines in access list that slows down the router. But, I suppose, in most cases there's a possibility to place the most heavily used clauses at the beginning of list without making a security hole. Of course, someone may not trust some features, such as "established" key-word in tcp clauses. (I'm not quite sure, but few years ago there was a problem with that. Are there some problems now ?). But if someone trusts it, then the greatest amount of traffic is matched by that clause.
So even if there's a need to apply list of thousands of lines, it should not dramatically slow down.

Finally, there is a question: Is there a real need to apply such kind of lists, that in case of every packet thousands of lines must be traversed and it can't be optimized ??? Maybe, there's but I simply do not know it.

Piotr

+----------------------------+
| Piotr Kolodziej |
| e-mail: pkol@otago.gda.pl |
+-------------------------------------------------+
| ZUI Otago sp. z o.o. | tel/fax: |
| ul. Marynarki Polskiej 148 | (+48 58) 43 06 22 |
| 80-865 GDANSK, POLAND | (+48 58) 43 05 19 |
+-------------------------------------------------+

From owner-firewalls-outgoing Fri Aug 1 09:09:17 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id JAA04090 for firewalls-outgoing; Fri, 1 Aug 1997 09:05:08 -0700 (PDT) Received: from relay2.cospo.osis.gov (relay2.cospo.osis.gov [198.81.186.194]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id JAA04002 for ; Fri, 1 Aug 1997 09:04:30 -0700 (PDT) Received: by relay2.cospo.osis.gov (4.1/SMI-4.1) id AA20568; Fri, 1 Aug 97 12:03:32 EDT Message-Id: <9708011603.AA20568@relay2.cospo.osis.gov> Received: from washington.cospo.osis.gov(198.81.161.68) by relay2.cospo.osis.gov via smap (V1.3) id sma020566; Fri Aug 1 12:03:21 1997 Received: by washington.cospo.osis.gov (1.38.193.4/16.2) id AA28503; Fri, 1 Aug 1997 12:07:59 -0400 From: "Joseph S. D. Yao" Subject: Re: FWTK proxys and ... To: cooper@io.com (William Cooper) Date: Fri, 1 Aug 1997 12:07:58 -0400 (EDT) Cc: firewalls@GreatCircle.COM In-Reply-To: from "William Cooper" at Jul 31, 97 11:07:16 pm X-Mailer: ELM [version 2.4 PL25 PGP3 *ALPHA*] Mime-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

> > While this is a nice thing to do ... why would anyone ever have had to
> > have an account on the proxy host?
You don't need one to use tn-gw and > > ftp-gw! Get those accounts off the proxy host - they're diminishing > > your security! > > Well that's a question lots of ppl are probably asking because you got a > little snip happy and cut out the following section of the orig. email i > was responding to in which someone suggested telnetting to the firewall > (thus req. an acct./login-passwd) and then telnetting from the firewall > out... shame on you. > > > I haven't looked at your configuration, because you can't do either of > > these things using the TIS FWTK. In both cases, you must connect to > > the firewall bastion host (using 'telnet' or 'ftp', or your commercial > > product that uses those products), and from their connect out to the > > Internet host that you want to reach. That was me. YES, telnet to the bastion host. NO, you don't need an account and password. You should be running tn-gw on the firewall, not the telnetd! The tn-gw accepts you from the inside, if your IP address has permission to telnet out, and filters your session to the outside world. Same with ftp-gw. I must have been tired ... I entered "from their" instead of "from there". And spell-check didn't even catch it. ;-) Oh for the Writers WorkBench (WWB) of yore. OBTW, where I came from PPL was the Polymorphic Programming Language. ;-) -- Joe Yao jsdy@cospo.osis.gov - Joseph S. D. Yao COSPO Computer Support EMT-A/B ----------------------------------------------------------------------- This message is not an official statement of COSPO policies. 
From owner-firewalls-outgoing Fri Aug 1 09:23:58 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id JAA05052 for firewalls-outgoing; Fri, 1 Aug 1997 09:14:30 -0700 (PDT) Received: from siu.cen.buap.mx (siu.buap.mx [148.228.1.1]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id JAA05024 for ; Fri, 1 Aug 1997 09:14:17 -0700 (PDT) Received: by siu.cen.buap.mx (5.x/SMI-SVR4) id AA09870; Fri, 1 Aug 1997 11:27:40 GMT Date: Fri, 1 Aug 1997 11:27:37 +0000 (GMT) From: DOMINGO VARELA YAHUITL X-Sender: ydomingo@siu.buap.mx To: mjr@clark.net Cc: Firewalls@GreatCircle.COM Subject: Re: Firewalls FAQ In-Reply-To: <199707291203.IAA08801@mail.clark.net> Message-Id: Mime-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Hello Marcus, hope you help me please...

I new in area of firewalls and already have install the FWTK TIS, yet how can install the proxy for that my user can to exit with Netscape, Explorer or Mosaic a Internet... I have that modify the netscape in the options to use proxy??? that's incredible that can not make, :(((

and other question, in my box , to try a internet I have that to make %telnet host where port is 23, yet want make a telnet a my box not is possible the connect, is refused .. and in my private net, to access the firewall the make via port 2323 with success :)) That's correct the that I make to try a Internet???

thank by you answer...

Domingo V.
From owner-firewalls-outgoing Fri Aug 1 10:01:07 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id JAA05119 for firewalls-outgoing; Fri, 1 Aug 1997 09:15:18 -0700 (PDT) Received: from out2.ibm.net (out2.ibm.net [165.87.194.229]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id JAA05110 for ; Fri, 1 Aug 1997 09:15:11 -0700 (PDT) Received: from noam (slip141.advantis.net.il [192.115.219.145]) by out2.ibm.net (8.8.5/8.6.9) with ESMTP id QAA38106; Fri, 1 Aug 1997 16:16:34 GMT Message-ID: <33E20BED.DDF48AB8@israelmail.com> Date: Fri, 01 Aug 1997 19:16:45 +0300 From: Noam Rathaus X-Mailer: Mozilla 4.01 [en] (Win95; I) MIME-Version: 1.0 To: Brian Mitchell CC: "firewalls@GreatCircle.COM" Subject: Re: Packets X-Priority: 3 (Normal) References: Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Brian Mitchell wrote: > > On Fri, 1 Aug 1997, Noam Rathaus wrote: > > > Hi, > > > > I am looking for a book or any other source that could explain > > network packets in general (for example the stracture of HTTP / FTP > ... > > packets) or more specific packets like Microsoft's Election > > packet or any WindowsNET packets. > > Thanks in advance. > > tcp/ip illustrated volume 1, tcp/ip illustrated volume 2. For http, > try > rfc1945 (1.0) and rfc2068 (1.1). For ftp try rfc959. Windows stuff is > prob > more difficult to find information on, as microsoft is not known for > open > standards You got a ISBN for those two books? -- Thanks Noam Rathaus NT / Exchange / Network Administrator. Certified CNA - Site Builder Network 2 Israel mailto://dolittle@israelmail.com UIN: 486098 (http://www.mirabilis.com) ------------------------------------------------- If you use Netscape get yourself certificated at http://www.verisign.com (for free...) this will enable you to encrypt outgoing email. 
-------------------------------------------------

From owner-firewalls-outgoing Fri Aug 1 11:10:51 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id KAA18366 for firewalls-outgoing; Fri, 1 Aug 1997 10:26:58 -0700 (PDT) Received: from hanshan.bbnplanet.com (hanshan.bbnplanet.com [199.94.209.143]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id KAA18337 for ; Fri, 1 Aug 1997 10:26:48 -0700 (PDT) From: pnash@hanshan.bbnplanet.com Received: (qmail 5316 invoked by uid 1001); 1 Aug 1997 17:27:04 -0000 Message-ID: <19970801172704.5315.qmail@hanshan.bbnplanet.com> Subject: Re: FWTK proxys and ... To: jsdy@cospo.osis.gov (Joseph S. D. Yao) Date: Fri, 1 Aug 1997 13:27:04 -0400 (EDT) Cc: cooper@io.com, firewalls@GreatCircle.COM In-Reply-To: <9708011603.AA20568@relay2.cospo.osis.gov> from "Joseph S. D. Yao" at Aug 1, 97 12:07:58 pm X-Mailer: ELM [version 2.4 PL25] Content-Type: text Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

> That was me. YES, telnet to the bastion host. NO, you don't need an
> account and password. You should be running tn-gw on the firewall, not
> the telnetd! The tn-gw accepts you from the inside, if your IP address
> has permission to telnet out, and filters your session to the outside
> world. Same with ftp-gw.
>

For those who are saying "but how..", he's referring to the authentication features inside Gauntlet's telnet, ftp & http proxy. It supports re-usable passwords, one time passwords, and secure-id as well.
-Paul ---- Paul Nash (617) 873-6604 SitePatrol Implementation Engineer BBN Planet pnash@bbnplanet.com From owner-firewalls-outgoing Fri Aug 1 11:19:33 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id JAA07068 for firewalls-outgoing; Fri, 1 Aug 1997 09:25:54 -0700 (PDT) Received: from oxygen.house.gov (oxygen.house.gov [137.18.128.6]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id JAA06954 for ; Fri, 1 Aug 1997 09:25:21 -0700 (PDT) Received: by oxygen.house.gov (AIX 3.2/UCB 5.64/4.03) id AA48737; Fri, 1 Aug 1997 12:22:24 -0400 Date: Fri, 1 Aug 1997 12:22:24 -0400 From: johns@oxygen.house.gov (John Schnizlein) Message-Id: <9708011622.AA48737@oxygen.house.gov> To: firewalls@GreatCircle.COM, pkol@otago.gda.pl Subject: Re: Access-lists and routing performance Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > I want to verify an opinion that number of=20 > clauses in access - list can dramatically affect > performance of filtering (screening) router. > Especially it was told about Cisco routers > by someone who pretends to be an authority. > > But before I have sent this question, I tried to verify > it. And it seems, that this is not true... > > [specific test deleted] > > 2. Access-list can be fine optimized, so clauses that > are often applied may appear nearly at the beginning > of the list, for example: > "access-list XXX permit tcp ..... established", > with no security holes. You are right to question the pretend authority. Your test shows similar results to others I have read about. Since much of the performance improvement has occurred with recent versions of the Cisco IOS, the pretend authority may just have old info. It also matters how the access-list is applied. With many router architectures, even with the newer IOS, applying the access-list on inbound traffic instead of outbound traffic drops the switching mode from fast to process. 
This change disables the optimization of the forwarding process. When process-switching the access-list, the length of the list also matters, although the optimization you described is possible. However, the position of a control rule in the list also determines its precedence of application (there can be conflicts even when it is done right). If raw speed is really needed, and the access-list is long, there is brute force. Cisco has a Silicon Switch Processor for the Cisco 7000 that can autonomously switch (their fastest mode) outbound access-lists at wire speed. We have this operating between FDDI (100 Mbps) links. From owner-firewalls-outgoing Fri Aug 1 11:47:50 1997 Gooday- TCP/IP Illustrated Volume 1 is ISBN 0-201-63346-9,Addison Wesley TCP/IP Illustrated Volume 2 is ISBN 0-201-63354-X,Addison Wesley by Wright - Stevens Both are massive volumes, consumingly thorough. Keith Merrill Nasdaq Network Engineering Systems Team 203-385-4942 >---------- >From: Noam Rathaus[SMTP:dolittle@israelmail.com] >Sent: Friday, August 01, 1997 12:16 PM >To: Brian Mitchell >Cc: firewalls@GreatCircle.COM >Subject: Re: Packets > >Brian Mitchell wrote: >> >> On Fri, 1 Aug 1997, Noam Rathaus wrote: >> >> > Hi, >> > >> > I am looking for a book or any other source that could explain >> > network packets in general (for example the stracture of HTTP / FTP >> ... >> > packets) or more specific packets like Microsoft's Election >> > packet or any WindowsNET packets. >> > Thanks in advance. >> >> tcp/ip illustrated volume 1, tcp/ip illustrated volume 2. For http, >> try >> rfc1945 (1.0) and rfc2068 (1.1). For ftp try rfc959. Windows stuff is >> prob >> more difficult to find information on, as microsoft is not known for >> open >> standards >You got a ISBN for those two books? >-- >Thanks >Noam Rathaus >NT / Exchange / Network Administrator. 
>Certified CNA - Site Builder Network 2
>Israel
>mailto://dolittle@israelmail.com
>UIN: 486098 (http://www.mirabilis.com)
>
>-------------------------------------------------
> If you use Netscape get yourself
> certificated at http://www.verisign.com
> (for free...) this will enable you to encrypt
> outgoing email.
>-------------------------------------------------
>

From owner-firewalls-outgoing Fri Aug 1 11:48:06 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id JAA11157 for firewalls-outgoing; Fri, 1 Aug 1997 09:49:01 -0700 (PDT) Received: from deere3-bh.dx.deere.com (deere3-bh.dx.deere.com [207.122.201.68]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id JAA11107 for ; Fri, 1 Aug 1997 09:48:48 -0700 (PDT) Received: (from uucp@localhost) by deere3-bh.dx.deere.com (8.6.12/8.6.11) id LAA21815; Fri, 1 Aug 1997 11:49:31 -0500 Received: from 192.43.1.3 by deere3-bh.dx.deere.com via smap (3.2) id xma021644; Fri, 1 Aug 97 11:49:17 -0500 Received: from 90.deere.com by deere (SMI-8.6/SMI-SVR4) id LAA14399; Fri, 1 Aug 1997 11:50:16 -0500 Received: from catbert.uu.deere.com by 90.deere.com (SMI-8.6/SMI-SVR4) id LAA18724; Fri, 1 Aug 1997 11:50:14 -0500 Message-ID: <33E212A8.DF93D35F@90.deere.com> Date: Fri, 01 Aug 1997 11:45:30 -0500 From: Bertrum Carroll X-Mailer: Mozilla 4.0 [en] (Win95; I) MIME-Version: 1.0 To: "Firewalls@GreatCircle.COM" , "fw-1-mailinglist@us.checkpoint.com" Subject: PPTP & FW-1 X-Priority: 3 (Normal) Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

I'm attempting to set up a FW-1 filter to support PPTP. I'm using FW-1 3.0a on Solaris. PPTP is not defined, how do I set up a filter just for PPTP not all IP?
Thanks In Advance Bert Carroll From owner-firewalls-outgoing Sat Aug 2 01:30:05 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id BAA15771 for firewalls-outgoing; Sat, 2 Aug 1997 01:25:12 -0700 (PDT) Received: from garanti1.garanti.com.tr (garanti1.garanti.com [194.54.51.100]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id BAA15747 for ; Sat, 2 Aug 1997 01:25:03 -0700 (PDT) Received: from Mailhub by garanti1.garanti.com.tr id AA15004; Sat, 2 Aug 1997 11:26:52 +0400 Received: from GarantiUser by GarantiMailServer id AA12054; Sat, 2 Aug 1997 11:26:40 +0400 Received: from [10.0.4.106] by manage1.fw.garanti.com.tr (AIX 4.1/UCB 5.64/4.03) id AA16898; Sun, 3 Aug 1997 11:11:26 +0400 Message-Id: <33E37B28.778A@garanti.com.tr> Date: Sat, 02 Aug 1997 11:23:36 -0700 From: Cihan Subasi Reply-To: csubasi@garanti.com.tr Organization: Garanti Ticaret X-Mailer: Mozilla 3.0Gold (Win16; I) Mime-Version: 1.0 To: Firewalls , Checkpoint Mailing List Subject: Installation of Failover Gateway in FW-1 3.0a... Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk We installed the Failover Gateway to backup our FW-1 3.0a, looks like everything is fine but I have a problem with the machines on DMZ interface...All our internet servers (other than firewall machines) are running on a RS6000 with AIX 4.1.4 but in order to make them see Failover Gateway when master firewall dies we have to give a second default gateway to the AIXs, here is the problem looks like AIX do not take a second default gateway with a higher metric...Anybody can help me to solve the problem? 
Thanks, -- **************************************************************************** Cihan Subasi, Garanti Ticaret AS,Istanbul Turkey email:csubasi@garanti.com.tr tel: +902126570404 fax: +902126570473 **************************************************************************** From owner-firewalls-outgoing Sat Aug 2 02:30:05 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id CAA22848 for firewalls-outgoing; Sat, 2 Aug 1997 02:14:51 -0700 (PDT) Received: from ncrhub5.NCR.COM (h192-127-251-11.NCR.COM [192.127.251.11]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id CAA22833 for ; Sat, 2 Aug 1997 02:14:44 -0700 (PDT) From: sfuller@romeo.unitedkingdom.ncr.com Received: from ncruk.UUCP (ncruk@localhost) by ncrhub5.NCR.COM (8.8.5/8.8.5) with UUCP id FAA27996 for GreatCircle.COM!Firewalls; Sat, 2 Aug 1997 05:15:36 -0400 (EDT) Date: Sat, 2 Aug 1997 05:15:36 -0400 (EDT) Message-Id: <199708020915.FAA27996@ncrhub5.NCR.COM> Received: by ncruk.unitedkingdom.ncr.com; 2 Aug 97 10:22:15 GMT Subject: Absent from the office To: undisclosed-recipients:; Sender: firewalls-owner@GreatCircle.COM Precedence: bulk From Monday 4th August until Friday 15th August I shall be on holiday. I will return Monday 18th. Should your email require immediate attention please resend to cs.cisco@unitedkingdom.ncr.com Regards -- Steve Fuller steve.fuller@unitedkingdom.ncr.com NCR (UK) Ltd. Tel: +44-(0)171-725 8292 CSS Network Services Fax: +44-(0)171-725 8374 206 Marylebone Road. 
London NW1 6LY [CCIE 1457] From owner-firewalls-outgoing Sun Aug 3 17:15:52 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id QAA08819 for firewalls-outgoing; Sun, 3 Aug 1997 16:56:16 -0700 (PDT) Received: from mycroft.GreatCircle.COM (mycroft.greatcircle.com [198.102.244.35]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id QAA08794 for ; Sun, 3 Aug 1997 16:56:08 -0700 (PDT) Received: from mtshasta.snowcrest.net by mycroft.GreatCircle.COM (8.8.5/SMI-4.1/Brent-970426) id TAA07447; Sat, 2 Aug 1997 19:44:47 -0700 (PDT) Received: from kgroup (ttyD10.redding.snowcrest.net [206.245.193.48]) by mtshasta.snowcrest.net (8.8.5/8.6.5) with ESMTP id TAA17873; Sat, 2 Aug 1997 19:47:11 -0700 (PDT) Message-ID: <33E3F2BA.745651B9@snowcrest.net> Date: Sat, 02 Aug 1997 19:53:46 -0700 From: kgroup X-Mailer: Mozilla 4.0 [en] (Win95; I) MIME-Version: 1.0 To: Verna D Dick , Great Bend Tribune , Alan , "Bob522@aol.com" , "CHOYBOK@aol.com" , Christopher Ray Parrish , "firewalls@greatcircle.com" , "Visionprof@aol.com" , ZWH Subject: [Fwd: [Fwd: Subject: good luck totem]] X-Priority: 3 (Normal) Content-Type: multipart/mixed; boundary="------------5F40FB5388D4E6A79497A865" Sender: firewalls-owner@GreatCircle.COM Precedence: bulk This is a multi-part message in MIME format. --------------5F40FB5388D4E6A79497A865 Content-Type: text/plain; charset=us-ascii Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Content-Transfer-Encoding: 7bit We need all the luck we can get, so here goes!!! 
--------------5F40FB5388D4E6A79497A865
Content-Type: message/rfc822
Content-Transfer-Encoding: 7bit
Content-Disposition: inline

Received: from mailgate22 (mailgate22-hme0.a001.sprintmail.com [205.137.196.54]) by mtshasta.snowcrest.net (8.8.5/8.6.5) with SMTP id XAA28533 for ; Tue, 29 Jul 1997 23:25:18 -0700 (PDT)
Received: by mailgate22 (SMI-8.6/SMI-SVR4) id XAA12663; Tue, 29 Jul 1997 23:17:39 -0700
Received: from sdn-ts-004casdiep08.dialsprint.net(206.133.254.75) by mailfep2-hme1 via smap (KC5.24) id Q_10.1.1.6/Q_13144_1_33ded7e4; Tue Jul 29 22:57:56 1997
Message-ID: <33DED6FA.13CF@sprintmail.com>
Date: Tue, 29 Jul 1997 22:54:02 -0700
From: Risa Roberta Goldberg
Reply-To: risasplace@sprintmail.com
X-Mailer: Mozilla 3.01C-SI300B01 (Win95; I)
MIME-Version: 1.0
To: valdape@ix.netcom.com, kgroup@snowcrest.net, chezi369@aol.com, ndelaney@adnc.com, ffrey@acad.com, zdrgz@juno.com, katg@juno.com, rsgit@cts.com, MICKEVICH.MARY@NMNH.SI.EDU, NNewk@aol.com
Subject: [Fwd: Subject: good luck totem]
Content-Type: message/rfc822
Content-Transfer-Encoding: 7bit
Content-Disposition: inline

Received: from unknown(206.171.126.130) by mailgate21-hme2 via smap (KC5.24) id Q_10.1.1.20/Q_10056_1_33de08ca; Tue Jul 29 08:14:18 1997
Received: from NSI.access1.net (san218.access1.net [206.171.126.218]) by ns1.access1.net (2.0 Build 2119 (Berkeley 8.8.4)/8.8.4) with SMTP id IAA01015; Tue, 29 Jul 1997 08:07:41 -0700
Message-ID: <33DE0791.E80@signif.com>
Date: Tue, 29 Jul 1997 08:09:05 -0700
From: Marci Bunescu
Reply-To: mbunescu@signif.com
X-Mailer: Mozilla 3.0 (Win95; U)
MIME-Version: 1.0
To: jtaylor@grossmont.k12.ca.us, mfj001@aol.com, "James, Pat" , gbunescu@signif.com, edbo@thorin.instanet.com, grassweb@ftel.net, risasplace@sprintmail.com, lglass@sbjrhigh.sbceo.k12.ca.us, darlacox@aol.com, tasegeal@aol.com
Subject: Subject: good luck totem
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit

>
>
>Hawaiian GOOD LUCK TOTEM
> \\\|||///
> =========
> - | O O |
> / \ \ @'/
> # _| |_
> (#) ( )
> #\//|* *|\\
> #\/( * )/
> # =====
> # (\|/)
> # || ||
> .#.--'| |---..
> #'---' ----'
>
>This totem has been sent to you for good luck. It has been sent
>around the world nine times so far. You will receive good luck
>within four days of relaying this totem..
>
>Send copies to people you think need good luck. Don't send money as
>fate has no price. Do not keep this message..
>
>The totem must leave your hands in 96 hours. Send ten copies and see
>what happens in four days. You will get a surprise. This is true,
>even if you are not superstitious..
>
>Good luck, but please remember: 10 copies of this message must leave
>your hands in 96 hours... You must not sign on message....

--------------5F40FB5388D4E6A79497A865--

From owner-firewalls-outgoing Sun Aug 3 20:26:03 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id SAA06787 for firewalls-outgoing; Sun, 3 Aug 1997 18:59:05 -0700 (PDT)
Received: from ds1.gl.umbc.edu (ds1.gl.umbc.edu [130.85.3.11]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id SAA06693 for ; Sun, 3 Aug 1997 18:58:44 -0700 (PDT)
Received: from umbc10.umbc.edu (jjasen1@umbc10.umbc.edu [130.85.3.14]) by ds1.gl.umbc.edu (8.8.5/8.6.9) with ESMTP id VAA18357; Sun, 3 Aug 1997 21:59:30 -0400 (EDT)
Received: from localhost (jjasen1@localhost) by umbc10.umbc.edu (8.8.5/8.6.9) with SMTP id VAA21041; Sun, 3 Aug 1997 21:59:29 -0400 (EDT)
X-Authentication-Warning: umbc10.umbc.edu: jjasen1 owned process doing -bs
Date: Sun, 3 Aug 1997 21:59:29 -0400 (EDT)
From: "John \"E.R.\" Jasen"
To: kgroup
cc: "firewalls@greatcircle.com"
Subject: Re: [Fwd: [Fwd: Subject: good luck totem]]
In-Reply-To: <33E3F2BA.745651B9@snowcrest.net>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Sat, 2 Aug 1997, kgroup wrote:
> We need all the luck we can get, so here goes!!!

Wow! The Black Magic firewall...
Blocks IP addresses and casts curses on the offending site!

-- "What do you want?" -- Mr. Morden, Microsoft Sales VP
-- John E. Jasen // Systems Alchemist \\ jjasen1@umbc.edu --
-- My views are not those of UMBC, AFAIK. HTH. HAND. --

From owner-firewalls-outgoing Sun Aug 3 20:31:46 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id SAA22392 for firewalls-outgoing; Sun, 3 Aug 1997 18:12:10 -0700 (PDT)
Received: from brickbat8.mindspring.com (brickbat8.mindspring.com [207.69.200.11]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id SAA22303 for ; Sun, 3 Aug 1997 18:11:53 -0700 (PDT)
Received: from ip210.isdn2-new-york4.ny.pub-ip.psi.net (ip210.isdn2-new-york4.ny.pub-ip.psi.net [38.26.38.210]) by brickbat8.mindspring.com (8.8.5/8.8.5) with SMTP id VAA22077; Sun, 3 Aug 1997 21:11:21 -0400 (EDT)
Received: by ip210.isdn2-new-york4.ny.pub-ip.psi.net with Microsoft Mail id <01BCA051.C53D8630@ip210.isdn2-new-york4.ny.pub-ip.psi.net>; Sun, 3 Aug 1997 21:11:12 -0400
Message-ID: <01BCA051.C53D8630@ip210.isdn2-new-york4.ny.pub-ip.psi.net>
From: "Steven M. Kerstein" <1bigman@mindspring.com>
To: "'kgroup'" , Verna D Dick , Great Bend Tribune , Alan , "Bob522@aol.com" , "CHOYBOK@aol.com"
To: Christopher Ray Parrish , "firewalls@greatcircle.com" , "Visionprof@aol.com" , ZWH
Subject: RE: [Fwd: [Fwd: Subject: good luck totem]]
Date: Sun, 3 Aug 1997 21:11:10 -0400
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Anyone who re-sends this crap out is a fucking idiot. Stop the spam e-mail and let this good luck myth die, already.

-----Original Message-----
From: kgroup [SMTP:kgroup@snowcrest.net]
Sent: Saturday, August 02, 1997 10:54 PM
To: Verna D Dick; Great Bend Tribune; Alan; Bob522@aol.com; CHOYBOK@aol.com; Christopher Ray Parrish; firewalls@greatcircle.com; Visionprof@aol.com; ZWH
Subject: [Fwd: [Fwd: Subject: good luck totem]]

<< Message: [Fwd: Subject: good luck totem] >>
We need all the luck we can get, so here goes!!!

From owner-firewalls-outgoing Sun Aug 3 21:05:54 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id SAA18894 for firewalls-outgoing; Sun, 3 Aug 1997 18:00:49 -0700 (PDT)
Received: from mycroft.GreatCircle.COM (mycroft.greatcircle.com [198.102.244.35]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id SAA18652 for ; Sun, 3 Aug 1997 18:00:06 -0700 (PDT)
Received: from relay.rv.tis.com by mycroft.GreatCircle.COM (8.8.5/SMI-4.1/Brent-970426) id TAA06989; Sat, 2 Aug 1997 19:25:22 -0700 (PDT)
Received: by relay.rv.tis.com; id WAA01677; Sat, 2 Aug 1997 22:26:29 -0400 (EDT)
Received: from dhcp1.ex.tis.com(192.94.214.121) by relay.rv.tis.com via smap (4.0) id xmab01670; Sat, 2 Aug 97 22:26:03 -0400
Message-Id: <3.0.1.32.19970802222033.007203bc@pop.rv.tis.com>
X-Sender: rick@pop.rv.tis.com
X-Mailer: Windows Eudora Pro Version 3.0.1 (32)
Date: Sat, 02 Aug 1997 22:20:33 -0400
To: DOMINGO VARELA YAHUITL
From: Rick Murphy
Subject: Re: Firewalls FAQ
Cc: mjr@clark.net, Firewalls@GreatCircle.COM
In-Reply-To:
References: <199707291203.IAA08801@mail.clark.net>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

At 11:27 AM 8/1/97 +0000, DOMINGO VARELA YAHUITL wrote:
>Hello Marcus, hope you help me please... I new in are of firewalls and
>already have install the FWTK TIS, yet how can install the proxy for that
>my user can to exit with Netscape, Explorer or Mosaic a Internet...
>I have tha modify the netscape in the options to use proxy???
>
>that's incredible tha can not make, :(((

You must configure the proxy setting in your browser to use the FWTK http proxy.

>
> and other question, in my box , to try a internet I have that to make
>%telnet host where port is 23, yet want make a telnet a my box not
>is possible the connect, is refused .. and in my private net, to access
>the firewall the make via port 2323 with success :))

To use nonstandard telnet ports, you telnet to the proxy then "connect host 2323".

-Rick

From owner-firewalls-outgoing Sun Aug 3 21:17:36 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id SAA20128 for firewalls-outgoing; Sun, 3 Aug 1997 18:04:45 -0700 (PDT)
Received: from mycroft.GreatCircle.COM (mycroft.greatcircle.com [198.102.244.35]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id SAA19975 for ; Sun, 3 Aug 1997 18:04:17 -0700 (PDT)
Received: from proxy3.ba.best.com by mycroft.GreatCircle.COM (8.8.5/SMI-4.1/Brent-970426) id VAA09320; Sat, 2 Aug 1997 21:17:38 -0700 (PDT)
Received: from shellx.best.com (shellx.best.com [206.86.0.11]) by proxy3.ba.best.com (8.8.6/8.8.3) with ESMTP id VAA03544; Sat, 2 Aug 1997 21:19:52 -0700 (PDT)
Received: from localhost (pylej@localhost) by shellx.best.com (8.8.6/8.8.3) with SMTP id VAA08626; Sat, 2 Aug 1997 21:19:51 -0700 (PDT)
X-Authentication-Warning: shellx.best.com: pylej owned process doing -bs
Date: Sat, 2 Aug 1997 21:19:51 -0700 (PDT)
From: joe
X-Sender: pylej@shellx.best.com
To: Cihan Subasi
cc: Firewalls , Checkpoint Mailing List
Subject: Re: [FW1] Installation of Failover Gateway in FW-1 3.0a...
In-Reply-To: <33E37B28.778A@garanti.com.tr>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hello Cihan,

I'll be trying this one soon too... RIP may be your only hope even though it is crude...(via gated with higher/lower preferences)..unless you can do router discovery with AIX boxes...
too bad you are not using all Sun workstations...(IMHO) :)

I'm very interested to see if anyone else has done this or has a good suggestion..

Cheers,
JP

==================================================================
Joseph J. Pyle - Network Consultant _ E-Mail Solutions @ PYLE.COM "<(o)>" ~ joe@pyle.com - Its in the eye of the beholder
==================================================================

On Sat, 2 Aug 1997, Cihan Subasi wrote:

> We installed the Failover Gateway to backup our FW-1 3.0a, looks like
> everything is fine but I have a problem with the machines on DMZ
> interface...All our internet servers (other than firewall machines) are
> running on a RS6000 with AIX 4.1.4 but in order to make them see
> Failover Gateway when master firewall dies we have to give a second
> default gateway to the AIXs, here is the problem looks like AIX do not
> take a second default gateway with a higher metric...Anybody can help me
> to solve the problem?
>
> Thanks,
> --
>
> ****************************************************************************
> Cihan Subasi,
> Garanti Ticaret AS,Istanbul Turkey
> email:csubasi@garanti.com.tr tel: +902126570404 fax: +902126570473
> ****************************************************************************
>

From owner-firewalls-outgoing Sun Aug 3 21:31:43 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id TAA18237 for firewalls-outgoing; Sun, 3 Aug 1997 19:52:30 -0700 (PDT)
Received: from mycroft.GreatCircle.COM (mycroft.greatcircle.com [198.102.244.35]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id TAA18102 for ; Sun, 3 Aug 1997 19:51:46 -0700 (PDT)
From: Dick_Wall@stratus.com
Received: from mailhub.stratus.com by mycroft.GreatCircle.COM (8.8.5/SMI-4.1/Brent-970426) id MAA01955; Sat, 2 Aug 1997 12:28:51 -0700 (PDT)
Received: from na2.stratus.com (na2.stratus.com [134.111.82.93]) by mailhub.stratus.com (8.8.5/8.8.2) with ESMTP id PAA10372 for ; Sat, 2 Aug 1997 15:31:42 -0400 (EDT)
Received: from (root@localhost) by na2.stratus.com (8.8.5/8.8.5) with SMTP id PAA29436 for firewalls@greatcircle.com; Sat, 2 Aug 1997 15:25:57 -0400 (EDT)
X-OpenMail-Hops: 1
Date: Sat, 2 Aug 97 15:25:21 -0400
Message-Id:
Subject: Web Oriented Mail Clients
MIME-Version: 1.0
TO: firewalls@GreatCircle.COM
Content-Type: text/plain; charset=US-ASCII; name="Web"
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hello all ..

I apologize if I'm asking a question that has been recently discussed .. I've been off the list for a while and have missed recent dialogues.

The question is ... I'm getting approached by various groups in my company, that want to use Web oriented email clients, to access our email servers. That is, they want to use the clients from the Internet points, to access servers on the trusted/internal side of our network. They'd like us therefore, to allow http access through the firewall. We don't allow that now, and I don't plan to allow it in the future.

Is there a secure means for providing such email access?
Dick

From owner-firewalls-outgoing Sun Aug 3 21:38:50 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id UAA24049 for firewalls-outgoing; Sun, 3 Aug 1997 20:10:29 -0700 (PDT)
Received: from mycroft.GreatCircle.COM (mycroft.greatcircle.com [198.102.244.35]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id UAA23786 for ; Sun, 3 Aug 1997 20:09:40 -0700 (PDT)
Received: from warp.techno.org by mycroft.GreatCircle.COM (8.8.5/SMI-4.1/Brent-970426) id GAA28619; Sat, 2 Aug 1997 06:28:10 -0700 (PDT)
Received: (qmail 11200 invoked by uid 500); 2 Aug 1997 13:31:02 -0000
Date: Sat, 2 Aug 1997 15:31:02 +0200 (MET DST)
From: Patrik Backstrom
To: firewalls@GreatCircle.COM
Subject: Firewall-1, Static Address Translation problem [2]
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=iso-8859-1
Content-Transfer-Encoding: QUOTED-PRINTABLE
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Thanks to everyone who answered.

The problem was (and still is) the anti-spoofing feature. The manual says you should add the hidden and the official ip addresses to both the internal and external interface on the firewall. This doesn't help, the firewall still drops the packets. But as soon as I remove the antispoofing features (i.e. setting both interfaces to accept any ip's), everything works just fine.

Since I really would like to use the anti-spoofing features, this is a bit of a problem. Any ideas?
/pb

---------------------------------------------------------------------
Patrik Bäckström (BOFH)      Phone........: +46-(0)706-661928
Hjalmar Bergmans gata 50     Homepage.....: http://warp.techno.org/
422 52 Hisings Backa         E-Mail.......: pb@techno.org
PGP Pub Key......: http://warp.techno.org/~pb/pgpkey
           \.....: finger pb@warp.techno.org
---------------------------------------------------------------------

---------- Forwarded message ----------
Date: Wed, 30 Jul 1997 12:34:26 +0200 (MET DST)
From: Patrik Backstrom
To: firewalls@greatcircle.com
Subject: Firewall-1, Static Address Translation problem

Hi!

I have a problem with static address translation. When the client on the inside connects to the outside, everything works fine. But when a machine on the outside tries to connect to the client's valid ip, it just won't go through the firewall.

I have configured the Network Object, Workstation, Address Translation for Automatic Rules, Static and the Valid IP address.

The logs on the Firewall-1 say that the packet is accepted, but it won't reach the internal client. It can't be a routing problem, since it works fine when the client connects to the outside world. The source IP after the translation is also correct.
/pb

---------------------------------------------------------------------
Patrik Bäckström (BOFH)      Phone........: +46-(0)706-661928
Hjalmar Bergmans gata 50     Homepage.....: http://warp.techno.org/
422 52 Hisings Backa         E-Mail.......: pb@techno.org
PGP Pub Key......: http://warp.techno.org/~pb/pgpkey
           \.....: finger pb@warp.techno.org
---------------------------------------------------------------------

From owner-firewalls-outgoing Sun Aug 3 21:47:08 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id VAA11643 for firewalls-outgoing; Sun, 3 Aug 1997 21:43:09 -0700 (PDT)
Received: from scsnoida.stpn.soft.net ([204.143.119.19]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id VAA11576 for ; Sun, 3 Aug 1997 21:42:51 -0700 (PDT)
Received: from mail.scsnoida.stpn.soft.net by scsnoida.stpn.soft.net with smtp (Smail3.2 #2) id m0wv65G-000xjgC; Sun, 3 Aug 1997 23:12:54 +0400 (SMT)
Received: from Mubashir.scsnoida.stpn.soft.net(really [192.168.90.36]) by mail.scsnoida.stpn.soft.net via rsmtp with esmtp id for ; Mon, 4 Aug 1997 10:07:42 +0400 (SMT) (Smail-3.2 1996-Jul-4 #1 built 1997-Apr-2)
Message-ID: <33E55F34.421539D6@scsnoida.stpn.soft.net>
Date: Mon, 04 Aug 1997 10:18:52 +0530
From: Mubashir Hasan Kazia
Organization: Sriven Computer Solutions
X-Mailer: Mozilla 4.01 [en] (Win95; I)
MIME-Version: 1.0
To: kgroup
CC: Verna D Dick , Great Bend Tribune , Alan , "Bob522@aol.com" , "CHOYBOK@aol.com" , Christopher Ray Parrish , "firewalls@greatcircle.com" , "Visionprof@aol.com" , ZWH
Subject: Re: [Fwd: [Fwd: Subject: good luck totem]]
X-Priority: 3 (Normal)
References: <33E3F2BA.745651B9@snowcrest.net>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

This is ridiculous. A firewall mailing list is used for propagating this kind of superstition and irrelevant stuff. Such vandalism just makes the whole system less useful to everybody.
Please get it stopped

Thanks
Mubashir Hasan
S/W Engineer
SCS NEPZ India

kgroup wrote:
>
> We need all the luck we can get, so here goes!!!
>
> ---------------------------------------------------------------
>
> Subject: [Fwd: Subject: good luck totem]
> Date: Tue, 29 Jul 1997 22:54:02 -0700
> From: Risa Roberta Goldberg
> To: valdape@ix.netcom.com, kgroup@snowcrest.net, chezi369@aol.com,
> ndelaney@adnc.com, ffrey@acad.com, zdrgz@juno.com, katg@juno.com,
> rsgit@cts.com, MICKEVICH.MARY@NMNH.SI.EDU, NNewk@aol.com
>
> Subject: Subject: good luck totem
> Date: Tue, 29 Jul 1997 08:09:05 -0700
> From: Marci Bunescu
> To: jtaylor@grossmont.k12.ca.us, mfj001@aol.com, "James, Pat" ,
> gbunescu@signif.com, edbo@thorin.instanet.com, grassweb@ftel.net,
> risasplace@sprintmail.com, lglass@sbjrhigh.sbceo.k12.ca.us,
> darlacox@aol.com, tasegeal@aol.com
>
> >
> >
> >Hawaiian GOOD LUCK TOTEM
> > \\\|||///
> > =========
> > - | O O |
> > / \ \ @'/
> > # _| |_
> > (#) ( )
> > #\//|* *|\\
> > #\/( * )/
> > # =====
> > # (\|/)
> > # || ||
> > .#.--'| |---..
> > #'---' ----'
> >
> >This totem has been sent to you for good luck. It has been sent
> >around the world nine times so far. You will receive good luck
> >within four days of relaying this totem..
> >
> >Send copies to people you think need good luck. Don't send money as
> >fate has no price. Do not keep this message..
> >
> >The totem must leave your hands in 96 hours. Send ten copies and see
> >what happens in four days. You will get a surprise. This is true,
> >even if you are not superstitious..
> >
> >Good luck, but please remember: 10 copies of this message must leave
> >your hands in 96 hours... You must not sign on message....

From owner-firewalls-outgoing Sun Aug 3 23:45:07 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id XAA03023 for firewalls-outgoing; Sun, 3 Aug 1997 23:18:47 -0700 (PDT)
Received: from mycroft.GreatCircle.COM (mycroft.greatcircle.com [198.102.244.35]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id TAA13654 for ; Sun, 3 Aug 1997 19:25:23 -0700 (PDT)
Received: from darkstar.sysinfo.com by mycroft.GreatCircle.COM (8.8.5/SMI-4.1/Brent-970426) id OAA03284; Sat, 2 Aug 1997 14:28:35 -0700 (PDT)
Received: from parka.winternet.com (dufresne@parka.winternet.com [198.174.169.9]) by darkstar.sysinfo.com (8.8.2/8.8.2) with SMTP id QAA07199 for ; Sat, 2 Aug 1997 16:19:19 -0500
Date: Sat, 2 Aug 1997 16:19:11 -0500 (CDT)
From: Ron DuFresne
To: firewalls@GreatCircle.COM
Subject: Mail bombing made legal...
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Return-Path:
Received: from rapidconnect.com (root@[205.164.68.225]) by darkstar.sysinfo.com (8.8.2/8.8.2) with ESMTP id PAA07121 for ; Sat, 2 Aug 1997 15:43:07 -0500
Received: by rapidconnect.com (8.8.5/8.8.5) with SMTP id QAA08640; Sat, 2 Aug 1997 16:36:26 -0400 (EDT)
Message-Id: <199708022036.QAA08640@rapidconnect.com>
-X: at http://www.thehitman.com/ Responsible Bulk emailing is here!
From: emailblaster@rapidconnect.com
Date: Sun, 03 Aug 1997 04:40:44 PDT
Subject: Complete Bulk Email Pkg. only $49.95

*Special Promotion*

Complete Bulk Email Package only $49.95 including Unlimited Email Addresses (25 Million and Growing!!!). Our company is running this special promotion to allow you try out our software at an affordable price.

[SNIP]

SPECIAL CLOAKING DEVICE: Email Blaster can successfully hide the origin of all email being sent out. Email Blaster can mask itself to look like it came from the recipients own host. This will help stop users from flaming your email box!

[SNIP]

To take advantage of this opportunity, please fill out the order form below and fax or mail to:

Internet Marketing
P.O. Box 276
Bellmawr, NJ 08099
Phone: 609-933-3527
Fax: 609-933-1499

Don't miss out on this opportunity! Special Promotion!!!

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
"Cutting the space budget really restores my faith in humanity. It eliminates dreams, goals, and ideals and lets us get straight to the business of hate, debauchery, and self-annihilation." -- Johnny Hart
***testing, only testing, and damn good at it too!***
OK, so you're a Ph.D. Just don't touch anything.

From owner-firewalls-outgoing Mon Aug 4 01:07:32 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id AAA13450 for firewalls-outgoing; Mon, 4 Aug 1997 00:31:18 -0700 (PDT)
Received: from ren.globecomm.net (ren.globecomm.net [207.51.48.3]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id AAA13421 for ; Mon, 4 Aug 1997 00:31:09 -0700 (PDT)
Received: from wacked (slsyd67p12.ozemail.com.au [203.108.20.92]) by ren.globecomm.net (8.8.5/8.8.0) with SMTP id DAA20339 for ; Mon, 4 Aug 1997 03:31:58 -0400 (EDT)
Date: Fri, 30 Mar 1990 20:57:46 +0000 ( )
From: warpy
To: Firewalls@GreatCircle.COM
Subject: Secure Webserver
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I've recently gotten voluntary work doing security/webadmin work on a local christian website. I've been asked to look into implementing a secure online commerce server similar to amazon's setup. My question is what webserver do you recommend I should use (bearing in mind financial resources are limited). The operating system the website is being run on is linux. Also, can anyone tell me what secure servers are available and how much they cost. That or a url would be great.

Warpy

-----------------------------------------------------------------------
| "Stronger crypto makes the world a safer place..." |
| http://suburbia.com.au/~warpy |
| Email: warpy@null.net or warpy@suburbia.com.au |
| Key fingerprint = CE FD E7 95 6E 35 D7 6D 88 A3 0C 86 43 E2 FB FD |
-----------------------------------------------------------------------

From owner-firewalls-outgoing Mon Aug 4 01:31:39 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id AAA14878 for firewalls-outgoing; Mon, 4 Aug 1997 00:48:56 -0700 (PDT)
Received: from mycroft.GreatCircle.COM (mycroft.greatcircle.com [198.102.244.35]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id AAA14868 for ; Mon, 4 Aug 1997 00:48:52 -0700 (PDT)
Received: from dfw-ix2.ix.netcom.com by mycroft.GreatCircle.COM (8.8.5/SMI-4.1/Brent-970426) id AAA24372; Mon, 4 Aug 1997 00:29:13 -0700 (PDT)
Received: (from smap@localhost) by dfw-ix2.ix.netcom.com (8.8.4/8.8.4) id CAA27885 for ; Mon, 4 Aug 1997 02:33:13 -0500 (CDT)
Received: from irv-ca8-15.ix.netcom.com(204.32.161.79) by dfw-ix2.ix.netcom.com via smap (V1.3) id sma027847; Mon Aug 4 02:32:58 1997
Message-ID: <33E585A6.631C@IX.NETCOM.COM>
Date: Mon, 04 Aug 1997 00:32:54 -0700
From: Alan Hoang
Reply-To: X-Files@IX.NETCOM.COM
X-Mailer: Mozilla 3.0Gold (Win95; U)
MIME-Version: 1.0
To: FIREWALLS@GreatCircle.COM
Subject: (no subject)
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

remove

From owner-firewalls-outgoing Mon Aug 4 01:44:31 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id XAA06272 for firewalls-outgoing; Sun, 3 Aug 1997 23:49:49 -0700 (PDT)
Received: (mcb@localhost) by honor.greatcircle.com (8.8.5/Honor-970427-1) id XAA06042 for firewalls@greatcircle.com; Sun, 3 Aug 1997 23:49:10 -0700 (PDT)
Received: from relay.rcp.net.pe (relay.rcp.net.pe [200.1.182.249]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id HAA24146 for ; Thu, 31 Jul 1997 07:42:21 -0700 (PDT)
Received: from NS2.rcp.net.pe ([161.132.5.10] HELO kuntur.rcp.net.pe ident: TIMEDOUT [port 59485]) by relay.rcp.net.pe with SMTP id <12685-225>; Thu, 31 Jul 1997 09:44:20 -0400
Received: from mem.gob.pe(really [161.132.54.4]) by kuntur.rcp.net.pe via sendmail with smtp id for ; Thu, 31 Jul 1997 09:46:30 -0400 (EDT) (Smail-3.2 1996-Jul-4 #3 built 1996-Sep-16)
Received: from MEM/MAIL by mem.gob.pe (Mercury 1.13); Thu, 31 Jul 97 9:40:13 -0500
Received: from MAIL by MEM (Mercury 1.13); Thu, 31 Jul 97 9:40:11 -0500
Received: from Unknown by mem.gob.pe (Mercury 1.13); Thu, 31 Jul 97 9:40:09 -0500
Comments: Authenticated sender is
From: "Sergio Untiveros"
Organization: Ministerio de Energia y Minas
To: firewalls@GreatCircle.COM
Date: Thu, 31 Jul 1997 09:46:15 +0000
MIME-Version: 1.0
Content-type: text/plain; charset=US-ASCII
Content-transfer-encoding: 7BIT
Subject: Need Information on firewalls
X-mailer: Pegasus Mail for Win32 (v2.42)
Message-ID: <68DA0371B8B@mem.gob.pe>
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hello All;

My Friends, we need a Firewall Products on the market (Hardware or Software). What is FW1?

Best Regards
Sergio

Ing. Sergio Untiveros
Adm. de RED - MEM
Tel. 9946059
suntiver@mem.gob.pe
http://www.mem.gob.pe

From owner-firewalls-outgoing Mon Aug 4 01:47:16 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id XAA06338 for firewalls-outgoing; Sun, 3 Aug 1997 23:50:29 -0700 (PDT)
Received: (mcb@localhost) by honor.greatcircle.com (8.8.5/Honor-970427-1) id XAA06329 for firewalls@greatcircle.com; Sun, 3 Aug 1997 23:50:26 -0700 (PDT)
Received: from polaris.pacificnet.net (polaris.pacificnet.net [207.171.0.250]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id LAA05600 for ; Thu, 31 Jul 1997 11:39:53 -0700 (PDT)
Received: from default (ppp124.du.jetlink.net [206.72.64.124]) by polaris.pacificnet.net (8.8.5/8.8.5) with SMTP id LAA24438; Thu, 31 Jul 1997 11:31:04 -0700 (PDT)
Message-ID: <33E0DDEB.6F9E@pacificnet.net>
Date: Thu, 31 Jul 1997 11:48:11 -0700
From: "osiris@pacificnet.net"
Reply-To: osiris@pacificnet.net
Organization: osiris@pacificnet.net
X-Mailer: Mozilla 3.01 (Win95; I)
MIME-Version: 1.0
To: chester
CC: firewalls@GreatCircle.COM
Subject: Re: Merits
References: <2.2.32.19970731113207.00945524@138.79.130.10>
Content-Type: text/plain; charset=iso-8859-1
Content-Transfer-Encoding: 8bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> Can anybody point me in the direction of some sound documentation on the
> Advantages and disadvantages of some of the more well known
> packaged firewall products compared to Applications such as Socks 4/5.

I'm not going to claim that this is the perfect list for you, but a lot of people have asked for this document since I first posted it. I guess they're putting it up at freebsd.org. In the meantime, however, this will get you started. Eventually, by the way, this (and about two and a half times again) of a bibliography will go up at http://www.gnss.com. My partner and I are going to build a huge server there. In about a month or so. (It will be searchable, blah, blah. Oh yes...and free, of course.)
Unfortunately, in this batch, I don't really have anything that directly compares all firewalls to SOCKS technology specifically, but this will get you on that road. Here's the list, in descending order. All have some form of either comparison, a summary of features, wish lists, etc.(I haven't updated the links for some of M.J. Ranum's stuff, so, Mr. Ranum, if you're out there, you may wish to inform him - and me - of those new links.) The list follows: Rating of application layer proxies. Michael Richardson. Wed Nov 13 13:54:09 EST 1996. http://www.sandelman.ottawa.on.ca/SSW/proxyrating/proxyrating.html Comparison: Firewalls. June 17, 1996. LanTimes. Comprehensive comparison of a wide variety of firewall products. http://www.lantimes.com/lantimes/usetech/compare/pcfirewl.html PCWEEK Intranet and Internet Firewall Strategies. Ed Amoroso & Ron Sharp, Ziff Davies Firewall Performance Measurement Techniques: A Scientific Approach. Marcus Ranum. February 4, 1996 (Last Known Date of Mod.) http://www.v-one.com/pubs/perf/approaches.htm Internet Firewalls and Network Security. Chris Hare, Karanjit Siyan. 2nd Edition. New Riders Pub. August 1,1996. ISBN: 1562056328 Internet Firewalls. Scott Fuller, Kevin Pagan. Ventana Communications Group Inc. January 1997. ISBN: 1566045061 Building Internet Firewalls. D. Brent Chapman, Elizabeth D. Zwicky. O'Reilly & Associates (ORA). September 1,1995. ISBN: 1565921240 Firewalls and Internet Security : Repelling the Wily Hacker. Addison-Wesley Professional Computing. William R. Cheswick, Steven M. Bellovin. June 1,1994. ISBN: 0201633574 Actually Useful Internet Security Techniques. Larry J. Hughes, Jr. New Riders Publishing, ISBN 1-56205-508-9 Internet Security Resource Library : Internet Firewalls and Network Security, Internet Security Techniques, Implementing Internet Security. New Riders. December 1995. ISBN: 1562055062 Firewalls FAQ. Marcus J. Ranum. 
http://www.cis.ohio-state.edu/hypertext/faq/usenet/firewalls-faq/faq.html NCSA Firewall Policy Guide. Compiled by Stephen Cobb, Director of Special Projects. National Computer Security Association. http://www.ncsa.com/fwpg_p1.html There Be Dragons. Steven M. Bellovin. "To appear in Proceedings of the Third Usenix UNIX Security Symposium, Baltimore, September 1992." AT&T Bell Laboratories, Murray Hill, NJ. August 15, 1992 Keeping your site comfortably secure: An Introduction to Internet Firewalls. John P. Wack and Lisa J. Carnahan. National Institute ofStandards and Technology. John Wack Thursday, Feb 9 18:17:09 EST 1995. http://csrc.ncsl.nist.gov/nistpubs/800-10/ SQL*Net and Firewalls. David Sidwell & Oracle Corporation. http://www.zeuros.co.uk/firewall/library/oracle-and-fw.pdf Covert Channels in the TCP/IP Protocol Suite. Craig Rowland. Rotherwick & Psionics Software Systems Inc. http://www.zeuros.co.uk/firewall/papers.htm If You Can Reach Them, They Can Reach You. A PC Week Online Special Report, June 19, 1995. William Dutcher. http://www.pcweek.com/sr/0619/tfire.html Packet Filtering for Firewall Systems. February 1995. CERT (and Carnegie Mellon University.) ftp://info.cert.org/pub/tech_tips/packet_filtering Network Firewalls. Steven M. Bellovin and William R. Cheswick. ieeecm, 32(9), pp. 50-57, September 1994. Session-Layer Encryption. Matt Blaze and Steve Bellovin. Proceedings of the USENIX Security Workshop, June 1995. A Network Perimeter With Secure External Access. An extraordinary paper that details the implementation of a firewall purportedly at the White House. (Yes, the one at 1600 Pennsylvania Avenue.) Frederick M. Avolio; Marcus J. Ranum. (Trusted Information Systems, Incorporated). Glenwood, MD. January 25, 1994. http://www.alw.nih.gov/Security/FIRST/papers/firewall/isoc94.ps Packets Found on an Internet. Interesting Analysis of packets appearing at the Application Gateway of AT&T. Steven M. Bellovin. Lambda. August 23, 1993. 
ftp://ftp.research.att.com/dist/smb/packets.ps Using Screend to implement TCP/IP Security Policies. Jeff Mogul. Rotherwick and Digital. http://www.zeuros.co.uk/firewall/library/screend.ps Firewall Application Notes. Good document that starts out by describing how to build a firewall. It also addresses application proxies, Sendmail in relation to firewalls and the characteristics of a bastion host. Livingston Enterprises, Inc. http://www.telstra.com.au/pub/docs/security/firewall-1.1.ps.Z X Through the Firewall, and Other Application Relays. Treese/Wolman Digital Equipment Corp. Cambridge Research Lab. (October, 1993?). ftp://crl.dec.com/pub/DEC/CRL/tech-reports/93.10.ps.Z Intrusion Protection for Networks 171. BYTE Magazine. April, 1995. Benchmarking Methodology for Network Interconnect Devices. RFC 1944. S. Bradner & J. McQuaid. ftp://ds.internic.net/rfc/rfc1944.txt WARDING OFF THE CYBERSPACE INVADERS. Business Week. 03/13/95. Amy Cortese in New York, with bureau reports Vulnerability in Cisco Routers used as Firewalls. Computer Incident Advisory Capability Advisory: Number D-15. May 12, 1993 1500 PDT. http://ciac.llnl.gov/ciac/bulletins/d-15.shtml WAN-Hacking with AutoHack - Auditing Security behind the Firewall. Alec D.E. Muffett. (network Security Group, Sun Microsystems, United Kingdom.) Written by the author of Crack, the famous password cracking program. Extraordinary document that deals with methods of auditing security from behind a firewall. (And auditing of a network so large that it contained tens of thousands of hosts!) June 6, 1995. http://www.telstra.com.au/pub/docs/security/muffett-autohack.ps Windows NT Firewalls Are Born. February 4, 1997. PC Magazine. http://www.pcmagazine.com/features/firewall/_open.htm Group of 15 Firewalls Hold Up Under Security Scrutiny. Stephen Lawson June 1996. InfoWorld. http://www.infoworld.com/cgi-bin/displayStory.pl?96067.firewall.htm IP v6 Release and Firewalls. Uwe Ellermann. 
14th Worldwide Congress on Computer and Communications Security. Protection, pp. 341-354, June 1996.

The SunScreen Product Line Overview. (Sun Microsystems.) http://www.sun.com/security/overview.html

Product Overview for IBM Internet Connection Secured Network Gateway for AIX, Version 2.2. (IBM Firewall Information.) http://www.ics.raleigh.ibm.com/firewall/overview.htm

The Eagle Firewall Family. (Raptor Firewall Information.) http://www.raptor.com/products/brochure/40broch.html

Secure Computing Firewall™ for NT. Overview. (Secure Computing). http://www.sctc.com/NT/HTML/overview.html

Check Point FireWall-1 Introduction. (Checkpoint Technologies Firewall Information.) http://www.checkpoint.com/products/firewall/intro.html

Cisco PIX Firewall. (Cisco Systems Firewall Information.) http://www.cisco.com/univercd/data/doc/cintrnet/prod_cat/pcpix.htm

Protecting the Fortress From Within and Without. R. Scott Raynovich. April 1996. LAN Times. http://www.wcmh.com/lantimes/96apr/604c051a.html

Internet Firewalls: An Introduction. Firewall White Paper. NMI Internet Expert Services. PO Box 8258. Portland, ME 04104-8258. http://www.netmaine.com/netmaine/whitepaper.html

Features of the Centri(TM) Firewall. (Centri Firewall Information.) http://www.gi.net/security/centrifirewall/features.html

Five Reasons Why an Application Gateway is the Most Secure Firewall. (Global Internet.) http://www.gi.net/security/centrifirewall/fivereasons.html

An Introduction to Intrusion Detection. Aurobindo Sundaram. Last Apparent Date of Modification: October 26, 1996. http://www.techmanager.com/nov96/intrus.html

Intrusion Detection for Network Infrastructures. S. Cheung, K.N. Levitt, C. Ko. 1995 IEEE Symposium on Security and Privacy, Oakland, CA, May 1995. http://seclab.cs.ucdavis.edu/papers/clk95.ps

Network Intrusion Detection. Biswanath Mukherjee and L. Todd Heberlein and Karl N. Levitt. IEEE Network, May 1994.

Fraud and Intrusion Detection in Financial Information Systems. S. Stolfo and P.
Chan and D. Wei and W. Lee and A. Prodromidis. 4th ACM Computer and Communications Security Conference, 1997. http://www.cs.columbia.edu/~sal/hpapers/acmpaper.ps.gz

A Pattern-Oriented Intrusion-Detection Model and Its Applications. Shiuhpyng W. Shieh and Virgil D. Gligor. Research in Security and Privacy, IEEECSP, May 1991.

Detecting Unusual Program Behavior Using the Statistical Component of the Next-generation Intrusion Detection Expert System (NIDES). Debra Anderson, Teresa F. Lunt, Harold Javitz, Ann Tamaru, and Alfonso Valdes. SRI-CSL-95-06, May 1995. (Available in hard copy only.) Abstract: http://www.csl.sri.com/tr-abstracts.html#csl9506

Intrusion Detection Systems (IDS): A Survey of Existing Systems and A Proposed Distributed IDS Architecture. S.R. Snapp, J. Brentano, G.V. Dias, T.L. Goan, T. Grance, L.T. Heberlein, C. Ho, K.N. Levitt, B. Mukherjee, D.L. Mansur, K.L. Pon, and S.E. Smaha. Technical Report CSE-91-7, Division of Computer Science, University of California, Davis, February 1991. http://seclab.cs.ucdavis.edu/papers/bd96.ps

A Methodology for Testing Intrusion Detection Systems. N. F. Puketza, K. Zhang, M. Chung, B. Mukherjee, R. A. Olsson. IEEE Transactions on Software Engineering, Vol.22, No.10, October 1996. http://seclab.cs.ucdavis.edu/papers/tse96.ps

GrIDS -- A Graph-Based Intrusion Detection System for Large Networks. S. Staniford-Chen, S. Cheung, R. Crawford, M. Dilger, J. Frank, J. Hoagland, K. Levitt, C. Wee, R. Yip, D. Zerkle. The 19th National Information Systems Security Conference. http://seclab.cs.ucdavis.edu/papers/nissc96.ps

NetKuang--A Multi-Host Configuration Vulnerability Checker. D. Zerkle, K. Levitt, Proc. of the 6th USENIX Security Symposium. San Jose, California. 1996. http://seclab.cs.ucdavis.edu/papers/zl96.ps

Simulating Concurrent Intrusions for Testing Intrusion Detection Systems: Parallelizing Intrusions. M. Chung, N. Puketza, R.A. Olsson, B. Mukherjee. Proc. of the 1995 National Information Systems Security Conference.
Baltimore, Maryland. 1995. http://seclab.cs.ucdavis.edu/papers/cpo95.ps

Holding Intruders Accountable on the Internet. S. Staniford-Chen, and L.T. Heberlein. Proc. of the 1995 IEEE Symposium on Security and Privacy, Oakland, CA, 8-10 May 1995. http://seclab.cs.ucdavis.edu/~stanifor/seclab_only/notes/ieee_conf_94/revision/submitted.ps

Machine Learning and Intrusion Detection: Current and Future Directions. J. Frank. Proc. of the 17th National Computer Security Conference, October 1994.

Another Intrusion Detection Bibliography. http://doe-is.llnl.gov/nitb/refs/bibs/bib1.html

Intrusion Detection Bibliography. http://www.cs.purdue.edu/coast/intrusion-detection/ids_bib.html

Intrusion Detection Systems. This list concentrates primarily on discussions about methods of intrusion or intrusion detection. Target: majordomo@uow.edu.au Command: subscribe ids (In BODY of message)

The WWW Security List. Members of this list discuss all techniques to maintain (or subvert) WWW security. (Things involving secure methods of HTML, HTTP and CGI.) Target: www-security-request@nsmx.rutgers.edu Command: SUBSCRIBE www-security your_email_address (In BODY of message)

The Sneakers List. This list discusses methods of circumventing firewall and general security. This list is reserved for lawful tests and techniques. Target: majordomo@CS.YALE.EDU Command: SUBSCRIBE Sneakers (In BODY of message)

The Secure HTTP List. This list is devoted to the discussion of S-HTTP and techniques to facilitate this new form of security for WWW transactions. Target: shttp-talk-request@OpenMarket.com Command: SUBSCRIBE (In BODY of message)

The NT Security List. This list is devoted to discussing all techniques of security related to the Microsoft Windows NT operating system. (Individuals also discuss security aspects of other Microsoft operating systems as well.) Target: request-ntsecurity@iss.net Command: subscribe ntsecurity (In BODY of message)

The Bugtraq List.
This list is for posting or discussing bugs in various operating systems, though UNIX is the most often discussed. The information here can be quite explicit. If you are looking to learn the fine aspects (and cutting edge news) in UNIX security, this list is for you. Target: LISTSERV@NETSPACE.ORG Command: SUBSCRIBE BUGTRAQ (In BODY of message)

Password Security: A Case History. Robert Morris and Ken Thompson. http://www.sevenlocks.com/papers/password/pwstudy.ps

Site Security Handbook (update and Idraft version; June 1996, CMU. Draft-ietf-ssh-handbook-03.txt.) Barbara Fraser. http://www.internic.net/internet-drafts/draft-ietf-ssh-handbook-03.txt.

Improving the Security of Your Site by Breaking Into It. Dan Farmer & Wietse Venema. (1995) http://www.craftwork.com/papers/security.html.

Making Your Setup More Secure. NCSA Tutorial Pages. http://hoohoo.ncsa.uiuc.edu/docs/tutorials/security.html.

The Secure HyperText Transfer Protocol. E. Rescorla, A. Schiffman (EIT) July 1995. http://www.eit.com/creations/s-http/draft-ietf-wts-shttp-00.txt.

The SSL Protocol. (IDraft) Alan O. Freier & Philip Karlton (Netscape Communications) with Paul C. Kocher. http://home.netscape.com/eng/ssl3/ssl-toc.html.

Writing, Supporting, and Evaluating TripWire. A Publicly Available Security Tool; Kim/Spafford. http://www.raptor.com/lib/9419.ps

The Design and Implementation of TripWire. A Filesystem Integrity Checker; Kim/Spafford. Location: http://www.raptor.com/lib/9371.ps

X Window System Security. Ben Gross & Baba Buehler. Beckman Institute System Services. http://www.beckman.uiuc.edu/groups/biss/VirtualLibrary/xsecurity.html. Last Apparent Date of Modification: January 11, 1996.

On the (in)Security of the Windowing System X. Marc VanHeyningen of Indiana University. http://www.cs.indiana.edu/X/security/intro.html. September 14, 1994.

Security in the X11 Environment. Pangolin. University of Bristol, UK. January, 1995. http://sw.cse.bris.ac.uk/public/Xsecurity.html.

Security in Open Systems.
(NIST) John Barkley, Editor. (With Lisa Carnahan, Richard Kuhn, Robert Bagwill, Anastase Nakassis, Michael Ransom, John Wack, Karen Olsen, Paul Markovitz and Shu-Jen Chang.) US Department of Commerce. Section: The X Window System: Bagwill, Robert. http://csrc.ncsl.nist.gov/nistpubs/800-7/node62.html#SECTION06200000000000000000.

Security Enhancements of the DEC MLS+ System; The Trusted X Window System. November, 1995. http://ftp.digital.com/pub/Digital/info/SPD/46-21-XX.txt

Evolution of a Trusted B3 Window System Prototype. J. Epstein, J. Mc Hugh, R. Pascale, C. Martin, D. Rothnie, H. Orman, A. Marmor-Squires, M. Branstad, and B. Danner, In Proceedings of the 1992 IEEE Symposium on Security and Privacy, 1992.

A Prototype B3 Trusted X Window System. J. Epstein, J. Mc Hugh, R. Pascale, H. Orman, G. Benson, C. Martin, A. Marmor-Squires, B. Danner, and M. Branstad, The Proceedings of the 7th Computer Security Applications Conference, December, 1991.

Improving X Windows Security. UNIX World, (Volume IX, Number 12) December 1992. Linda Mui.

Security and the X Window System. UNIX World, 9(1), p. 103. January 1992. Dennis Sheldrick.

The X Window System. Scheifler, Robert W. & Gettys, Jim. ACM Transactions on Graphics. Vol.5, No. 2 (April 1986), pp. 79-109. http://www.acm.org/pubs/toc/Abstracts/0730-0301/24053.html.

X Window Terminals. Digital Technical Journal of Digital Equipment Corporation, 3(4), pp. 26-36, Fall 1991. Björn Engberg and Thomas Porcher. ftp://ftp.digital.com/pub/Digital/info/DTJ/v3n4/X_Window_Terminals_01jul1992DTJ402P8.ps.

Information Security: Computer Attacks at Department of Defense Pose Increasing Risks; General Accounting Office. Report on Failed Security at US Defense Sites. http://www.epic.org/security/GAO_OMB_security.html

Defense Directive 5200.28. "Security requirements for Automated Information Systems." Document describing some antiquated government standards for security.
http://140.229.1.16:9000/htdocs/teinfo/directives/soft/5200.28.html

The Evaluated Products List (EPL). A list of products that have been evaluated for security ratings, based on DOD guidelines. http://www.radium.ncsc.mil/tpep/epl/index.html

INTERNIC, or the Network Information Center. INTERNIC provides comprehensive databases on networking information. These databases contain the larger portion of collected knowledge on the design and scope of the Internet. (Of main importance here is the database of RFC documents.) http://ds0.internic.net/ds/dspg1intdoc.html

The Rand Corporation. Security resources of various sorts. Also: very engrossing "early" documents on the Internet’s design. http://www.rand.org/publications/electronic/

Connected: An Internet Encyclopedia. (Incredible on-line resource for RFC documents and related information, apparently painstakingly translated into HTML.) http://www.freesoft.org/Connected/RFC/826/

The Computer Emergency Response Team. (CERT) An organization that assists sites in responding to network security violations, break-ins and so forth. Great source of information, particularly for vulnerabilities. http://www.cert.org.

Security Survey of Key Internet Hosts & Various Semi-Relevant Reflections. D. Farmer. Fascinating independent study conducted by one of the authors of the now famous SATAN program. The survey involved approximately 2200 sites. The results are disturbing. http://www.trouble.org/survey/

CIAC. (U.S. Department of Energy's Computer Incident Advisory Capability.) The CIAC provides computer security services to employees and contractors of the United States Department of Energy, but the site is open to the public as well. There are many tools and documents at this location. http://ciac.llnl.gov/

The National Computer Security Association. This site contains a great deal of valuable security information, including reports, papers, advisories and analyses of various computer security products and techniques.
http://www.ncsa.com/

Short Courses in Information Systems Security at George Mason University. This site contains information about security courses. Moreover, there are links to a comprehensive bibliography of various security related documents. http://www.isse.gmu.edu:80/~gmuisi/

NCSA RECON. Spooks on the Net. The National Computer Security Association’s "special" division. They offer a service where one can search through thousands of downloaded messages passed amongst hackers and crackers on BBS boards and the Internet. An incredible security resource, but a commercial one. http://www.isrecon.ncsa.com/public/faq/isrfaq.htm

Lucent Technologies. Courses on security from the folks who really know security. http://www.attsa.com/

Massachusetts Institute of Technology distribution site for United States residents for Pretty Good Privacy (PGP). PGP provides some of the most powerful, military grade encryption currently available. http://web.mit.edu/network/pgp.html

The Anonymous Remailer FAQ. A document that covers all aspects of anonymous remailing techniques and tools. http://www.well.com/user/abacard/remail.html

The Anonymous Remailer List. A comprehensive but often changing (dynamic) list of anonymous remailers http://www.cs.berkeley.edu/~raph/remailer-list.html

Microsoft ActiveX Security. This page addresses the security features of ActiveX. http://www.microsoft.com/intdev/signcode/

Purdue University COAST Archive. One of the more comprehensive security sites, containing many tools and documents of deep interest within the security community. http://www.cs.purdue.edu//coast/archive/

Raptor Systems. Makers of one of the better firewall products on the Net have established a fine security library. http://www.raptor.com/library/library.html

The Risks Forum. A moderated digest of security and other risks in computing. A great resource that is also searchable. You can tap the better security minds on the Net. http://catless.ncl.ac.uk/Risks

FIRST.
(Forum of Incident Response and Security Teams). A conglomeration of many organizations undertaking security measures on the Internet. A powerful organization and good starting place for sources. http://www.first.org/

The CIAC Virus Database. The ultimate virus database on the Internet. An excellent resource to learn about various viruses that can affect your platform. http://ciac.llnl.gov/ciac/CIACVirusDatabase.html

Information Warfare and Information Security on the Web. A comprehensive list of links and other resources concerning Information Warfare over the Internet. http://www.fas.org/irp/wwwinfo.html

Criminal Justice Studies of the Law Faculty of University of Leeds, The United Kingdom. Site with interesting information on cryptography and civil liberties. http://www.leeds.ac.uk/law/pgs/yaman/cryptog.htm.

Federal Information Processing Standards Publication documents. (Government guidelines.) National Institute of Standards and Technology reports on DES encryption and related technologies. http://csrc.nist.gov/fips/fips46-2.txt

Wordlists available at NCSA and elsewhere. (For use in testing the strength of, or "cracking" UNIX passwords.) http://sdg.ncsa.uiuc.edu/~mag/Misc/Wordlists.html.

Department of Defense Password Management Guideline. (Treatment of password security in classified environments.) http://www.alw.nih.gov/Security/FIRST/papers/password/dodpwman.txt

Dr. Solomon’s. A site filled with virus information. Anyone concerned with viruses (or anyone who just wants to know more about virus technology) should visit Dr. Solomon’s site. http://www.drsolomon.com/vircen/allabout.html

The Seven Locks server. An eclectic collection of security resources, including a number of papers that cannot be found elsewhere! http://www.sevenlocks.com/CIACA-10.htm.

S/Key informational page. Provides information on S/Key and use of one time passwords in authentication. http://medg.lcs.mit.edu/people/wwinston/skey-overview.html.

A page devoted to ATP, the "Anti-Tampering Program". (In some ways, similar to Tripwire or Hobgoblin.) http://www.cryptonet.it/docs/atp.html

Bugtraq Archives. An archive of the popular mailing list, Bugtraq. This is significant because Bugtraq is one of the most reliable sources for up-to-date reports on newly found vulnerabilities in UNIX (and at times, other operating systems.) http://geek-girl.com/bugtraq/

Wang Federal. This company produces very high quality security operating systems and other security solutions. They are the leader in TEMPEST technology. http://www.wangfed.com

The Center for Secure Information Systems. This site, affiliated with the Center at George Mason University, has some truly incredible papers. There is much research going on here; research of a cutting edge nature. The link below sends you directly to the publications page, but you really should explore the entire site. http://www.isse.gmu.edu/~csis/publication.html

SRI International. Some very highbrow technical information. The technical reports here are of extreme value. However, you must have at least a fleeting background in security to even grasp some of the concepts. Nevertheless, a great resource. http://www.sri.com/

The Security Reference Index. This site, maintained by the folks at telstra.com, is a comprehensive pointer page to many security resources. http://www.telstra.com.au/info/security.html

Wietse Venema’s Tools Page. This page, maintained by Wietse Venema (co-author of SATAN and author of TCP_Wrapper and many other security tools), is filled with papers, tools and general information. It is a must-visit for any UNIX system administrator. ftp://ftp.win.tue.nl/pub/security/index.html

United States. Congress. House. Committee on Science, Space, and Technology. Subcommittee on Science. Internet security : Hearing Before the Subcommittee on Science of the Committee on Science, Space, and Technology. U.S.
House of Representatives, One Hundred Third Congress, second session, March 22, 1994. Washington. U.S. G.P.O. For sale by the U.S. G.P.O., Supt. of Docs., Congressional Sales Office, 1994.

UNIX Unleashed. SAMS Publishing, 1994. ISBN: 0-672-30402-3.

Internet QuickKIT. Brad Miser. HAYDEN. ISBN: 1568302401

Bots and Other Internet Beasties. SAMS.NET. Joseph Williams. ISBN: 1575210169 (1996)

The Internet Unleashed 1996. SAMS.NET. SAMS Development Group. ISBN: 157521041X. (1995)

Microsoft Internet Information Server 2 Unleashed. Arthur Knowles. SAMS.NET. ISBN: 1575211092. (1996)

Designing and Implementing Microsoft Internet Information Server. SAMS.NET. ISBN: 1575211688. (1996)

Internet Research Companion. Que Education and Training. Geoffrey McKim. ISBN: 1575760509. (1996)

An Interactive Guide to the Internet. Que Education and Training. J. Michael Blocher, Vito Amato & Jon Storslee. ISBN: 1575763540. (1996)

Internet Security for Business. New York. Wiley, 1996. xi, 452 p. : ill. ; 24 cm. LC CALL NUMBER: HD30.38 .I57 1996

Managing Windows NT Server 4. NRP. Howard F. Hilliker. ISBN: 1562055763. (1996)

Internet 1997 Unleashed, Second Edition. SAMS.NET. Jill Ellsworth, Billy Barron, et al. ISBN: 1575211858. (1996)

Windows NT Server 4 Security, Troubleshooting, and Optimization. NRP. ISBN: 1562056018. (1996)

Apache Server Survival Guide. SAMS.NET. Manuel Alberto Ricart. ISBN: 1575211750. (1996)

Internet Firewalls and Network Security, Second Edition. NRP. Chris Hare and Karanjit S. Siyan, Ph.D. ISBN: 1562056328. (1996)

PC Week Intranet and Internet Firewalls Strategies. ZDPRESS. Ed Amoroso & Ronald Sharp. ISBN: 1562764225. (1996)

Internet Security Professional Reference. NRP. Chris Hare, et al. ISBN: 1562055577. (1996)

NetWare Security. NRP. William Steen. ISBN: 1562055453. (1996)

Internet Security Resource Library. NRP. Box-set. ISBN: 1562055062. (1996)

LINUX System Administrator's Survival Guide. SAMS. Timothy Parker, Ph. D. ISBN: 0672308509. (1996)

Internet Commerce.
NRP. Andrew Dahl and Leslie Lesnick. ISBN: 1562054961. (1995)

Windows NT Server 4 Security, Troubleshooting, and Optimization. NRP. ISBN: 1562056018. (1996)

E-Mail Security: How To Keep Your Electronic Messages Private. Bruce Schneier. John Wiley & Sons Inc. 605 Third Ave. New York, NY 10158. ISBN: 0-471-05318-X

Protection and Security on the Information Superhighway. Frederick B. Cohen. John Wiley & Sons Inc. 605 Third Ave. New York, NY 10158. ISBN: 0-471-11389-1

From owner-firewalls-outgoing Mon Aug 4 02:35:08 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id XAA03116 for firewalls-outgoing; Sun, 3 Aug 1997 23:19:54 -0700 (PDT)
Received: from dfw-ix13.ix.netcom.com (dfw-ix13.ix.netcom.com [206.214.98.13]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id TAA15531 for ; Sun, 3 Aug 1997 19:30:28 -0700 (PDT)
Received: (from smap@localhost) by dfw-ix13.ix.netcom.com (8.8.4/8.8.4) id VAA08549; Sun, 3 Aug 1997 21:28:40 -0500 (CDT)
Received: from tal-fl2-17.ix.netcom.com(205.184.150.81) by dfw-ix13.ix.netcom.com via smap (V1.3) id sma008535; Sun Aug 3 21:28:29 1997
Message-ID: <33E53EA1.568B70AF@cyberservices.com>
Date: Sun, 03 Aug 1997 22:29:54 -0400
From: Jim Geuin
X-Mailer: Mozilla 4.01 [en] (Win95; U)
MIME-Version: 1.0
To: kgroup
CC: Verna D Dick , Great Bend Tribune , Alan , "Bob522@aol.com" , "CHOYBOK@aol.com" , Christopher Ray Parrish , "firewalls@greatcircle.com" , "Visionprof@aol.com" , ZWH
Subject: Re: [Fwd: [Fwd: Subject: good luck totem]]
X-Priority: 3 (Normal)
References: <33E3F2BA.745651B9@snowcrest.net>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

kgroup wrote:
> We need all the luck we can get, so here goes!!!
>
>
> -------------------------------------------------------------------------------------------------------------
>
> Subject: [Fwd: Subject: good luck totem]
> Date: Tue, 29 Jul 1997 22:54:02 -0700
> From: Risa Roberta Goldberg
> To: valdape@ix.netcom.com, kgroup@snowcrest.net, chezi369@aol.com,
> ndelaney@adnc.com, ffrey@acad.com, zdrgz@juno.com, katg@juno.com,
>
> rsgit@cts.com, MICKEVICH.MARY@NMNH.SI.EDU, NNewk@aol.com
>
> Subject: Subject: good luck totem
> Date: Tue, 29 Jul 1997 08:09:05 -0700
> From: Marci Bunescu
> To: jtaylor@grossmont.k12.ca.us, mfj001@aol.com, "James, Pat"
> ,
> gbunescu@signif.com, edbo@thorin.instanet.com, grassweb@ftel.net,
>
> risasplace@sprintmail.com, lglass@sbjrhigh.sbceo.k12.ca.us,
> darlacox@aol.com, tasegeal@aol.com
>
>
>
>
>
> >Hawaiian GOOD LUCK TOTEM
> > \\\|||///
> > =========
> > - | O O |
> > / \ \ @'/
> > # _| |_
> > (#) ( )
> > #\//|* *|\\
> > #\/( * )/
> > # =====
> > # (\|/)
> > # || ||
> > .#.--'| |---..
> > #'---' ----'
> >
> >This totem has been sent to you for good luck. It has been sent
> >around the world nine times so far. You will receive good luck
> >within four days of relaying this totem..
> >
> >Send copies to people you think need good luck. Don't send money as
> >fate has no price. Do not keep this message..
> >
> >The totem must leave your hands in 96 hours. Send ten copies and see
> >what happens in four days. You will get a surprise. This is true,
> >even if you are not superstitious..
> >
> >Good luck, but please remember: 10 copies of this message must leave
> >your hands in 96 hours... You must not sign on message....

--
Organizations that do not have someone with a clear technological vision and the power to encourage cohesiveness cannot accomplish much from a security perspective.
From owner-firewalls-outgoing Mon Aug 4 02:57:32 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id XAA02948 for firewalls-outgoing; Sun, 3 Aug 1997 23:17:44 -0700 (PDT)
Received: from mycroft.GreatCircle.COM (mycroft.greatcircle.com [198.102.244.35]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id UAA20862 for ; Sun, 3 Aug 1997 20:00:47 -0700 (PDT)
Received: from tounes.ati.tn by mycroft.GreatCircle.COM (8.8.5/SMI-4.1/Brent-970426) id JAA00569; Sat, 2 Aug 1997 09:48:23 -0700 (PDT)
Received: from abla.cynex.com.tn (abla.cynex.com.tn [193.95.99.132]) by tounes.ati.tn (8.6.9/8.6.9) with SMTP id RAA07647; Sat, 2 Aug 1997 17:50:44 GMT
Message-ID: <33E36594.26AE@cynex.com>
Date: Sat, 02 Aug 1997 17:51:32 +0100
From: Izhar Mahjoub
Organization: Cynex Software
X-Mailer: Mozilla 3.01 (X11; I; HP-UX A.09.07 9000/715)
MIME-Version: 1.0
To: Firewalls , Checkpoint Mailing List
Subject: firewall -1 DMZ
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

While installing my firewall on NT4.0 I set up a DMZ with a fake
address range I've been given by the person who sold it to me.
The firewall works fine but once a day I have a message saying that the
system found a duplicated address on my LAN and it disables the Firewall
and the Gateway on the System.
Can anyone give me a clue on that?
Are the DMZ addresses defined somewhere?
Thanks,
--
Izhar Mahjoub
Cynex Software Inc,
Manager
Installation & Telecommunication Support Center

Voice :216 1 238 011
Fax :216 1 238 808
E-Mail :izhar@cynex.com

From owner-firewalls-outgoing Mon Aug 4 04:17:35 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id DAA13206 for firewalls-outgoing; Mon, 4 Aug 1997 03:36:16 -0700 (PDT)
Received: from dante.iol.it (dante.iol.it [194.20.24.2]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id DAA13173 for ; Mon, 4 Aug 1997 03:35:59 -0700 (PDT)
Received: from interbusiness.it ([195.103.225.5]) by dante.iol.it (8.8.3/8.6.12) with SMTP id MAA12867; Mon, 4 Aug 1997 12:36:33 +0200
Message-Id: <3.0.1.32.19970804123642.006afb78@popmail.iol.it>
X-Sender: accosto@popmail.iol.it
X-Mailer: Windows Eudora Light Version 3.0.1 (32)
Date: Mon, 04 Aug 1997 12:36:42 +0200
To: Bertrum Carroll , "Firewalls@GreatCircle.COM" , "fw-1-mailinglist@us.checkpoint.com"
From: Alberto Accossato
Subject: Re: [FW1] PPTP & FW-1
In-Reply-To: <33E212A8.DF93D35F@90.deere.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

At 11.45 01/08/97 -0500, Bertrum Carroll wrote:
>I'm attempting to setup a FW-1 filter to support PPTP.
>I'm using FW-1 3.0a on Solaris.
>
>PPTP is not defined, how do I set up a filter just for PPTP not all IP?
>
>Thanks In Advance
>Bert Carroll
>
>

I'm sorry but I don't know exactly why this message arrived to me. Actually I'm not able to answer your question. Good bye!
From owner-firewalls-outgoing Mon Aug 4 04:31:39 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id DAA13523 for firewalls-outgoing; Mon, 4 Aug 1997 03:40:31 -0700 (PDT)
Received: from dante.iol.it (dante.iol.it [194.20.24.2]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id DAA13480 for ; Mon, 4 Aug 1997 03:39:52 -0700 (PDT)
Received: from interbusiness.it ([195.103.225.5]) by dante.iol.it (8.8.3/8.6.12) with SMTP id MAA13273; Mon, 4 Aug 1997 12:40:23 +0200
Message-Id: <3.0.1.32.19970804124034.0069fe38@popmail.iol.it>
X-Sender: accosto@popmail.iol.it
X-Mailer: Windows Eudora Light Version 3.0.1 (32)
Date: Mon, 04 Aug 1997 12:40:34 +0200
To: Izhar Mahjoub , Firewalls , Checkpoint Mailing List
From: Alberto Accossato
Subject: Re: [FW1] firewall -1 DMZ
In-Reply-To: <33E36594.26AE@cynex.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

At 17.51 02/08/97 +0100, Izhar Mahjoub wrote:
>While installing my firewall on NT4.0 I set up a DMZ with a fake
>address range I've been given by the person who sold it to me.
>The firewall works fine but once a day I have a message saying that the
>system found a duplicated address on my LAN and it disables the Firewall
>and the Gateway on the System.
>Can anyone give me a clue on that?
>Are the DMZ addresses defined somewhere?
>Thanks,
>--
>Izhar Mahjoub
>Cynex Software Inc,
>Manager
>Installation & Telecommunication Support Center
>
>Voice :216 1 238 011
>Fax :216 1 238 808
>E-Mail :izhar@cynex.com
>
>

I'm sorry but I don't know exactly why this message arrived to me. Actually I'm not able to answer your question. Good bye!
From owner-firewalls-outgoing Mon Aug 4 04:37:25 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id DAA13567 for firewalls-outgoing; Mon, 4 Aug 1997 03:41:02 -0700 (PDT)
Received: from dante.iol.it (dante.iol.it [194.20.24.2]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id DAA13524 for ; Mon, 4 Aug 1997 03:40:35 -0700 (PDT)
Received: from interbusiness.it ([195.103.225.5]) by dante.iol.it (8.8.3/8.6.12) with SMTP id MAA13333; Mon, 4 Aug 1997 12:40:49 +0200
Message-Id: <3.0.1.32.19970804124100.006ca04c@popmail.iol.it>
X-Sender: accosto@popmail.iol.it
X-Mailer: Windows Eudora Light Version 3.0.1 (32)
Date: Mon, 04 Aug 1997 12:41:00 +0200
To: csubasi@garanti.com.tr, Firewalls , Checkpoint Mailing List
From: Alberto Accossato
Subject: Re: [FW1] Installation of Failover Gateway in FW-1 3.0a...
In-Reply-To: <33E37B28.778A@garanti.com.tr>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

At 11.23 02/08/97 -0700, Cihan Subasi wrote:
>We installed the Failover Gateway to backup our FW-1 3.0a, looks like
>everything is fine but I have a problem with the machines on DMZ
>interface...All our internet servers (other than firewall machines) are
>running on a RS6000 with AIX 4.1.4 but in order to make them see
>Failover Gateway when master firewall dies we have to give a second
>default gateway to the AIXs, here is the problem looks like AIX do not
>take a second default gateway with a higher metric...Anybody can help me
>to solve the problem?
>
> Thanks,
>--
>
>****************************************************************************
>Cihan Subasi,
>Garanti Ticaret AS,Istanbul Turkey
>email:csubasi@garanti.com.tr tel: +902126570404 fax: +902126570473
>****************************************************************************
>
>

I'm sorry but I don't know exactly why this message arrived to me. Actually I'm not able to answer your question. Good bye!
From owner-firewalls-outgoing Mon Aug 4 04:39:51 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id DAA13625 for firewalls-outgoing; Mon, 4 Aug 1997 03:42:17 -0700 (PDT) Received: from dante.iol.it (dante.iol.it [194.20.24.2]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id DAA13600 for ; Mon, 4 Aug 1997 03:41:33 -0700 (PDT) Received: from interbusiness.it ([195.103.225.5]) by dante.iol.it (8.8.3/8.6.12) with SMTP id MAA13453; Mon, 4 Aug 1997 12:41:54 +0200 Message-Id: <3.0.1.32.19970804124206.006f3e48@popmail.iol.it> X-Sender: accosto@popmail.iol.it X-Mailer: Windows Eudora Light Version 3.0.1 (32) Date: Mon, 04 Aug 1997 12:42:06 +0200 To: trall@almaden.ibm.com, firewalls@greatcircle.com, fw-1-mailinglist@us.checkpoint.com From: Alberto Accossato Subject: Re: [FW1] Re: Installation of Failover Gateway in FW-1 3.0a... In-Reply-To: <882564E7.007A5F6E.00@mailgw1.almaden.ibm.com> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: firewalls-owner@GreatCircle.COM Precedence: bulk At 15.36 02/08/97 -0700, trall@almaden.ibm.com wrote: > > >>> > > >csubasi@garanti.com.tr on 08-02-97 11:23:36 AM >We installed the Failover Gateway to backup our FW-1 3.0a, looks like >everything is fine but I have a problem with the machines on DMZ >interface...All our internet servers (other than firewall machines) are >running on a RS6000 with AIX 4.1.4 but in order to make them see >Failover Gateway when master firewall dies we have to give a second >default gateway to the AIXs, here is the problem looks like AIX do not >take a second default gateway with a higher metric...Anybody can help me >to solve the problem? ><< > >My understanding of how routing works is that what you're trying to do will >not work. The routing process looks in the route table and chooses the >best route to the destination. 
It doesn't matter how many other routes to >the same destination are in the table - only the first choice will be used. >This is true even if the first-choice router is down. > >So even if Aix would allow you to add a second default route, it won't do >you any good. > >What is needed is a dynamic update of the routing table. This is normally >accomplished by using a dynamic routing protocol, such as RIP or OSPF. >Your routers advertise their routes (hopefully only a default route if >they're connected to the Internet), and you run gated on your servers. >When one of the routers stops announcing its routes, the routes for the >other one will be the only ones left in the server's table. > >Tony Rall > > > I'm sorry but I don't know exactly why this message arrived to me. Actualy I'm not able to answer your question. Good bye! From owner-firewalls-outgoing Mon Aug 4 04:46:35 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id DAA13684 for firewalls-outgoing; Mon, 4 Aug 1997 03:43:08 -0700 (PDT) Received: from dante.iol.it (dante.iol.it [194.20.24.2]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id DAA13647 for ; Mon, 4 Aug 1997 03:42:50 -0700 (PDT) Received: from interbusiness.it ([195.103.225.5]) by dante.iol.it (8.8.3/8.6.12) with SMTP id MAA13533; Mon, 4 Aug 1997 12:42:50 +0200 Message-Id: <3.0.1.32.19970804124303.006e377c@popmail.iol.it> X-Sender: accosto@popmail.iol.it X-Mailer: Windows Eudora Light Version 3.0.1 (32) Date: Mon, 04 Aug 1997 12:43:03 +0200 To: joe , Cihan Subasi From: Alberto Accossato Subject: Re: [FW1] Installation of Failover Gateway in FW-1 3.0a... Cc: Firewalls , Checkpoint Mailing List In-Reply-To: References: <33E37B28.778A@garanti.com.tr> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: firewalls-owner@GreatCircle.COM Precedence: bulk At 21.19 02/08/97 -0700, joe wrote: >Hello Cihan, > >I'll be trying this one soon too... 
RIP may be your only hope even though >it is crude...(via gated with higher/lower preferences)..unless you can >do router discovery with AIX boxes... too bad you are not using all Sun >workstations...(IMHO) :) > >I'm very interested to see if anyone else has done this or has a good >suggestion.. > >Cheers, >JP > >================================================================== >Joseph J. Pyle - Network Consultant _ >E-Mail Solutions @ PYLE.COM "<(o)>" > ~ >joe@pyle.com - Its in the eye of the beholder >================================================================== > >On Sat, 2 Aug 1997, Cihan Subasi wrote: > >> We installed the Failover Gateway to backup our FW-1 3.0a, looks like >> everything is fine but I have a problem with the machines on DMZ >> interface...All our internet servers (other than firewall machines) are >> running on a RS6000 with AIX 4.1.4 but in order to make them see >> Failover Gateway when master firewall dies we have to give a second >> default gateway to the AIXs, here is the problem looks like AIX do not >> take a second default gateway with a higher metric...Anybody can help me >> to solve the problem? >> >> Thanks, >> -- >> >> **************************************************************************** >> Cihan Subasi, >> Garanti Ticaret AS,Istanbul Turkey >> email:csubasi@garanti.com.tr tel: +902126570404 fax: +902126570473 >> **************************************************************************** >> > > I'm sorry but I don't know exactly why this message arrived to me. Actually I'm not able to answer your question. Good bye! 
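Added example (not part of any post in this archive): a toy Python model of the point made in the failover-gateway thread above, that a second static default route never takes over when the first gateway dies, while routes learned from announcements age out and leave the standby as the only choice. The gateway names and the 30-second step are assumptions; the 180-second timeout is the RIP default from RFC 1058.

```python
"""Toy model of the failover thread: static default routes vs. announced routes.

Constructed example. Gateway names and the 30-second step are assumptions;
the 180-second route timeout is the RIP default from RFC 1058.
"""
from dataclasses import dataclass

ROUTE_TIMEOUT = 180      # seconds without an announcement before a learned route expires
PRIMARY = "fw-primary"   # hypothetical name for the master firewall
STANDBY = "fw-standby"   # hypothetical name for the failover gateway


@dataclass
class Route:
    gateway: str
    metric: int
    learned: bool        # True if installed from a routing announcement
    last_heard: int = 0  # time of the last announcement (learned routes only)


class HostRoutes:
    """Default routes held by one DMZ server."""

    def __init__(self):
        self.routes = {}

    def add_static(self, gateway, metric):
        self.routes[gateway] = Route(gateway, metric, learned=False)

    def hear(self, gateway, metric, now):
        self.routes[gateway] = Route(gateway, metric, learned=True, last_heard=now)

    def next_hop(self, now):
        # Age out learned routes whose router has gone quiet; static routes never age.
        self.routes = {g: r for g, r in self.routes.items()
                       if not r.learned or now - r.last_heard <= ROUTE_TIMEOUT}
        if not self.routes:
            return None
        # Lowest metric wins. Nothing here checks whether the gateway is alive.
        return min(self.routes.values(), key=lambda r: (r.metric, r.gateway)).gateway


def simulate(dynamic, primary_dies_at, duration, step=30):
    """Return [(time, next_hop, delivered)] for one host sending a packet every step."""
    host = HostRoutes()
    if not dynamic:
        # Assumes the host accepted both static defaults, which the thread says AIX did not.
        host.add_static(PRIMARY, 1)
        host.add_static(STANDBY, 2)
    timeline = []
    for now in range(0, duration + 1, step):
        alive = {STANDBY}
        if now < primary_dies_at:
            alive.add(PRIMARY)
        if dynamic:
            # Only live gateways announce; a dead one simply falls silent.
            for gw in sorted(alive):
                host.hear(gw, 1 if gw == PRIMARY else 2, now)
        hop = host.next_hop(now)
        timeline.append((now, hop, hop in alive))
    return timeline


def recovery_time(timeline, primary_dies_at):
    """First time at or after the failure when a packet is delivered again, else None."""
    for now, _hop, delivered in timeline:
        if now >= primary_dies_at and delivered:
            return now
    return None


if __name__ == "__main__":
    for label, dynamic in (("static", False), ("announced", True)):
        tl = simulate(dynamic, primary_dies_at=60, duration=300)
        print(label, "routes: traffic recovers at", recovery_time(tl, 60))
        for row in tl:
            print("  t=%3d next_hop=%-10s delivered=%s" % row)
```

The gap between the failure and the route expiring is a window in which the servers still send to the dead firewall, so the timeout sets how long the DMZ stays unreachable.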
From owner-firewalls-outgoing Mon Aug 4 07:00:34 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id FAA28614 for firewalls-outgoing; Mon, 4 Aug 1997 05:53:38 -0700 (PDT) Received: from brussels.cisco.com (brussels.cisco.com [171.68.129.238]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id FAA28558 for ; Mon, 4 Aug 1997 05:53:11 -0700 (PDT) Received: from cons-evyncke.cisco.com (brussels-ppp2.cisco.com [171.68.146.23]) by brussels.cisco.com (8.8.5/8.8.5) with SMTP id OAA01305; Mon, 4 Aug 1997 14:50:04 +0200 (METDST) Message-Id: <3.0.32.19970804135929.006f8da8@brussels.cisco.com> X-Sender: evyncke@brussels.cisco.com X-Mailer: Windows Eudora Pro Version 3.0 (32) Date: Mon, 04 Aug 1997 14:50:33 +0000 To: Bertrum Carroll , "Firewalls@GreatCircle.COM" , "fw-1-mailinglist@us.checkpoint.com" From: Eric Vyncke Subject: Re: PPTP & FW-1 Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: firewalls-owner@GreatCircle.COM Precedence: bulk PPTP is using: - a modified GRE tunnel which lays directly on the top of IP with protocol (I do not have right now the number of the protocol but check in /etc/protocols for the right number) - a TCP control session to port 5678 (on the PPTP 'server') which is by the way a funny number ;-) Also beware that PPTP is probably useful for you but do not trust too much its security... -eric At 11:45 1/08/97 -0500, Bertrum Carroll wrote: >I'm attempting to setup a FW-1 filter to support PPTP. >I'm using FW-1 3.0a on Solaris. > >PPTP is not defined, how do I setup a filter just for PPTP not all IP? 
> >Thanks In Advance >Bert Carroll > Eric Vyncke Technical Consultant Cisco Systems Belgium SA/NV Phone: +32-2-778.4677 Fax: +32-2-778.4300 E-mail: evyncke@cisco.com Mobile: +32-75-312.458 From owner-firewalls-outgoing Mon Aug 4 07:31:20 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id GAA29659 for firewalls-outgoing; Mon, 4 Aug 1997 06:02:33 -0700 (PDT) Received: from ns.trade-a-plane.com (ns.trade-a-plane.com [208.138.64.15]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id GAA29603 for ; Mon, 4 Aug 1997 06:01:57 -0700 (PDT) Received: from greg.trade-a-plane.com ([208.138.64.110]) by ns.trade-a-plane.com (Netscape Mail Server v2.0) with ESMTP id AAA23401 for ; Mon, 4 Aug 1997 08:02:48 -0500 Message-ID: <33E5D2D5.61AF05DD@trade-a-plane.com> Date: Mon, 04 Aug 1997 08:02:13 -0500 From: greg@trade-a-plane.com (Greg Walker) Reply-To: greg@trade-a-plane.com Organization: TAP Publishing Company X-Mailer: Mozilla 4.01 [en] (Win95; I) MIME-Version: 1.0 To: firewalls@GreatCircle.com Subject: Re: Mail bombing made legal... X-Priority: 3 (Normal) References: Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Ron DuFresne wrote: > SPECIAL CLOAKING DEVICE: Email Blaster can successfully hide the > origin of > all email being sent out. Email Blaster can mask itself to look like > it > came from the recipients own host. This will help stop users from > flaming > your email box! > Is this for real? I have been getting hundreds of error messages from our mail server at night with the following content: Your message was not delivered because the destination computer was not found. Carefully check that it was spelled correctly and try sending it again if there were any mistakes. 
Host spamco.com not found The following recipients did not receive this message: The original mail envelope addresses are: User-From: SMTP<> Recipient: [] Anybody have any ideas? Thanks, Greg Walker TAP Publishing Company From owner-firewalls-outgoing Mon Aug 4 07:34:12 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id GAA04175 for firewalls-outgoing; Mon, 4 Aug 1997 06:37:16 -0700 (PDT) Received: from relay01.iafrica.com (relay01.iafrica.com [196.7.0.160]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id GAA03944 for ; Mon, 4 Aug 1997 06:35:50 -0700 (PDT) From: messer@iafrica.com Received: from default [196.31.18.34] by relay01.iafrica.com with esmtp (Exim 1.59 #1) id 0wvNIz-0002T1-00; Mon, 4 Aug 1997 15:36:14 +0200 To: Date: Mon, 4 Aug 1997 15:37:01 +0200 X-MSMail-Priority: Normal X-Priority: 3 X-Mailer: Microsoft Internet Mail 4.70.1155 MIME-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit Message-Id: Sender: firewalls-owner@GreatCircle.COM Precedence: bulk remove From owner-firewalls-outgoing Mon Aug 4 07:35:51 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id GAA05407 for firewalls-outgoing; Mon, 4 Aug 1997 06:49:12 -0700 (PDT) Received: from usr10.primenet.com (usr10.primenet.com [206.165.6.210]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id GAA05363 for ; Mon, 4 Aug 1997 06:48:57 -0700 (PDT) Received: from usr6 (usr6.dakotacom.net [207.201.204.135]) by usr10.primenet.com (8.8.5/8.8.5) with SMTP id GAA28919 for ; Mon, 4 Aug 1997 06:49:33 -0700 (MST) Date: Mon, 4 Aug 1997 06:49:33 -0700 (MST) Message-Id: <3.0.32.19970804064427.009beaf8@dakotacom.net> X-Sender: darksead@dakotacom.net X-Mailer: Windows Eudora Pro Version 3.0 (32) To: firewalls@greatcircle.com From: "DarkSead (Nick)" Subject: Routers and filtering Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: 
firewalls-owner@GreatCircle.COM Precedence: bulk I am looking for just a wee bit of information on providing some network security at the routers (or so I'm advised.) Currently, I have a Cisco 4700m which I would like to have do some packet filtering for our network. Basically, my questions are: A) What type of security/policy can or should be instated at a router. and B) does the 4700 have the capabilities to provide any form of security/filtering? Also, the current Firewall admin at the company I work for, has implemented a crude ipfwadm firewall built into a linux box to route incoming packets to certain subnets as a form of security...Can the 4700 do this as well? wa From owner-firewalls-outgoing Mon Aug 4 07:37:24 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id FAA28859 for firewalls-outgoing; Mon, 4 Aug 1997 05:55:41 -0700 (PDT) Received: from brussels.cisco.com (brussels.cisco.com [171.68.129.238]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id FAA28782 for ; Mon, 4 Aug 1997 05:55:03 -0700 (PDT) Received: from cons-evyncke.cisco.com (brussels-ppp2.cisco.com [171.68.146.23]) by brussels.cisco.com (8.8.5/8.8.5) with SMTP id OAA01300; Mon, 4 Aug 1997 14:50:01 +0200 (METDST) Message-Id: <3.0.32.19970804134735.006f77dc@brussels.cisco.com> X-Sender: evyncke@brussels.cisco.com X-Mailer: Windows Eudora Pro Version 3.0 (32) Date: Mon, 04 Aug 1997 14:50:30 +0000 To: "Piotr Kolodziej" , From: Eric Vyncke Subject: Re: Access-lists and routing performance Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: firewalls-owner@GreatCircle.COM Precedence: bulk At 15:07 1/08/97 +0200, Piotr Kolodziej wrote: >Hello, > >I want to verify an opinion that number of >clauses in access - list can dramatically affect >performance of filtering (screening) router. >Especially it was told about Cisco routers >by someone who pretends to be an authority. 
Piotr, First note that my E-mail is probably biased ;-) ACL parsing for all and every packet has of course a performance impact... but, in most cases it is not visible and even measurable :-) On high end router, you can even turn on a feature called NetFlow switching which uses a kind of cache (indexed by IP addresses and TCP/UDP ports). With Netflow, only the first packet goes through the ACL, the following packets are no longer checked against ACL. Now about the 'established' keyword. Right, Cisco router has had a bug in some particular config which is solved for a long time now :-) You can also expect a better and safer implementation via the use of 'reflexive ACL' to be shipped in 11.3 (in the very coming months). Hope this helps -eric Eric Vyncke Technical Consultant Cisco Systems Belgium SA/NV Phone: +32-2-778.4677 Fax: +32-2-778.4300 E-mail: evyncke@cisco.com Mobile: +32-75-312.458 From owner-firewalls-outgoing Mon Aug 4 07:38:52 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id FAA28157 for firewalls-outgoing; Mon, 4 Aug 1997 05:50:08 -0700 (PDT) Received: from mail.dialisdn.com (mail.dialisdn.com [209.4.65.5]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id FAA28122 for ; Mon, 4 Aug 1997 05:49:49 -0700 (PDT) Received: from eliashim.mail ([209.4.65.15]) by mail.dialisdn.com (Netscape Mail Server v2.0) with SMTP id AAA262 for ; Mon, 4 Aug 1997 08:50:26 -0400 Received: from ntpdc.eliashim [10.0.0.9] by eliashim.mail [10.0.0.13] with SMTP (MDaemon.v2.5.rA.b1.32R) for ; Mon, 04 Aug 97 08:48:55 -0500 Message-Id: <3.0.32.19970804085008.0070bd88@10.0.0.13> X-Sender: jerry@10.0.0.13 X-Mailer: Windows Eudora Pro Version 3.0 (32) Date: Mon, 04 Aug 1997 08:50:09 -0400 To: jle9@eci-esyst.com, firewalls@greatcircle.com From: Jerry Huyghe Subject: RE: Java Applet Scanner Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" X-MDMail-Server: MDaemon v2.5 rA b1 32R X-MDaemon-Deliver-To: 
firewalls@greatcircle.com Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Hi, >Is there any type of software that scans Java Applets for virus or = >corruption. We have a CyberGuard firewall but we are concerned about = >tainted applets filtering through...thanks in advance... > The latest Cyberguard firewall for Unix provides imbedded protection through the EliaShim ViruSafe anti-virus scanner. In the next few months, this scanner is going to have anti-vandal capabilities (for hostile Java and ActiveX) This protection will also be added to ViruSafe FireWall for FireWall-1 and TIS Gauntlet. The technology will come from eSafe Protect (http://www.esafe.com) For now, it is a good idea to use Netscape instead of IE (Java is more secure) and to use the highest security setting possible in Netscape. Best Regards, Jerry Huyghe Product Manager eSafe Technologies http://www.esafe.com A division of EliaShim Inc http://www.eliashim.com ----------------Intelligent Computer Security----------------- 1 SW 129th Ave, Suite 105 Phone : 800.477.5177 Ext 18 Pembroke Pines, FL 33027 Fax : 954.450.9612 ============================================================== From owner-firewalls-outgoing Mon Aug 4 07:46:46 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id HAA12168 for firewalls-outgoing; Mon, 4 Aug 1997 07:41:48 -0700 (PDT) Received: from lisa.enter.net.mx (lisa.enter.net.mx [200.23.147.10]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id HAA12147 for ; Mon, 4 Aug 1997 07:41:32 -0700 (PDT) Received: from karina (karina.enter.net.mx [200.23.147.14]) by lisa.enter.net.mx (8.8.5/8.8.5) with SMTP id JAA28444 for ; Mon, 4 Aug 1997 09:42:15 -0500 Message-ID: <33E2D91F.1DFC@enter.net.mx> Date: Sat, 02 Aug 1997 01:52:15 -0500 From: Cuauhtemoc Zamudio Avila X-Mailer: Mozilla 3.01Gold (WinNT; I) MIME-Version: 1.0 To: firewalls@greatcircle.com Subject: [Re: [Fwd: [Fwd: Subject: good luck totem]]] Content-Type: text/plain; 
charset=us-ascii Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Please, Don't send this kind of email, this ones just waste bandwidth, we are already good lucking people, because we are a community of thinking people. don't disturb about it, I'm not trying to offend you kgroup. just don't use this kind of email, it's like email spam. Cuauhtemoc Zamudio Avila Technical Support Enternet From owner-firewalls-outgoing Mon Aug 4 08:04:40 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id HAA14323 for firewalls-outgoing; Mon, 4 Aug 1997 07:58:08 -0700 (PDT) Received: from usr10.primenet.com (usr10.primenet.com [206.165.6.210]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id HAA14230 for ; Mon, 4 Aug 1997 07:57:46 -0700 (PDT) Received: from usr6 (darksead@usr6.dakotacom.net [207.201.204.135]) by usr10.primenet.com (8.8.5/8.8.5) with SMTP id HAA06756 for ; Mon, 4 Aug 1997 07:58:22 -0700 (MST) Date: Mon, 4 Aug 1997 07:58:22 -0700 (MST) Message-Id: <3.0.32.19970804075317.008fd098@dakotacom.net> X-Sender: darksead@dakotacom.net X-Mailer: Windows Eudora Pro Version 3.0 (32) To: firewalls@greatcircle.com From: "DarkSead (Nick)" Subject: Education Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: firewalls-owner@GreatCircle.COM Precedence: bulk In an effort to boost my own personal knowledge, as well as receiving the benefits of a more advanced knowledge, is there anyone out there that knows of any type of certification/training for security agents on networks? (even besides firewalls) I have found something from secure-it.net? (not sure if that's the site exactly) however they offer a certification called the Checkpoint Certified Security Engineer. Is this beneficial to anyone? is the training useful, or is it just something one could learn elsewhere....thanks in advance. 
-NM From owner-firewalls-outgoing Mon Aug 4 08:30:20 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id HAA12895 for firewalls-outgoing; Mon, 4 Aug 1997 07:47:47 -0700 (PDT) Received: from services.state.mo.us (services.state.mo.us [168.166.2.67]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id HAA12879 for ; Mon, 4 Aug 1997 07:47:36 -0700 (PDT) Received: (from moses@localhost) by services.state.mo.us (8.8.3/8.8.0) id JAA07624; Mon, 4 Aug 1997 09:48:57 -0500 (CDT) Date: Mon, 4 Aug 1997 09:48:56 -0500 (CDT) From: Ikoedem Moses To: Firewalls@GreatCircle.COM Subject: DNS ON IBM FIREWALL V3.1 Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk I have two name servers. One is behind the firewall and the other one is outside the firewall. The firewall is blocking udp 53 between these servers but there is an explicit rule to pass it. I do not have this problem with version 2.2. Please help. From owner-firewalls-outgoing Mon Aug 4 09:42:07 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id IAA19543 for firewalls-outgoing; Mon, 4 Aug 1997 08:43:57 -0700 (PDT) Received: from hcat.epcorp.com (test.epcorp.com [206.112.200.2]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id IAA19484 for ; Mon, 4 Aug 1997 08:43:29 -0700 (PDT) Received: from eppcmcw.eapi.com by hcat.epcorp.com id aa24225; 4 Aug 97 11:42 EDT Message-Id: <3.0.32.19970804114231.00d1fb44@mail.epcorp.com> X-Sender: martinw@mail.epcorp.com X-Mailer: Windows Eudora Pro Version 3.0 (32) Date: Mon, 04 Aug 1997 11:42:35 -0400 To: firewalls@greatcircle.com From: "Martin C. Walker" Subject: Security of IP to IPX internet gateway Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: firewalls-owner@GreatCircle.COM Precedence: bulk I have a division who uses a novell ipx network internally. 
They want to drop an ip to ipx gateway in place and use it to connect to the internet (partially to avoid the cost of a firewall). They think they are secure from any hacking attempts, denial of service or other issues because they are using IPX inside. Disregarding the issue of whether IPX will die in a few years, are there any security implications to their proposed setup ? Are there any IPX hacks which can be used thru one of these gateways ? -------------------------------------------------------------------------- Martin C. Walker | martinw@epcorp.com | PP-ASEL,IFR AA5-A 9908U Project Lead | (513)629-2517 | Blue Belt Okinawan Shuri-Ryu Eagle-Picher Inc. | Fax: (513)629-2449 | Porsche 911SC 580 Walnut St, | Cincinnati, OH 45202 | From owner-firewalls-outgoing Mon Aug 4 10:23:45 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id JAA23881 for firewalls-outgoing; Mon, 4 Aug 1997 09:14:33 -0700 (PDT) Received: from PRX_HAM1.Hamburg-Mannheimer.de ([195.50.138.234]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id JAA23774 for ; Mon, 4 Aug 1997 09:14:06 -0700 (PDT) From: Hartmut.Fehling@Hamburg-Mannheimer.de Received: by PRX_HAM1.Hamburg-Mannheimer.de(Lotus SMTP MTA unofficial unnumbered internal build) id C12564E9.0059B9C5 ; Mon, 4 Aug 1997 18:20:02 +0200 X-Lotus-FromDomain: HM To: Firewalls@GreatCircle.COM Message-ID: Date: Mon, 4 Aug 1997 17:45:01 +0200 Subject: Re: Lotus Notes Servers Mime-Version: 1.0 Content-type: text/plain; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk As I already pointed out to Jerry, I suggest that you place one Notes-Gateway-Server in your DMZ (third network on a dual-homed gateway) and configure your firewall in a fashion to accept the Notes-RPCs (Port 1329 or so) from the IP-Addresses of the external servers you want to connect to. 
Then you can have your Notes-Production-Server replicate (Pull-Push from the Production-Server which means the Gateway-Server is being pulled) data through your firewall to your Notes-Gateway-Server (you can also have a separate Modem-Link to the Notes-Gateway-Server) - be sure to implement a rule for that on your firewall, too. And yes, watch out for address-spoofing - Checkpoint FireWall-1 can do a neat job on killing spoofed packets. As far as scanning of attachments is concerned, GROUP Watchdog has a very good reputation in Germany - I haven't used it yet, though: http://www.group-wp.de/WWW_WP01.NSF/E-WatchDog?OpenView Regards, Hartmut Fehling Hamburg-Mannheimer Versicherungs-AG From owner-firewalls-outgoing Mon Aug 4 10:25:21 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id IAA17513 for firewalls-outgoing; Mon, 4 Aug 1997 08:28:48 -0700 (PDT) Received: from www.ctrl-alt-del.COM (ctrl-alt-del.com [206.163.47.249]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id IAA17501 for ; Mon, 4 Aug 1997 08:28:30 -0700 (PDT) Received: from localhost (alan@localhost) by www.ctrl-alt-del.COM (8.8.5/8.8.5) with SMTP id IAA23169; Mon, 4 Aug 1997 08:34:47 -0700 Date: Mon, 4 Aug 1997 08:34:47 -0700 (PDT) From: Alan To: Dick_Wall@stratus.com cc: firewalls@GreatCircle.COM Subject: Re: Web Oriented Mail Clients In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk On Sat, 2 Aug 1997 Dick_Wall@stratus.com wrote: > The question is ... > > I'm getting approached by various groups in my company, that want to > use Web oriented email clients, to access our email servers. That is, > they want to use the clients from the Internet points, to access servers > on the trusted/internal side of our network. They'd like us therefore, > to allow http access through the firewall. We don't allow that now, and > I don't plan to allow it in the future. 
> > Is there a secure means for providing such email access? Yes. Tell them to spend the $20/month and get an off-site e-mail account at a local ISP. Then forward their mail to that account. (Sounds like yet another product that management had been told they "gotta have". Making e-mail web based sounds like a perfect way to make it even less usable and more inflexible. Sounds like a perfect fit for most of the management I have known...) alan@ctrl-alt-del.com | Note to AOL users: for a quick shortcut to reply Alan Olsen | to my mail, just hit the ctrl, alt and del keys. From owner-firewalls-outgoing Mon Aug 4 12:18:31 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id IAA17573 for firewalls-outgoing; Mon, 4 Aug 1997 08:29:08 -0700 (PDT) Received: from halon.sybase.com (halon.sybase.com [192.138.151.33]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id IAA17504 for ; Mon, 4 Aug 1997 08:28:34 -0700 (PDT) Received: from smtp1.sybase.com (sybgate.sybase.com [130.214.220.35]) by halon.sybase.com (8.8.4/8.8.4) with SMTP id IAA29899 for ; Mon, 4 Aug 1997 08:32:46 -0700 (PDT) Received: from notesgw2.sybase.com by smtp1.sybase.com (4.1/SMI-4.1/SybH3.5-030896) id AA12147; Mon, 4 Aug 97 08:31:05 PDT Received: (from unixsvr1@localhost) by notesgw2.sybase.com (8.8.4/8.8.4) id IAA21917 for @sybgate.sybase.com:firewalls@GreatCircle.COM; Mon, 4 Aug 1997 08:31:01 -0700 (PDT) Message-Id: <199708041531.IAA21917@notesgw2.sybase.com> Received: by SybaseNotes (Lotus Notes Mail Gateway for SMTP V1.1) id E63F9A00E3ED2D78882564E900558C6C; Mon, 4 Aug 97 08:30:56 EDT To: Dick_Wall Cc: firewalls From: Ryan Russell/SYBASE Date: 4 Aug 97 8:36:21 EDT Subject: Re: Web Oriented Mail Clients X-Lotus-Type: Reply All Mime-Version: 1.0 Content-Type: Text/Plain Sender: firewalls-owner@GreatCircle.COM Precedence: bulk This is a limited form of VPN. A good 128-bit SSL client will take care of the encryption piece handily. 
You still need to worry about authentication though. Encryption can't keep users from mismanaging passwords. You might consider authentication tokens. Ryan ---------- Previous Message ---------- To: firewalls cc: From: Dick_Wall@stratus.com @ smtp Date: 08/02/97 03:25:21 PM Subject: Web Oriented Mail Clients Hello all .. I apologize if I'm asking a question that has been recently discussed .. I've been off the list for a while and have missed recent dialogues. The question is ... I'm getting approached by various groups in my company, that want to use Web oriented email clients, to access our email servers. That is, they want to use the clients from the Internet points, to access servers on the trusted/internal side of our network. They'd like us therefore, to allow http access through the firewall. We don't allow that now, and I don't plan to allow it in the future. Is there a secure means for providing such email access? Dick From owner-firewalls-outgoing Mon Aug 4 12:20:08 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id IAA20802 for firewalls-outgoing; Mon, 4 Aug 1997 08:52:45 -0700 (PDT) Received: from spock.bitmailer.com (spock.bitmailer.com [194.179.94.5]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id IAA20699 for ; Mon, 4 Aug 1997 08:52:08 -0700 (PDT) Received: from ns.bitmailer.com (ns.bitmailer.com [194.179.94.1]) by spock.bitmailer.com (8.8.5/8.8.6) with SMTP id SAA03529; Mon, 4 Aug 1997 18:10:10 +0200 Received: from alex(really [195.16.159.18]) by ns.bitmailer.com via sendmail with esmtp id for ; Mon, 4 Aug 1997 17:51:44 +0200 (MET DST) (Smail-3.2 1996-Jul-4 #15 built 1997-Mar-26) Message-Id: From: "Angel López Escobar" To: "Patrik Backstrom" , Subject: RE: Firewall-1, Static Address Translation problem [2] Date: Mon, 4 Aug 1997 17:47:42 +0200 X-MSMail-Priority: Normal X-Priority: 3 X-Mailer: Microsoft Internet Mail 4.70.1161 MIME-Version: 1.0 Content-Type: multipart/alternative; 
boundary="----=_NextPart_000_01BCA0FE.81F9CB60" Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Este es un mensaje con múltiples partes en formato MIME. ------=_NextPart_000_01BCA0FE.81F9CB60 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 8bit Hi, I implement that and it's working or I hope so. Create a group, name it (i.e.)LOCAL+TR, with the local-net Network Object + all the translated valid ip add's (I created a false Workstation with the translated address as internal for each translated IP). At the external IF, you mark other addresses and in the internal IF you select specific and the object will be LOCAL+TR. In my opinion this may work, Any other ideas ? Regards, A.Lopez ---------- De: Patrik Backstrom A: firewalls@GreatCircle.COM Asunto: Firewall-1, Static Address Translation problem [2] Fecha: sábado 2 de agosto de 1997 15:31 Thanks to everyone who answered. The problem was (and still is) the anti-spoofing feature. The manual says you should add the hidden and the official ip addresses to both the internal and external interface on the firewall. This doesn't help, the firewall still drops the packets. But as soon i as remove the antispoofing features (ie. setting both interfaces to accept any ip's), everything works just fine. Since i really would like to use the anti-spoofing features, this is a bit of a problem. Any ideas? 
/pb --------------------------------------------------------------------- Patrik Bäckström (BOFH) Phone........: +46-(0)706-661928 Hjalmar Bergmans gata 50 Homepage.....: http://warp.techno.org/ 422 52 Hisings Backa E-Mail.......: pb@techno.org PGP Pub Key......: http://warp.techno.org/~pb/pgpkey \.....: finger pb@warp.techno.org --------------------------------------------------------------------- ---------- Forwarded message ---------- Date: Wed, 30 Jul 1997 12:34:26 +0200 (MET DST) From: Patrik Backstrom To: firewalls@greatcircle.com Subject: Firewall-1, Static Address Translation problem Hi! I have a problem with static address translation. When the client on the inside connects to the outside, everything works fine. But when a machine on the outside tries to connect to the client's valid ip, it just won't go through the firewall. I have configured the Network Object, Workstation, Address Translation for Automatic Rules, Static and the Valid IP address. The logs on the Firewall-1 says that the packet is accepted, but it won't reach the internal client. It can't be a routing problem, since it works fine when the client connects to the outside world. The source IP after the translation is also correct. /pb --------------------------------------------------------------------- Patrik Bäckström (BOFH) Phone........: +46-(0)706-661928 Hjalmar Bergmans gata 50 Homepage.....: http://warp.techno.org/ 422 52 Hisings Backa E-Mail.......: pb@techno.org PGP Pub Key......: http://warp.techno.org/~pb/pgpkey \.....: finger pb@warp.techno.org --------------------------------------------------------------------- ---------- ------=_NextPart_000_01BCA0FE.81F9CB60 Content-Type: text/html; charset=ISO-8859-1 Content-Transfer-Encoding: quoted-printable

------=_NextPart_000_01BCA0FE.81F9CB60-- From owner-firewalls-outgoing Mon Aug 4 13:20:33 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id KAA04889 for firewalls-outgoing; Mon, 4 Aug 1997 10:32:57 -0700 (PDT) Received: from lms02.us1.ibm.com (lms02.ny.us.ibm.com [198.133.22.25]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id KAA04821 for ; Mon, 4 Aug 1997 10:32:39 -0700 (PDT) Received: from d04lms02.raleigh.ibm.com by lms02.us1.ibm.com (AIX 4.1/UCB 5.64/4.03) id AB17974; Mon, 4 Aug 1997 17:37:11 GMT Received: by US.IBM.COM (Soft-Switch LMS 2.0) with snapi via D04AU008 id 5040200003855535; Mon, 4 Aug 1997 13:40:56 -0400 From: Tom Noonan To: Subject: Request for design evaluation participants Message-Id: <5040200003855535000002L052*@MHS> Date: Mon, 4 Aug 1997 13:40:56 -0400 Mime-Version: 1.0 Content-Type: text/plain Sender: firewalls-owner@GreatCircle.COM Precedence: bulk I'm somewhat new to this listserv. Can someone tell me the policy of this listserv for submitting a note to recruit participants for product design evaluations, etc.? 
Tom TNOONAN@us.ibm.com (919)254-4257: TL(444) IBM Software Solutions Human Factors & Usability From owner-firewalls-outgoing Mon Aug 4 13:35:51 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id LAA12693 for firewalls-outgoing; Mon, 4 Aug 1997 11:18:42 -0700 (PDT) Received: from ook.connect.ie (ook.connect.ie [194.106.128.50]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id LAA12638 for ; Mon, 4 Aug 1997 11:18:27 -0700 (PDT) From: mjm@europemail.com Received: from localhost (d1-ppp-156.connect.ie [194.106.128.156]) by ook.connect.ie (8.8.6/.44/NR) with SMTP id TAA23722 for ; Mon, 4 Aug 1997 19:23:56 +0100 (BST) Message-Id: <3.0.2.16.19970804192014.46d73e1c@pop.connect.ie> X-Sender: mjmccann@pop.connect.ie X-Mailer: QUALCOMM Windows Eudora Light Version 3.0.2 (16) Date: Mon, 04 Aug 1997 19:20:14 To: Firewalls Subject: Goodnews To-day In-Reply-To: <3.0.1.32.19970804124100.006ca04c@popmail.iol.it> References: <33E37B28.778A@garanti.com.tr> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Business, finance, family and sex are the four main areas of interest to the public at large. If you are interested in information on a new Multi-Level product as means of generating income for yourself, return an E-mail with the word DETAILS on the Subject line. ====================================== One single piece of good news brightens the darkest day. 
Proverb ====================================== From owner-firewalls-outgoing Mon Aug 4 13:48:11 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id KAA06530 for firewalls-outgoing; Mon, 4 Aug 1997 10:45:23 -0700 (PDT) Received: from punt-1.mail.demon.net (relay-14.mail.demon.net [194.217.242.138]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id KAA06491 for ; Mon, 4 Aug 1997 10:45:04 -0700 (PDT) Received: from ntyne.demon.co.uk ([158.152.82.1]) by punt-1.mail.demon.net id aa1005086; 4 Aug 97 15:59 BST Date: Mon, 4 Aug 1997 09:48:03 GMT From: Greg Taylor Reply-To: gtaylor@ntyne.demon.co.uk Message-Id: <3344@ntyne.demon.co.uk> To: Firewalls@greatcircle.com Subject: re:MS Exchange through FW-1 X-Mailer: FIMail V0.9d Lines: 19 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Sorry for the delayed posting. We have a similar requirement but use Gauntlet as the firewall. Not being convinced of Exchange security outside our network we are testing a POP3 server inside connecting to the SMTP connection of Exchange (in our case this is already in use to connect to Internet). Remote users use Netscape (or Eudora) via a MODEM connection through the firewall. All it requires is Port 25 access. You can also use SecureID over it if you wish. I can't see any reason why this would not work with FW1. Greg. May you live in interesting times. 
(Ancient Chinese curse) Greg Taylor MBCS, FIAP gtaylor@ntyne.demon.co.uk Open Systems Programme Leader North Tyneside Council From owner-firewalls-outgoing Mon Aug 4 13:50:30 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id KAA06571 for firewalls-outgoing; Mon, 4 Aug 1997 10:45:41 -0700 (PDT) Received: from mbigate.moody.edu (mbigate.moody.edu [206.68.228.41]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id KAA06543 for ; Mon, 4 Aug 1997 10:45:28 -0700 (PDT) Received: from mbi.moody.edu by mbigate.moody.edu via smtpd (for honor.greatcircle.com [198.102.244.44]) with SMTP; 4 Aug 1997 17:45:27 UT Received: from eawpc.moody.edu (eawpc.moody.edu [199.3.49.73]) by mbi.moody.edu with SMTP (8.7.6/8.7.3) id MAA24666 for ; Mon, 4 Aug 1997 12:45:35 -0500 (CDT) Message-Id: <2.2.32.19970804175026.006f6390@mail.moody.edu> X-Sender: ewidholm@mail.moody.edu X-Mailer: Windows Eudora Pro Version 2.2 (32) Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Date: Mon, 04 Aug 1997 12:50:26 -0500 To: firewalls@GreatCircle.COM From: "Erik A. Widholm" Subject: Raptor and StreamWorks Sender: firewalls-owner@GreatCircle.COM Precedence: bulk We are attempting to allow StreamWorks connections through the Raptor Firewall (on UNIX). According to Xing Technologies (xingtech.com), the following should work: UDP connection from clien port >1024 UDP connection to service on port 1558 UDP connection from service on port 1558 UDP connection to client on port 1558 However, it doesn't. Has anyone set up StreamWorks throughput on the Raptor firewall? If so, what did you do? \|/ (@ @) -----------oOO--/(_)\--OOo----------- | '`' \"""/ '`' | | E R I K A. W I D H O L M | | | | -~=@=~- | | | | e-mail:ewidholm@workmail.com | | http://www.moody.edu | | Moody Bible Institute | | Chicago, IL | | (312) 329-4249 Oooo. 
| | .oooO ( ) | -----( )-------------------) /----- \ ( (_/ \_) From owner-firewalls-outgoing Mon Aug 4 14:01:35 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id LAA19292 for firewalls-outgoing; Mon, 4 Aug 1997 11:58:42 -0700 (PDT) Received: from scifi.squawk.com (scifi.squawk.com [199.74.151.1]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id LAA19143 for ; Mon, 4 Aug 1997 11:57:35 -0700 (PDT) Received: from localhost (njs@localhost) by scifi.squawk.com (8.8.5/8.8.5) with SMTP id OAA06927; Mon, 4 Aug 1997 14:58:06 -0400 Date: Mon, 4 Aug 1997 14:58:05 -0400 (EDT) From: Nick Simicich X-Sender: njs@scifi To: Greg Walker cc: firewalls@GreatCircle.COM Subject: Re: Mail bombing made legal... In-Reply-To: <33E5D2D5.61AF05DD@trade-a-plane.com> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Yes, it is true. You need to change your SMTP server to stop relaying. You may need to get a new version of sendmail. On Mon, 4 Aug 1997, Greg Walker wrote: > Date: Mon, 04 Aug 1997 08:02:13 -0500 > From: Greg Walker > To: firewalls@GreatCircle.COM > Subject: Re: Mail bombing made legal... > > Ron DuFresne wrote: > > > SPECIAL CLOAKING DEVICE: Email Blaster can successfully hide the > > origin of > > all email being sent out. Email Blaster can mask itself to look like > > it > > came from the recipients own host. This will help stop users from > > flaming > > your email box! > > > > Is this for real? I have been getting hundreds of error messages from > our mail server at night with the following content: > > Your message was not delivered because the destination computer > was > not found. Carefully check that it was spelled correctly and try > > sending it again if there were any mistakes. 
> > Host spamco.com not found > > The following recipients did not receive this message: > > > > The original mail envelope addresses are: > > User-From: SMTP<> > Recipient: [] > > > Anybody have any ideas? > > Thanks, > > Greg Walker > TAP Publishing Company > Of course my password is the same as my pet's name. My macaw's name was Q47pY!3, but I change it every 90 days. Nick Simicich mailto:njs@scifi.squawk.com or (last choice) mailto:njs@us.ibm.com http://scifi.squawk.com/njs.html -- Stop by and Light Up The World! From owner-firewalls-outgoing Mon Aug 4 14:02:08 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id MAA20795 for firewalls-outgoing; Mon, 4 Aug 1997 12:08:04 -0700 (PDT) Received: from tumi.dgsca.unam.mx (tumi.dgsca.unam.mx [132.248.168.3]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id MAA20724 for ; Mon, 4 Aug 1997 12:07:22 -0700 (PDT) Received: from localhost by tumi.dgsca.unam.mx (SMI-8.6/SMI-SVR4) id OAA04936; Mon, 4 Aug 1997 14:09:10 -0600 Date: Mon, 4 Aug 1997 14:09:10 -0600 (CST) From: "Renteria Tabares J." X-Sender: renteria@tumi Reply-To: "Renteria Tabares J." 
To: firewalls@greatcircle.com In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk remove From owner-firewalls-outgoing Mon Aug 4 16:54:26 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id MAA24042 for firewalls-outgoing; Mon, 4 Aug 1997 12:39:50 -0700 (PDT) Received: from oxygen.house.gov (oxygen.house.gov [137.18.128.6]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id MAA24017 for ; Mon, 4 Aug 1997 12:39:29 -0700 (PDT) Received: by oxygen.house.gov (AIX 3.2/UCB 5.64/4.03) id AA43084; Mon, 4 Aug 1997 15:34:59 -0400 Date: Mon, 4 Aug 1997 15:34:59 -0400 From: johns@oxygen.house.gov (John Schnizlein) Message-Id: <9708041934.AA43084@oxygen.house.gov> To: darksead@3sheep.com, firewalls@greatcircle.com Subject: Re: Routers and filtering Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > I am looking for just a wee bit of information on providing some network > security at the routers (or so I'm advised.) For general background and sample access-lists see the Firewall FAQ: http://www.clark.net/pub/mjr/pubs/fwfaq/index.htm. > Currently, I have a Cisco 4700m which I would like to have do some > packet filtering for our network. Basically, my questions are: > > A) What type of security/policy can or should be instated at a router. In general, routers can perform packet filtering, which limits them to policies of which host computers can get packets at which protocols & ports. Although routers can filter based on source TCP port as well as destination, the source port should not be trusted because it is under control of the outsider (potential attacker). > > B) does the 4700 have capabilities to provide any form of security/filtering? Yes, you should make sure you are using a recent version of the IOS to avoid problems which were identified and fixed in the packet-filtering path. 
The versions should be at least 8.3(5.10), 9.0(2.5), or 9.1(1.1). If you are just starting, you should use the version of 10.3 with the largest number in parentheses. > > Also, the current Firewall admin at the company I work for, has implemented > a crude ipfwadm firewall built into a linux box to route incoming packets > to certain subnets as a form of security...Can the 4700 do this as well? Unless the routing you want is based on the destination address, you would need IOS version 11.2 (the most recent feature set) to perform what Cisco calls "policy based routing" depending on anything you could filter. From owner-firewalls-outgoing Mon Aug 4 17:00:04 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id MAA24889 for firewalls-outgoing; Mon, 4 Aug 1997 12:46:57 -0700 (PDT) Received: from Noah.rtscomp.com (rtscomp.com [206.233.216.222]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id MAA24861 for ; Mon, 4 Aug 1997 12:46:35 -0700 (PDT) Received: from localhost (prc@localhost) by Noah.rtscomp.com (8.8.5/8.8.5) with SMTP id LAA12635; Mon, 4 Aug 1997 11:48:13 -0700 Date: Mon, 4 Aug 1997 11:48:08 -0700 (PDT) From: Richard Pouncy To: Greg Walker cc: firewalls@GreatCircle.COM Subject: Re: Mail bombing made legal... In-Reply-To: <33E5D2D5.61AF05DD@trade-a-plane.com> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk On Mon, 4 Aug 1997, Greg Walker wrote: Yes, I have been fighting this type of shit for some time now. What they are doing is bouncing the mail off sites like earthlink or at&t to deliver the mail to your system. I have been taking the message header and forwarding that to abuse@companyname.com. You may or may not know that most of the large ISPs have an abuse account and will take action if possible. But it is assholes like the one mentioned in the message that keep the bull alive. 
> Ron DuFresne wrote: > > > SPECIAL CLOAKING DEVICE: Email Blaster can successfully hide the > > origin of > > all email being sent out. Email Blaster can mask itself to look like > > it > > came from the recipients own host. This will help stop users from > > flaming > > your email box! > > > > Is this for real? I have been getting hundreds of error messages from > our mail server at night with the following content: > > Your message was not delivered because the destination computer > was > not found. Carefully check that it was spelled correctly and try > > sending it again if there were any mistakes. > > Host spamco.com not found > > The following recipients did not receive this message: > > > > The original mail envelope addresses are: > > User-From: SMTP<> > Recipient: [] > > > Anybody have any ideas? > > Thanks, > > Greg Walker > TAP Publishing Company > =-=-=-=-=-=-=-=-=-=-= http://www.prc.com/eag =-=-=-=-=-=-=-=-=-=-=-=-=-= Richard Pouncy | Litton PRC Inc. prc@rtscomp.com | 222 N. Sepulveda Blvd. 
Suite 1310 310-252-8044 | El Segundo, CA 900245-4353 =-=-=-= Firewalls =-= Web Server Security =-= Penetration Testing =-=-= From owner-firewalls-outgoing Mon Aug 4 18:44:16 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id RAA18916 for firewalls-outgoing; Mon, 4 Aug 1997 17:51:36 -0700 (PDT) Received: from achilles.nikkei.co.jp (achilles.nikkei.co.jp [138.101.197.3]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id RAA18870 for ; Mon, 4 Aug 1997 17:51:24 -0700 (PDT) Received: from penelope.nikkei.co.jp by achilles.nikkei.co.jp (8.8.5/8.8.5) with ESMTP id JAA05779; Tue, 5 Aug 1997 09:51:51 +0900 (JST) Received: from bear.koto.nikkei.co.jp by penelope.nikkei.co.jp (8.8.5/8.8.5) with ESMTP id JAA05359; Tue, 5 Aug 1997 09:53:50 +0900 (JST) Received: from saturn.koto.nikkei.co.jp by bear.koto.nikkei.co.jp (8.8.5/8.8.5) with ESMTP id JAA21807; Tue, 5 Aug 1997 09:52:16 +0900 Received: from saturn by saturn.koto.nikkei.co.jp (8.8.5/8.8.5) with ESMTP id JAA21151; Tue, 5 Aug 1997 09:51:48 +0900 (JST) Message-Id: <199708050051.JAA21151@saturn.koto.nikkei.co.jp> To: "Sergio Untiveros" Cc: firewalls@GreatCircle.COM Subject: Re: Need Information on firewalls In-reply-to: Your message of "Thu, 31 Jul 1997 09:46:15 GMT." <68DA0371B8B@mem.gob.pe> Date: Tue, 05 Aug 1997 09:51:48 +0900 From: Nobuhiko Yoshimoto Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > My Friends, we need a Firewall Products on the market (Hardware or > Software). > > What is FW1? > It's a packet-filter type gateway software working on Solaris (Sparc & i386), HP-UX and Win/NT. In detail, see http://wwww.checkpoint.com. Nobuhiko Yoshimoto Nihon Keizai Shimbun Inc. 
yoshi@nikkei.co.jp phone:813-5690-0256 fax:813-5690-0250 From owner-firewalls-outgoing Mon Aug 4 18:44:45 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id RAA10540 for firewalls-outgoing; Mon, 4 Aug 1997 17:22:17 -0700 (PDT) Received: from mycroft.GreatCircle.COM (mycroft.greatcircle.com [198.102.244.35]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id RAA10277 for ; Mon, 4 Aug 1997 17:21:20 -0700 (PDT) Received: from wizard.infovia.com.gt by mycroft.GreatCircle.COM (8.8.5/SMI-4.1/Brent-970426) id PAA02877; Mon, 4 Aug 1997 15:19:53 -0700 (PDT) Received: (from flopez@localhost) by wizard.infovia.com.gt (8.8.6/8.6.9) id QAA14318; Mon, 4 Aug 1997 16:17:59 -0500 From: Juan Francisco Lopez Message-Id: <199708042117.QAA14318@wizard.infovia.com.gt> Subject: Don't know where to ask :( To: darksead@3sheep.com (DarkSead) Date: Mon, 4 Aug 1997 16:17:57 -0500 (CDT) Cc: firewalls@GreatCircle.COM In-Reply-To: <3.0.32.19970804075317.008fd098@dakotacom.net> from "DarkSead" at Aug 4, 97 07:58:22 am X-Mailer: ELM [version 2.4 PL24] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Hello everybody! My apologies beforehand if my question will go off the main issue of this list, I just don't know exactly where to ask. I work for an ISP, that now is looking for a way to send a message to our clients as soon as they get connected via modem (PPP). Does any of you know of a way to do this? Is there any shareware that does this already? We are using the radiusd.esva server to authenticate our users on a linux box (slackware v.2.30). Any help will be greatly appreciated! 
Fran Lopez IIDS Gautemala: From owner-firewalls-outgoing Mon Aug 4 19:11:58 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id NAA02211 for firewalls-outgoing; Mon, 4 Aug 1997 13:59:59 -0700 (PDT) Received: from genesis.ixi.net (genesis.ixi.net [206.58.180.1]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id NAA02172 for ; Mon, 4 Aug 1997 13:59:38 -0700 (PDT) Received: from ancddu02.ixi.net (ancddu02.ixi.net [206.58.34.129]) by genesis.ixi.net (8.8.5/8.7.1) with SMTP id OAA31981; Mon, 4 Aug 1997 14:55:27 -0600 Message-ID: <33E65092.323@ixi.net> Date: Mon, 04 Aug 1997 14:58:42 -0700 From: Christopher Ray Parrish Reply-To: rparish@ixi.net Organization: Secure Trade X-Mailer: Mozilla 3.01Gold (Win16; I) MIME-Version: 1.0 To: Mubashir Hasan Kazia CC: kgroup , Verna D Dick , Great Bend Tribune , Alan , "Bob522@aol.com" , "CHOYBOK@aol.com" , "firewalls@greatcircle.com" , "Visionprof@aol.com" , ZWH Subject: Re: [Fwd: [Fwd: Subject: good luck totem]] References: <33E3F2BA.745651B9@snowcrest.net> <33E55F34.421539D6@scsnoida.stpn.soft.net> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Please quit sending this shit to me. I didn't originate this crap, and I resent being bombarded anew with complaints about shit I didn't send to begin with... Mubashir Hasan Kazia wrote: > > This is ridiculous. A firewall mailing list is used for propagating this > kind of superstition and irrelevant stuff. Such vandalism just makes the > whole system less useful to everybody. > > Please get it stopped > > Thanks > > Mubashir Hasan > S/W Engineer > SCS > NEPZ > India > > kgroup wrote: > > > > We need all the luck we can get, so here goes!!! 
> > > > --------------------------------------------------------------- > > > > Subject: [Fwd: Subject: good luck totem] > > Date: Tue, 29 Jul 1997 22:54:02 -0700 > > From: Risa Roberta Goldberg > > To: valdape@ix.netcom.com, kgroup@snowcrest.net, chezi369@aol.com, > > ndelaney@adnc.com, ffrey@acad.com, zdrgz@juno.com, katg@juno.com, > > rsgit@cts.com, MICKEVICH.MARY@NMNH.SI.EDU, NNewk@aol.com > > > > Subject: Subject: good luck totem > > Date: Tue, 29 Jul 1997 08:09:05 -0700 > > From: Marci Bunescu > > To: jtaylor@grossmont.k12.ca.us, mfj001@aol.com, "James, Pat" , > > gbunescu@signif.com, edbo@thorin.instanet.com, grassweb@ftel.net, > > risasplace@sprintmail.com, lglass@sbjrhigh.sbceo.k12.ca.us, > > darlacox@aol.com, tasegeal@aol.com > > > > > > > > > > >Hawaiian GOOD LUCK TOTEM > > > \\\|||/// > > > ========= > > > - | O O | > > > / \ \ @'/ > > > # _| |_ > > > (#) ( ) > > > #\//|* *|\\ > > > #\/( * )/ > > > # ===== > > > # (\|/) > > > # || || > > > .#.--'| |---.. > > > #'---' ----' > > > > > >This totem has been sent to you for good luck. It has been sent > > >around the world nine times so far. You will receive good luck > > >within four days of relaying this totem.. > > > > > >Send copies to people you think need good luck. Don't send money as > > >fate has no price. Do not keep this message.. > > > > > >The totem must leave your hands in 96 hours. Send ten copies and see > > >what happens in four days. You will get a surprise. This is true, > > >even if you are not superstitious.. > > > > > >Good luck, but please remember: 10 copies of this message must leave > > >your hands in 96 hours... You must not sign on message.... 
From owner-firewalls-outgoing Mon Aug 4 20:11:29 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id RAA09987 for firewalls-outgoing; Mon, 4 Aug 1997 17:19:42 -0700 (PDT) Received: from siu.cen.buap.mx (siu.buap.mx [148.228.1.1]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id PAA18621 for ; Mon, 4 Aug 1997 15:42:09 -0700 (PDT) Received: by siu.cen.buap.mx (5.x/SMI-SVR4) id AA00757; Mon, 4 Aug 1997 17:54:41 GMT Date: Mon, 4 Aug 1997 17:54:35 +0000 (GMT) From: DOMINGO VARELA YAHUITL X-Sender: ydomingo@siu.buap.mx To: "Erik A. Widholm" Cc: firewalls@GreatCircle.COM Subject: Change ports... In-Reply-To: <2.2.32.19970804175026.006f6390@mail.moody.edu> Message-Id: Mime-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Hello Erik: How can I change the ports of services of TELNET and FTP and that not have access by the ports default, and that for input/output for TELNET and FTP can access by port 2223 and 2221 ... please you can help me ... Thank you very much.. 
Domingo./ From owner-firewalls-outgoing Mon Aug 4 20:29:17 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id QAA02241 for firewalls-outgoing; Mon, 4 Aug 1997 16:46:22 -0700 (PDT) Received: from www.ctrl-alt-del.COM (ctrl-alt-del.com [206.163.47.249]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id QAA02234 for ; Mon, 4 Aug 1997 16:46:17 -0700 (PDT) Received: from localhost (alan@localhost) by www.ctrl-alt-del.COM (8.8.5/8.8.5) with SMTP id QAA03714; Mon, 4 Aug 1997 16:52:53 -0700 Date: Mon, 4 Aug 1997 16:52:53 -0700 (PDT) From: Alan To: Phil Cox cc: Dick_Wall@stratus.com, firewalls@GreatCircle.COM Subject: Re: Web Oriented Mail Clients In-Reply-To: <33E66936.1500290E@llnl.gov> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk On Mon, 4 Aug 1997, Phil Cox wrote: > > Tell them to spend the $20/month and get an off-site e-mail account at a > > local ISP. Then forward their mail to that account. > > NO, don't do this, unless you want all your internal company mail > flowing cleartext across the internet. One solution, depending on your > client platform, is ssh & pop. With more specifics, it would be easier > to suggest a possible solution. Good point. I just have a problem with silly management requests... Most management types are using MS OS "solutions", so they are going to have a difficult time using SSH, unless it is set up for them. (And they are willing to spend the bucks for it.) I don't like launching it on the server, as it seems like it just opens another hole on the server... alan@ctrl-alt-del.com | Note to AOL users: for a quick shortcut to reply Alan Olsen | to my mail, just hit the ctrl, alt and del keys. 
From owner-firewalls-outgoing Mon Aug 4 20:29:31 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id QAA21483 for firewalls-outgoing; Mon, 4 Aug 1997 16:00:55 -0700 (PDT) Received: from dfw-ix4.ix.netcom.com (dfw-ix4.ix.netcom.com [206.214.98.4]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id QAA21435 for ; Mon, 4 Aug 1997 16:00:41 -0700 (PDT) From: webmaster@mars-cam.com Received: (from smap@localhost) by dfw-ix4.ix.netcom.com (8.8.4/8.8.4) id SAA01642 for ; Mon, 4 Aug 1997 18:01:37 -0500 (CDT) Date: Mon, 4 Aug 1997 18:01:37 -0500 (CDT) Message-Id: <199708042301.SAA01642@dfw-ix4.ix.netcom.com> Received: from lax-ca20-10.ix.netcom.com(204.31.253.74) by dfw-ix4.ix.netcom.com via smap (V1.3) id sma001615; Mon Aug 4 18:01:20 1997 To: firewalls@greatcircle.com Subject: Security Products Sender: firewalls-owner@GreatCircle.COM Precedence: bulk This message was designed to introduce new products to the CCTV & Video industry. If you wish to be removed from any future mailings, please reply with the subject "Remove" and this software will automatically block you from future mailings. Marshall Electronica, Inc., Culver City, CA USA - Has some unique security products for government security forces such as (Scotland Yard, KGB, FBI, CIA) & other special applications in the security or industrial video field. 1. Zoom pinhole lenses that adjust to any room size. 2. LCD monitors for mobile applications or compact monitoring stations 6.4" & 4" TFT in stock. 3. Miniature lipstick cameras with mount for mobile applications (police cars) 4. Miniature coax to send video signals up to 1000 ft. 5. Worlds First Single Chip NTSC/PAL CMOS Camera that draws only 20mA. Color versions available in September. (Can retail under 100 USD). Please see our website: http://www.mars-cam.com/optical.html Note: We are looking for distributors in most countries outside of USA. 
/////////////////////////////////////////////////////////////////////////////// This Message was Composed using Extractor Pro Bulk E- Mail Software. If you wish to be removed from this advertiser's future mailings, please reply with the subject "Remove" and this software will automatically block you from their future mailings. //////////////////////////////////////////////////////////////////////////////// From owner-firewalls-outgoing Mon Aug 4 21:03:26 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id QAA01518 for firewalls-outgoing; Mon, 4 Aug 1997 16:41:01 -0700 (PDT) Received: from kadima.llnl.gov (kadima.llnl.gov [128.115.222.73]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id QAA01501 for ; Mon, 4 Aug 1997 16:40:49 -0700 (PDT) Received: from kadima.llnl.gov (localhost [127.0.0.1]) by kadima.llnl.gov (8.8.5/8.8.5) with SMTP id QAA00732; Mon, 4 Aug 1997 16:43:50 -0700 Message-ID: <33E66936.1500290E@llnl.gov> Date: Mon, 04 Aug 1997 16:43:50 -0700 From: Phil Cox Organization: CIAC X-Mailer: Mozilla 3.01 (X11; I; Linux 2.0.30 i586) MIME-Version: 1.0 To: Alan CC: Dick_Wall@stratus.com, firewalls@GreatCircle.COM Subject: Re: Web Oriented Mail Clients References: Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Alan wrote: > > On Sat, 2 Aug 1997 Dick_Wall@stratus.com wrote: > > > The question is ... > > > > I'm getting approached by various groups in my company, that want to > > Is there a secure means for providing such email access? > > Yes. > > Tell them to spend the $20/month and get an off-site e-mail account at a > local ISP. Then forward their mail to that account. NO, don't do this, unless you want all your internal company mail flowing cleartext across the internet. One solution, depending on your client platform, is ssh & pop. With more specifics, it would be easier to suggest a possible solution. 
-- -Phil Philip Cox | Voice : (510)422-8564 Computer Incident Advisory Capability | E-Mail: pcc@llnl.gov Lawrence Livermore National Labs | WWW : http://ciac.llnl.gov From owner-firewalls-outgoing Mon Aug 4 21:42:38 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id QAA01318 for firewalls-outgoing; Mon, 4 Aug 1997 16:38:27 -0700 (PDT) Received: from netscape.com (h-205-217-237-47.netscape.com [205.217.237.47]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id QAA01311 for ; Mon, 4 Aug 1997 16:38:19 -0700 (PDT) Received: from judge.mcom.com (judge.mcom.com [205.217.237.53]) by netscape.com (8.8.5/8.8.5) with ESMTP id QAA12134 for ; Mon, 4 Aug 1997 16:06:03 -0700 (PDT) Received: from lord.mcom.com ([198.93.95.245]) by judge.mcom.com (Netscape Messaging Server 3.0) with ESMTP id AAA19186; Mon, 4 Aug 1997 16:06:02 -0700 Message-ID: <33E66056.24DD71C9@netscape.com> Date: Mon, 04 Aug 1997 18:05:58 -0500 From: William Burns Organization: Netscape Communications Corp. X-Mailer: Mozilla 4.01 [en] (Win95; U) MIME-Version: 1.0 To: joe CC: Cihan Subasi , Firewalls , Checkpoint Mailing List Subject: Re: [FW1] Installation of Failover Gateway in FW-1 3.0a... X-Priority: 3 (Normal) References: Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg=sha1; boundary="------------msA9F0B082EDA1AFA53C982FA7" Sender: firewalls-owner@GreatCircle.COM Precedence: bulk This is a cryptographically signed message in MIME format. --------------msA9F0B082EDA1AFA53C982FA7 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Hello all....the way I solved this problem may be unique to our setup, but may be of some use to you. We had both firewalls' DMZ subnet attached to a common hub. Connected to that hub was all of our DMZ servers (mail, web, etc)...there were no routers between the DMZ servers and the two redundant firewalls. We are running all Solaris 2.5.1 in this scenario. 
In the July issue of UNIX review there was an article about routed and rdisc....that was exactly the trick I needed. On the primary firewall I changed a line in /etc/rc2.d/S69inet from

    /usr/sbin/in.rdisc -r

to

    /usr/sbin/in.rdisc -r -p 10 -T 10

On the failover firewall I changed the same line to be

    /usr/sbin/in.rdisc -r -p 1 -T 10

The net effect is that each firewall will now actively advertise itself as having the "default route"; the primary firewall will have the highest preference so it will be used unless it stops advertising. The "-T 10" will cause them to advertise this "default route" packet every 10 seconds..the default was 600 seconds. I wanted no more than a 10 second latency between updates. So this handles advertising the routes...

On the DMZ machine (also running Solaris 2.5.1) I removed /etc/defaultrouter and /etc/gateways files. I changed the line in /etc/rc2.d/S69inet from

    if [ -f /usr/sbin/in.rdisc ] && /usr/sbin/in.rdisc -s; then echo "starting router discovery."

to

    if [ -f /usr/sbin/in.rdisc ] && /usr/sbin/in.rdisc -s -f; then echo "starting router discovery (forever)."

so that the DMZ machines would never stop listening for router discovery packets (in the off chance that connections with both firewalls was broken).

The end result: Now I can telnet into my web server and run "netstat -nr" in a loop and watch the default route automagically flip to the redundant firewall as soon as I kill the primary firewall. I didn't try hardcoding two default routes into /etc/defaultrouter -- it says you can do it, but I'm not sure how long it takes to switch over. Plus, I like the ability of not having to hard code ANY default route on my servers...makes installing them a lot easier. I don't know how well all the vendors support rdisc, it's an RFC supported protocol so bets are in its favor, but Solaris did and that's all I needed. 
I was also thinking of using routed or gated on the two firewalls and advertising routes as well....but I didn't see how to do it with routed and I wasn't sure I wanted to put another "unsupported" app on my firewall with gated. hope this helps, bill joe wrote: > Hello Cihan, > > I'll be trying this one soon too... RIP may be your only hope even > though > it is crude...(via gated with higher/lower preferences)..unless you > can > do router discovery with AIX boxes... too bad you are not using all > Sun > workstations...(IMHO) :) > > Im very interested to see if anyone else has done this or has a good > suggestion.. > > Cheers, > JP > > ================================================================== > Joseph J. Pyle - Network Consultant _ > E-Mail Solutions @ PYLE.COM "<(o)>" > ~ > joe@pyle.com - Its in the eye of the beholder > ================================================================== > > On Sat, 2 Aug 1997, Cihan Subasi wrote: > > > We installed the Failover Gateway to backup our FW-1 3.0a, looks > like > > everything is fine but I have a problem with the machines on DMZ > > interface...All our internet servers (other than firewall machines) > are > > running on a RS6000 with AIX 4.1.4 but in order to make them see > > Failover Gateway when master firewall dies we have to give a second > > default gateway to the AIXs, here is the problem looks like AIX do > not > > take a second default gateway with a higher metric...Anybody can > help me > > to solve the problem? 
> > > > Thanks, > > -- > > > > > **************************************************************************** > > > Cihan Subasi, > > Garanti Ticaret AS,Istanbul Turkey > > email:csubasi@garanti.com.tr tel: +902126570404 fax: > +902126570473 > > > **************************************************************************** > > > --------------msA9F0B082EDA1AFA53C982FA7 Content-Type: application/x-pkcs7-signature; name="smime.p7s" Content-Transfer-Encoding: base64 Content-Disposition: attachment; filename="smime.p7s" Content-Description: S/MIME Cryptographic Signature --------------msA9F0B082EDA1AFA53C982FA7-- From owner-firewalls-outgoing Mon Aug 4 23:14:42 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id SAA29285 for firewalls-outgoing; Mon, 4 Aug 1997 18:34:07 -0700 (PDT) Received: from oi7230a.inaoep.mx (oi7230a.inaoep.mx [192.100.172.82]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id SAA28973 for ; Mon, 4 Aug 1997 18:33:12 -0700 (PDT) Received: from localhost (root@localhost) by oi7230a.inaoep.mx (8.8.5/8.8.5) with SMTP id UAA07428; Mon, 4 Aug 1997 20:23:26 -0500 Date: Mon, 4 Aug 1997 20:23:24 -0500 (CDT) From: root To: John Schnizlein cc: darksead@3sheep.com, firewalls@greatcircle.com Subject: How Change the ports... 
Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Hello All: I be make a system of security with firewall, with FWTK TIS and the proxys as ftp and telnet use the ports defined by default the port 23 and 21, yet this port the use mi private net and all good the to go out, and now how I can access a my box from outside utilised other port for by example the por 2323 and 2121 for acces from outside a my box, herself good that not have access a the private net, yet if have access a my box... besides from my box have access a Internet via port 23 is correct... How the make... thank you Domingo V. From owner-firewalls-outgoing Mon Aug 4 23:44:44 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id SAA26581 for firewalls-outgoing; Mon, 4 Aug 1997 18:22:21 -0700 (PDT) Received: from achilles.nikkei.co.jp (achilles.nikkei.co.jp [138.101.197.3]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id SAA26239 for ; Mon, 4 Aug 1997 18:20:52 -0700 (PDT) Received: from penelope.nikkei.co.jp by achilles.nikkei.co.jp (8.8.5/8.8.5) with ESMTP id KAA06399; Tue, 5 Aug 1997 10:21:38 +0900 (JST) Received: from bear.koto.nikkei.co.jp by penelope.nikkei.co.jp (8.8.5/8.8.5) with ESMTP id KAA06222; Tue, 5 Aug 1997 10:23:37 +0900 (JST) Received: from saturn.koto.nikkei.co.jp by bear.koto.nikkei.co.jp (8.8.5/8.8.5) with ESMTP id KAA26542; Tue, 5 Aug 1997 10:22:03 +0900 Received: from saturn by saturn.koto.nikkei.co.jp (8.8.5/8.8.5) with ESMTP id KAA21336; Tue, 5 Aug 1997 10:21:35 +0900 (JST) Message-Id: <199708050121.KAA21336@saturn.koto.nikkei.co.jp> To: "DarkSead (Nick)" Cc: firewalls@GreatCircle.COM Subject: Re: Routers and filtering In-reply-to: Your message of "Mon, 04 Aug 1997 06:49:33 MST." 
<3.0.32.19970804064427.009beaf8@dakotacom.net> Date: Tue, 05 Aug 1997 10:21:35 +0900 From: Nobuhiko Yoshimoto Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > I am looking for just a wee bit of information on providing some network > security at the routers (or so I'm advised.) Currently, I have a Cisco > 4700m which I would like to have do some packet filtering for our network. > Basically, my questions are: A) What type of security/policy can or should > be instated at a router. and B) does the 4700 have the capabilities to > provide any form of security/filtering? > > Also, the current Firewall admin at the company I work for, has implemented > a crude ipfwadm firewall built into a linux box to route incoming packets > to certain subnets as a form of security...Can the 4700 do this as well? > wa You could configure a filter to deny packets with certain source/destination addresses or ports on your CISCO router. What version of IOS do you use? If it were 11.0 or later, you would be able to keep a certain level of security through the router. Anyway, you can build the packet filter with the access-group subcommand of interface and the access-list command. Please consult your manual. Nobuhiko Yoshimoto Nihon Keizai Shimbun Inc. 
yoshi@nikkei.co.jp phone:813-5690-0256 fax:813-5690-0250 From owner-firewalls-outgoing Mon Aug 4 23:51:49 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id SAA28019 for firewalls-outgoing; Mon, 4 Aug 1997 18:29:29 -0700 (PDT) Received: from mycroft.GreatCircle.COM (mycroft.greatcircle.com [198.102.244.35]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id SAA26571 for ; Mon, 4 Aug 1997 18:22:16 -0700 (PDT) Received: from gatekeeper.nytimes.com by mycroft.GreatCircle.COM (8.8.5/SMI-4.1/Brent-970426) id RAA07426; Mon, 4 Aug 1997 17:20:00 -0700 (PDT) Received: from mailgate.nytimes.com by gatekeeper.nytimes.com; (5.65v3.2/1.1.8.2/30Mar95-0352PM) id AA27460; Mon, 4 Aug 1997 20:23:13 -0400 Received: from localhost by mailgate.nytimes.com; (5.65/1.1.8.2/25Jul94-1134AM) id AA27831; Mon, 4 Aug 1997 20:22:52 -0400 Date: Mon, 4 Aug 1997 20:22:52 -0400 (EDT) From: Gordy Thompson To: Rick Hardy Cc: greg@trade-a-plane.com, firewalls@GreatCircle.COM Subject: Re: Mail bombing made legal... In-Reply-To: <3.0.3.32.19970804154329.009b59e0@rapid.net> Message-Id: Mime-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk This is possible, but not the only explanation: When one of these megaspams lets loose, it may send mail to lots of addresses at your site that are no longer valid (or never were, for that matter). But because these jokers work hard at hiding the true source of the mail, your mailer-daemon may not be able to send the bounce messages ("user unknown") back. In that case, the bounce messages (reading pretty much like what was originally quoted below) will probably wind up in your root mail spool. Happens to us all the time. On Mon, 4 Aug 1997, Rick Hardy wrote: > If you could post the entire message, with the original headers! If you > running Unix Sendmail dump the mail-q, sounds like SOMEONE is relaying SPAM > off your mail server! 
I just had the same happen to me! I had over 1000 > undelieverable messages in my queues! God knows how many messages went > out! It's fixed now though! > > > ==Rick== > > > At 08:02 AM 8/4/97 -0500, Greg Walker wrote: > >> > > > >Is this for real? I have been getting hundreds of error messages from > >our mail server at night with the following cotent: > > > > Your message was not delivered because the destination computer > >was > > not found. Carefully check that it was spelled correctly and try > > > > sending it again if there were any mistakes. > > > > Host spamco.com not found > > > > The following recipients did not receive this message: > > > > > > > > The original mail envelope addresses are: > > > > User-From: SMTP<> > > Recipient: [] > > > > > >Anybody have any ideas? > > > >Thanks, > > > >Greg Walker > >TAP Publishing Company > > -- Gordon T. Thompson gordy@nytimes.com Manager, Internet Services 212-556-1386 The New York Times fax: 212-556-1636 The Times and I have an arrangement: Neither of us speaks for the other. From owner-firewalls-outgoing Tue Aug 5 00:15:10 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id XAA24971 for firewalls-outgoing; Mon, 4 Aug 1997 23:11:42 -0700 (PDT) Received: from darkstar.sysinfo.com (darkstar.sysinfo.com [204.246.65.62]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id XAA24691 for ; Mon, 4 Aug 1997 23:10:40 -0700 (PDT) Received: from parka.winternet.com (dufresne@parka.winternet.com [198.174.169.9]) by darkstar.sysinfo.com (8.8.2/8.8.2) with SMTP id BAA27249; Tue, 5 Aug 1997 01:11:26 -0500 Date: Tue, 5 Aug 1997 01:11:11 -0500 (CDT) From: Ron DuFresne To: Greg Walker cc: firewalls@GreatCircle.COM Subject: Re: Mail bombing made legal... 
In-Reply-To: <33E5D2D5.61AF05DD@trade-a-plane.com> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk This sort of spamming/mail bombing has been happening much more frequently. Those mailing lists one gets on that at least allow you to remove yourself a a tad less offensive, but, these types are the pits. Imagine the person that instead of spreading on 5,000 different addresses, hits a single address for some nasty reason. Try and trace that down to a source... Later, Ron DuFresne On Mon, 4 Aug 1997, Greg Walker wrote: > Ron DuFresne wrote: > > > SPECIAL CLOAKING DEVICE: Email Blaster can successfully hide the > > origin of > > all email being sent out. Email Blaster can mask itself to look like > > it > > came from the recipients own host. This will help stop users from > > flaming > > your email box! > > > > Is this for real? I have been getting hundreds of error messages from > our mail server at night with the following cotent: > > Your message was not delivered because the destination computer > was > not found. Carefully check that it was spelled correctly and try > > sending it again if there were any mistakes. > > Host spamco.com not found > > The following recipients did not receive this message: > > > > The original mail envelope addresses are: > > User-From: SMTP<> > Recipient: [] > > > Anybody have any ideas? > > Thanks, > > Greg Walker > TAP Publishing Company > > ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ "Cutting the space budget really restores my faith in humanity. It eliminates dreams, goals, and ideals and lets us get straight to the business of hate, debauchery, and self-annihilation." -- Johnny Hart ***testing, only testing, and damn good at it too!*** OK, so you're a Ph.D. Just don't touch anything. 
From owner-firewalls-outgoing Tue Aug 5 00:59:50 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id AAA11869 for firewalls-outgoing; Tue, 5 Aug 1997 00:32:16 -0700 (PDT) Received: from mail.pixi.com (hoku.pixi.com [206.127.224.83]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id AAA11605 for ; Tue, 5 Aug 1997 00:31:24 -0700 (PDT) Received: from www.sersol.com (www.sersol.com [206.127.255.227]) by mail.pixi.com (8.8.5/8.8.5/PIXI-5.2) with SMTP id VAA25516; Mon, 4 Aug 1997 21:32:12 -1000 (HST) Received: by www.sersol.com with Microsoft Mail id <01BCA11D.6D61C9E0@www.sersol.com>; Mon, 4 Aug 1997 21:29:02 -1000 Message-ID: <01BCA11D.6D61C9E0@www.sersol.com> From: "James D. Wilson" To: "firewalls@GreatCircle.COM" , "'Cuauhtemoc Zamudio Avila'" Subject: RE: [Fwd: [Fwd: Subject: good luck totem]]] Date: Mon, 4 Aug 1997 21:29:00 -1000 MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: quoted-printable Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Is it possible that the list could be moderated or authenticated, or at = least the latest sendmail with antispam tools installed at greatcircle? = 4 out of 5 spam messages I've been getting have been sent through this = list... - James D. Wilson netsurf@pixi.com http://www.pixi.com/~netsurf/ Support the Anti-spam amendment: http://www.cauce.org/ ---------- From: Cuauhtemoc Zamudio Avila Sent: Friday, August 01, 1997 8:52 PM To: firewalls@GreatCircle.COM Subject: [Re: [Fwd: [Fwd: Subject: good luck totem]]] Please, Don't send this kind of email, this ones just waste bandwith, we are already good lucking people, because we are a community of thinking people. don't disturb about it, i'm not trying to offend you kgroup. just don't use this kind of email, it's like email spam. 
Cuauhtemoc Zamudio Avila Technical Support=20 Enternet From owner-firewalls-outgoing Tue Aug 5 01:26:41 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id BAA18224 for firewalls-outgoing; Tue, 5 Aug 1997 01:01:23 -0700 (PDT) Received: from fw4.tns.co.za (fw4.tns.co.za [196.4.160.32]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id BAA17995 for ; Tue, 5 Aug 1997 01:00:07 -0700 (PDT) Received: by fw4.tns.co.za; id KAA06262; Tue, 5 Aug 1997 10:00:51 +0200 (SAT) Message-Id: <199708050800.KAA06262@fw4.tns.co.za> Received: from unknown(89.0.5.63) by fw4.tns.co.za via smap (V3.1.1) id xma006130; Tue, 5 Aug 97 10:00:21 +0200 Reply-To: From: "Billy Verreynne" To: , "Martin C. Walker" Subject: Re: Security of IP to IPX internet gateway Date: Tue, 5 Aug 1997 09:58:27 +0200 X-MSMail-Priority: Normal X-Priority: 3 X-Mailer: Microsoft Internet Mail 4.70.1155 MIME-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > Martin C. Walker wrote: > I have a division who uses a novell ipx network internally. > They want to drop an ip to ipx gateway in place and use it to > connect to the internet (partially to avoid the cost of a firewall). > > They think they are secure from any hacking attempts, denial of > service or other issues because they are using IPX inside. Disregarding > the issue of whether IPX will die in a few years, are there any security > implications to their proposed setup ? Are there any IPX hacks which > can be used thru one of these gateways ? IPX is routable. I think that if you disable IPX routing via the firewall then no IPX could get into the network and it should be safe against IPX hacks. Ok, make that it "should be relatively safe". Depends on how the IP packets are converted back to IPX when the firewall/gateway passes inet IP back onto the IPX network. Maybe spoof IP packets with embedded IPX? 
A lot of effort though for such an attack and I'm not sure that such an IPX hack will work. As I said, relatively safe. :-) regards, Billy From owner-firewalls-outgoing Tue Aug 5 01:29:28 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id AAA16420 for firewalls-outgoing; Tue, 5 Aug 1997 00:50:47 -0700 (PDT) Received: from fw4.tns.co.za (fw4.tns.co.za [196.4.160.32]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id AAA16397 for ; Tue, 5 Aug 1997 00:50:37 -0700 (PDT) Received: by fw4.tns.co.za; id JAA05055; Tue, 5 Aug 1997 09:50:50 +0200 (SAT) Message-Id: <199708050750.JAA05055@fw4.tns.co.za> Received: from unknown(89.0.5.63) by fw4.tns.co.za via smap (V3.1.1) id xma005016; Tue, 5 Aug 97 09:50:30 +0200 Reply-To: From: "Billy Verreynne" To: "Richard Pouncy" Cc: Subject: Re: Mail bombing made legal... Date: Tue, 5 Aug 1997 09:48:42 +0200 X-MSMail-Priority: Normal X-Priority: 3 X-Mailer: Microsoft Internet Mail 4.70.1155 MIME-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk A bit off topic, but anyway. :-) > > SPECIAL CLOAKING DEVICE: Email Blaster can successfully hide the > > origin of > > all email being sent out. Email Blaster can mask itself to look like > > it > > came from the recipients own host. This will help stop users from > > flaming > > your email box! This is totally bullshit IMHO. You can trace the any e-mail back to the original SMTP server using the headers. Fake headers are usually easy to spot. When in doubt I use telnet to get into the SMPTP servers one at a time, up the sendmail stream, and then e-mail myself to see how a real header from that server looks like. The only problem I know is that some SMTP servers have errors in their config. They identify the wrong IP as the sender (I've seen some of them identifying another gateway instead of my IP). 
In such a case you probably can e-mail root or postmaster of that server and tell him to fix the sendmail config. In all other cases you should be able to identify the actual e-mail sender's IP address. If dynamic, use DIG to get the domain and go to InterNic and see who owns it. Now if I only had the time do this with all the spam I receive... On topic . I've read the Firewall FAQ, but would like to have a lot of technical detail. Any pointers? regards, Billy From owner-firewalls-outgoing Tue Aug 5 12:35:51 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id MAA04667 for firewalls-outgoing; Tue, 5 Aug 1997 12:14:58 -0700 (PDT) Received: from mycroft.GreatCircle.COM (mycroft.greatcircle.com [198.102.244.35]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id MAA04496; Tue, 5 Aug 1997 12:14:12 -0700 (PDT) From: Dick_Wall@stratus.com Received: from mailhub.stratus.com by mycroft.GreatCircle.COM (8.8.5/SMI-4.1/Brent-970426) id KAA23384; Tue, 5 Aug 1997 10:57:38 -0700 (PDT) Received: from na2.stratus.com (na2.stratus.com [134.111.82.93]) by mailhub.stratus.com (8.8.5/8.8.2) with ESMTP id OAA26156; Tue, 5 Aug 1997 14:03:50 -0400 (EDT) Received: from (root@localhost) by na2.stratus.com (8.8.5/8.8.5) with SMTP id NAA26331; Tue, 5 Aug 1997 13:58:01 -0400 (EDT) X-OpenMail-Hops: 1 Date: Tue, 5 Aug 97 13:57:31 -0400 Message-Id: In-Reply-To: <3.0.32.19970804135929.006f8da8@brussels.cisco.com> Subject: Re: PPTP & FW-1 MIME-Version: 1.0 TO: evyncke@cisco.com, firewalls-owner@GreatCircle.COM CC: bc17684@90.deere.com, Beall_Linda/na2@na2.stratus.com, Eckler_Richard/na2@na2.stratus.com, Firewalls@GreatCircle.COM, fw-1-mailinglist@us.checkpoint.com Content-Type: text/plain; charset=US-ASCII; name="Re:" Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > PPTP is using: > - a modified GRE tunnel which lays directly on the top > of IP with protocol (I do not have right now the number of the > 
protocol but check in /etc/protocols for the right number) > - a TCP control session to port 5678 (on the PPTP 'server') which > is by the way a funny number ;-) Is it really 5678 ?? I was told that the port was really 1723. And that if I wanted to prevent my users from establishing PPTP sessions .. block outbound (towards the Internet) requests to TCP port 1723. Did I get some bad info ? Dick > > Also beware that PPTP is probably useful for you but do not > trust too much its security... > > -eric > > At 11:45 1/08/97 -0500, Bertrum Carroll wrote: > >I'm attempting to setup a FW-1 filter to support PPTP. > >I'm using FW-1 3.0a on Solaris. > > > >PPTP is not defined, how do I seutp a fitler just for PPTP not all IP? > > > >Thanks In Advance > >Bert Carroll > > > Eric Vyncke > Technical Consultant Cisco Systems Belgium SA/NV > Phone: +32-2-778.4677 Fax: +32-2-778.4300 > E-mail: evyncke@cisco.com Mobile: +32-75-312.458 > From owner-firewalls-outgoing Tue Aug 5 12:37:24 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id MAA04079 for firewalls-outgoing; Tue, 5 Aug 1997 12:12:49 -0700 (PDT) Received: from mycroft.GreatCircle.COM (mycroft.greatcircle.com [198.102.244.35]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id MAA04062 for ; Tue, 5 Aug 1997 12:12:41 -0700 (PDT) Received: from cal052204.student.utwente.nl by mycroft.GreatCircle.COM (8.8.5/SMI-4.1/Brent-970426) id KAA23046; Tue, 5 Aug 1997 10:33:56 -0700 (PDT) Received: by cal052204.student.utwente.nl id <4138-17455>; Tue, 5 Aug 1997 19:13:33 +0200 Date: Tue, 5 Aug 1997 19:13:27 +0200 (CEST) From: Remco van de Meent X-Sender: remco@cal052204.student.utwente.nl To: Nick Simicich cc: Greg Walker , firewalls@GreatCircle.COM Subject: Re: Mail bombing made legal... In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk On Mon, 4 Aug 1997, Nick Simicich wrote: : Yes, it is true. 
You need to change your SMTP server to stop relaying. : You may need to get a new version of sendmail. Looking at the mail Greg posted, he's using a Netscape Mailserver. Which doesn't support anti-relaying. :(( If anyone knows a solution to stop the abuse of Netscape Mailservers as a relay for spamming, please let me know. I already heard a 'solution' like: take another machine, and use Exim on that one. But 'take another machine' is out of the question at the moment :( Remco : : On Mon, 4 Aug 1997, Greg Walker wrote: : : > Date: Mon, 04 Aug 1997 08:02:13 -0500 : > From: Greg Walker : > To: firewalls@GreatCircle.COM : > Subject: Re: Mail bombing made legal... : > : > Ron DuFresne wrote: : > : > > SPECIAL CLOAKING DEVICE: Email Blaster can successfully hide the : > > origin of : > > all email being sent out. Email Blaster can mask itself to look like : > > it : > > came from the recipients own host. This will help stop users from : > > flaming : > > your email box! : > > : > : > Is this for real? I have been getting hundreds of error messages from : > our mail server at night with the following cotent: : > : > Your message was not delivered because the destination computer : > was : > not found. Carefully check that it was spelled correctly and try : > : > sending it again if there were any mistakes. : > : > Host spamco.com not found : > : > The following recipients did not receive this message: : > : > : > : > The original mail envelope addresses are: : > : > User-From: SMTP<> : > Recipient: [] : > : > : > Anybody have any ideas? : > : > Thanks, : > : > Greg Walker : > TAP Publishing Company : > : : Of course my password is the same as my pet's name. : My macaw's name was Q47pY!3, but I change it every 90 days. : Nick Simicich mailto:njs@scifi.squawk.com or (last choice) mailto:njs@us.ibm.com : http://scifi.squawk.com/njs.html -- Stop by and Light Up The World! 
: -- // Remco van de Meent // email: remco@oloon.student.utwente.nl // www: http://oloon.student.utwente.nl // " Never make any mistaeks. " From owner-firewalls-outgoing Tue Aug 5 12:38:42 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id MAA03115 for firewalls-outgoing; Tue, 5 Aug 1997 12:08:34 -0700 (PDT) Received: from siu.cen.buap.mx (siu.buap.mx [148.228.1.1]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id MAA03108 for ; Tue, 5 Aug 1997 12:08:24 -0700 (PDT) Received: by siu.cen.buap.mx (5.x/SMI-SVR4) id AA03599; Tue, 5 Aug 1997 14:20:13 GMT Date: Tue, 5 Aug 1997 14:20:07 +0000 (GMT) From: DOMINGO VARELA YAHUITL X-Sender: ydomingo@siu.buap.mx To: William Burns Cc: joe , Cihan Subasi , Firewalls , Checkpoint Mailing List Subject: How change the ports.. In-Reply-To: <33E66056.24DD71C9@netscape.com> Message-Id: Mime-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Hello all: I have a problem, cannot access from outside a my box, I have Install a Firewall with Linux and the services as the TELNET (tn-gw) and FTP (ftp-gw) using the ports defined by default 23 and 21, yet the other services standar TELNET and FTP want tha use other ports mmm by example for Input/Output ports 2121 and 2323 for telnet and ftp... where can I change this ports... someone of your can helpme please... mmm I used the FWTK TIS ... I down of www.tis.com .. 
thank hope you answer Domingo./ From owner-firewalls-outgoing Tue Aug 5 14:07:33 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id NAA12960 for firewalls-outgoing; Tue, 5 Aug 1997 13:20:26 -0700 (PDT) Received: from mycroft.GreatCircle.COM (mycroft.greatcircle.com [198.102.244.35]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id MAA03644 for ; Tue, 5 Aug 1997 12:11:04 -0700 (PDT) Received: from dencbis94.twcable.com by mycroft.GreatCircle.COM (8.8.5/SMI-4.1/Brent-970426) id KAA23340; Tue, 5 Aug 1997 10:54:23 -0700 (PDT) Received: from denmisf01.twcable.com (denmisf01 [198.59.12.1]) by dencbis94.twcable.com (8.8.5/8.8.5) with ESMTP id LAA18460 for ; Tue, 5 Aug 1997 11:58:07 -0600 (MDT) Received: from denmisf01 (denmisf01 [198.59.12.1]) by denmisf01.twcable.com (8.8.5/8.8.5) with SMTP id LAA27387 for ; Tue, 5 Aug 1997 11:58:05 -0600 (MDT) Date: Tue, 5 Aug 1997 11:58:05 -0600 (MDT) From: mcwilkin X-Sender: mcwilkin@denmisf01 To: firewalls@GreatCircle.COM Subject: NT SMTP/BIND risks - int Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Hi all- We recently had a request from one of our divisions to allow SMTP and BIND traffic to an NT box sitting on our internal network. We are completely NT ignorant. So, I thought I would start here before the research beings:) Our main concern is that we 'DO NOT' know what security risks are involved with NT and those services... If that box gets pounded on via some NT hole we run the risk of internal comprimise. We initialy suggested that they move the server to our DMZ but that wasn't received well. Or, they could set up another server that would then relay to the internal guy... Anyway - any comments, white papers, or NT security sites would be a great help. Thanks -------------------------------------------------------------------------- Michael C. 
Wilkinson | IS - Network Analyst | mcwilkin@twcable.com | 1-303-799-1200 x5773 | -------------------------------------------------------------------------- From owner-firewalls-outgoing Tue Aug 5 14:08:56 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id NAA19205 for firewalls-outgoing; Tue, 5 Aug 1997 13:44:25 -0700 (PDT) Received: from mycroft.GreatCircle.COM (mycroft.greatcircle.com [198.102.244.35]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id NAA18877 for ; Tue, 5 Aug 1997 13:43:25 -0700 (PDT) From: uskanbye@ibmmail.com Received: from ibmmail.COM by mycroft.GreatCircle.COM (8.8.5/SMI-4.1/Brent-970426) id FAA18570; Tue, 5 Aug 1997 05:36:13 -0700 (PDT) Message-Id: <199708051236.FAA18570@mycroft.GreatCircle.COM> Received: from ibmmail by ibmmail.COM (IBM VM SMTP V2R3) with BSMTP id 7309; Tue, 05 Aug 97 08:40:05 EDT Date: Tue, 05 Aug 1997 08:40:01 EDT To: firewalls@GreatCircle.COM X-Sender-Info: Mitchell Ummel CSP CCP EMAIL:mummel@kdhe.state.ks.us Office of Information Systems, Tech Services Section MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Subject: Losing ARP table (and sleep!) w/Eagle Raptor NT 4.0 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Looking for any insight into this problem. For the past several weeks, always during offpeak times (night), we're losing IP connectivity on our external FW interface. This problem has NEVER occurred during working hours. Rebooting the Compaq Proliant system always re-establishes communications. A sniffer trace during the problem, shows that the interface is inserted into the ring (at the MAC level) but even pings to that interface fail. The inside FW interface is always unaffected. Raptor logs and NT event viewer never shows anything significant at the time of failure. The sniffer trace doesn't show any malformed packets, or anything else suspicious (as far as we can tell). 
When I do ARP -a on NT during the problem, the ARP table is gone. After reboot, the ARP table looks fine. We're at NT 4.0 SP#3 on this system, with all latest Raptor patches applied. No changes in the FW or NT config occurred around the time this problem began. To troubleshoot, I've swapped out NIC cards, replaced the entire firewall with another system (running NT 4.0 with NO service packs, and base Raptor Eagle software), but the problem persists even with all these variables changing. Is there some NT vulnerability that's exposing us here? Denial of service attack (what would we look for, that could eat our ARP table?) Raptor NT firewall software bug? Any/all comments welcomed. Thanks! --------KANSAS DEPARTMENT OF HEALTH & ENVIRONMENT--------- ---------------WWW.STATE.KS.US/PUBLIC/KDHE---------------- --------------Landon State Office Building---------------- ------------------Phone (913) 296-5643-------------------- From owner-firewalls-outgoing Tue Aug 5 14:10:27 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id NAA14778 for firewalls-outgoing; Tue, 5 Aug 1997 13:28:25 -0700 (PDT) Received: from mycroft.GreatCircle.COM (mycroft.greatcircle.com [198.102.244.35]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id NAA14601 for ; Tue, 5 Aug 1997 13:27:49 -0700 (PDT) Received: from gotham.mcny.com by mycroft.GreatCircle.COM (8.8.5/SMI-4.1/Brent-970426) id HAA20698; Tue, 5 Aug 1997 07:38:20 -0700 (PDT) Received: from localhost (mcnyweb@localhost) by gotham.mcny.com (8.8.5/8.7.2) with SMTP id KAA09950 for ; Tue, 5 Aug 1997 10:41:26 -0400 (EDT) Date: Tue, 5 Aug 1997 10:41:26 -0400 (EDT) From: Media Connection To: firewalls@GreatCircle.COM Subject: Firewall Vendor Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk We are in the decision making process regarding our firewall vendor. We are going to select one vendor from a list of three. 
Does anyone have any strong feelings, one way or another, regarding their firewall? Thanks, Lou Person lperson@mcny.com From owner-firewalls-outgoing Tue Aug 5 14:12:13 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id NAA16344 for firewalls-outgoing; Tue, 5 Aug 1997 13:34:57 -0700 (PDT) Received: from mycroft.GreatCircle.COM (mycroft.greatcircle.com [198.102.244.35]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id NAA16109 for ; Tue, 5 Aug 1997 13:33:37 -0700 (PDT) Received: from pandora.gsionline.com by mycroft.GreatCircle.COM (8.8.5/SMI-4.1/Brent-970426) id HAA20089; Tue, 5 Aug 1997 07:01:18 -0700 (PDT) Received: from pandora.gsionline.com by pandora.gsionline.com (NTMail 3.02.09) with ESMTP id ua166966 for ; Tue, 5 Aug 1997 10:01:38 -0400 Message-Id: <3.0.1.32.19970805095834.009a87b8@peter> X-Sender: nbk#204.254.209.2@peter X-Mailer: Windows Eudora Light Version 3.0.1 (32) Date: Tue, 05 Aug 1997 09:58:34 -0400 To: From: Nick Keenan Subject: Re: Mail bombing made legal... Cc: firewalls@GreatCircle.COM In-Reply-To: <199708050750.JAA05055@fw4.tns.co.za> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: firewalls-owner@GreatCircle.COM Precedence: bulk >You can trace the any e-mail back to the >original SMTP server using the headers. Fake headers are usually easy to >spot. I think you're being a little Unix-centric. What if I have a Windows NT machine, and I load up NTmail (a SMTP server for NT), and I get an IP address from my favorite ISP -- perhaps aol.com, perhaps some small local operation -- and I start blasting out spam. How's anyone going to be able to trace that? 
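Added example (not part of any post in this thread): one way to read a Received chain along the lines discussed above, trusting the peer address recorded by your own server and accepting each older hop only if it was written by the host the newer hop saw connecting. The sample message, host names and addresses are constructed, and the regular expression assumes the sendmail 8.x header layout seen in this archive.

```python
import re
from email import message_from_string

# Constructed sample: documentation addresses and example.* names only.
# mx.example.org stands for the reader's own (trusted) mail server.
SAMPLE = """\
Received: from relay.example.net (relay.example.net [198.51.100.7])
\tby mx.example.org (8.8.5/8.8.5) with ESMTP id AAA00001;
\tTue, 5 Aug 1997 10:00:03 -0400 (EDT)
Received: from mail.bigisp.example (dialup-42.pool.example.net [192.0.2.42])
\tby relay.example.net (8.8.5/8.8.5) with SMTP id AAA00002;
\tTue, 5 Aug 1997 10:00:01 -0400 (EDT)
Received: from workstation (localhost [127.0.0.1])
\tby mail.bigisp.example (8.6.12/8.6.12) with SMTP id AAA00003;
\tTue, 5 Aug 1997 09:59:58 -0400 (EDT)
From: sender@bigisp.example
To: user@example.org
Subject: constructed test message

body
"""

# Sendmail 8.x style: from HELO (rDNS [IP]) by HOST ...; the rDNS name may be absent.
HOP_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?P<rdns>[^\s\[\]()]+)?\s*\[(?P<ip>[0-9.]+)\]\)"
    r"\s+by\s+(?P<by>\S+)",
    re.IGNORECASE,
)


def parse_hops(raw):
    """Return the Received hops newest-first; unparseable headers become None."""
    msg = message_from_string(raw)
    hops = []
    for value in msg.get_all("Received", []):
        m = HOP_RE.search(value)  # \s+ also spans folded header lines
        hops.append(m.groupdict() if m else None)
    return hops


def trace(raw):
    """Walk the chain from our own server downwards.

    Hop 0 was written by our server, so its peer IP is what actually connected.
    An older hop is accepted only if its 'by' host equals the peer name the
    newer hop recorded. This is a heuristic: real relays may use several names.
    """
    accepted, findings = [], []
    for i, hop in enumerate(parse_hops(raw)):
        if hop is None:
            findings.append(f"hop {i}: unrecognised format, chain stops here")
            break
        if i > 0:
            peer = accepted[-1]["rdns"]
            if peer is None or hop["by"].lower() != peer.lower():
                findings.append(
                    f"hop {i}: written by {hop['by']} but the previous server "
                    f"saw {peer or accepted[-1]['ip']}; this and older hops are unverified"
                )
                break
        accepted.append(hop)
        # The HELO name is chosen by the client; the bracketed IP is not.
        if hop["rdns"] and hop["helo"].lower() != hop["rdns"].lower():
            findings.append(
                f"hop {i}: HELO name {hop['helo']} does not match "
                f"{hop['rdns']} [{hop['ip']}]"
            )
    origin = accepted[-1]["ip"] if accepted else None
    return {"accepted": accepted, "origin_ip": origin, "findings": findings}


if __name__ == "__main__":
    result = trace(SAMPLE)
    print("last credible connecting IP:", result["origin_ip"])
    for line in result["findings"]:
        print(" -", line)
```

The address it returns is only the last connecting IP that a credible server recorded; when that is a dial-up pool address, tying it to a customer still needs the ISP's own logs.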
From owner-firewalls-outgoing Tue Aug 5 14:13:20 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id NAA15871 for firewalls-outgoing; Tue, 5 Aug 1997 13:32:40 -0700 (PDT) Received: from mycroft.GreatCircle.COM (mycroft.greatcircle.com [198.102.244.35]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id NAA15816 for ; Tue, 5 Aug 1997 13:32:27 -0700 (PDT) Received: from lms02.us1.ibm.com by mycroft.GreatCircle.COM (8.8.5/SMI-4.1/Brent-970426) id HAA20511; Tue, 5 Aug 1997 07:28:44 -0700 (PDT) Received: from d04lms02.raleigh.ibm.com by lms02.us1.ibm.com (AIX 4.1/UCB 5.64/4.03) id AA86030; Tue, 5 Aug 1997 14:36:38 GMT Received: by US.IBM.COM (Soft-Switch LMS 2.0) with snapi via D04AU008 id 5040200003893577; Tue, 5 Aug 1997 10:40:15 -0400 From: Tom Noonan To: Subject: Test participants Message-Id: <5040200003893577000002L072*@MHS> Date: Tue, 5 Aug 1997 10:40:15 -0400 Mime-Version: 1.0 Content-Type: text/plain Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Subject: Wanted: Server administrators from the Research Triangle Park, NC area to evaluate IBM products at our site in RTP, NC. IBM will compensate your time with a $100 honorarium. The IBM Network Computing on Demand team is looking for server administrators to come to our Research Triangle Park, NC site for a 3 hour meeting to be held during the weeks of August 18th or 25th (date still to be determined) to participate in a design review of a server configuration product. Participants should have some experience with the configuration and administration of at least one of the following servers: * Domain Name System (DNS) * Dynamic Host Configuration Protocol (DHCP) * NFS * TIMED * TFTPD It would also be useful if participants have some insight into profile and application management and have input into the implementation of business policies for the administration of IT resources. 
The design review will demonstrate design and functions planned for the product and how we envision it will enable administrators to configure servers. Following this, we will discuss the design and how it will support your job responsibilities. We are looking for participants with at least 2 years of server configuration and administration experience. **If you are interested: ** If you are interested in participating in this design review, please fill out the questions below and send it to tnoonan@us.ibm.com. If you have questions. If you are interested in participating in such an activity, but will not be available for these particular sessions, please let me know so we can contact you for future sessions. We will have similar activities in the future. If you are not interested, but know of someone who may be, please have them call or write me. Thank you. Tom Noonan ----------------------------------------------------------------------------------------------------------------- ** Questionnaire - please fill this out and send back if you're interested ** Name: E-mail: Phone: Fax: Company: Job Title: Briefly list your experience with server configuration and administration, etc. (e.g., job responsibilities, tasks, etc.): How much experience do you have configuring and administering each of the following services: Very Much Some None DDNS ___ ___ ___ DHCP ___ ___ ___ NFS ___ ___ ___ TFTPD ___ ___ ___ TIMED ___ ___ ___ Other services? (name the server and the extent of your experience): Very Server Much Some None _______ ___ ___ ___ _______ ___ ___ ___ _______ ___ ___ ___ _______ ___ ___ ___ Y/N Do you have responsibility for users at your location (i.e., determine the clients and servers they have access to, administer their IDs and passwords, etc.)? If so, please elaborate. Y/N Please describe any responsibilities you may have regarding the deployment and administration of business policies that pertain to IT resources. 
Tom Noonan, TNOONAN@us.ibm.com IBM Software Solutions Human Factors & Usability From owner-firewalls-outgoing Tue Aug 5 15:07:21 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id OAA25236 for firewalls-outgoing; Tue, 5 Aug 1997 14:26:02 -0700 (PDT) Received: from mycroft.GreatCircle.COM (mycroft.greatcircle.com [198.102.244.35]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id NAA18747 for ; Tue, 5 Aug 1997 13:42:57 -0700 (PDT) From: mjmccann@connect.ie Received: from ook.connect.ie by mycroft.GreatCircle.COM (8.8.5/SMI-4.1/Brent-970426) id EAA17976; Tue, 5 Aug 1997 04:42:59 -0700 (PDT) Received: from localhost (d1-ppp-134.connect.ie [194.106.128.134]) by ook.connect.ie (8.8.6/.44/NR) with SMTP id MAA23024 for ; Tue, 5 Aug 1997 12:51:55 +0100 (BST) Message-Id: <3.0.2.16.19970805123614.30571452@pop.connect.ie> X-Sender: mjmccann@pop.connect.ie X-Mailer: QUALCOMM Windows Eudora Light Version 3.0.2 (16) Date: Tue, 05 Aug 1997 12:36:14 To: Firewalls Subject: Firewalls don't work Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Wondering if Firewalls actually work, I decided to send an unsolicited E-mail to the Firewalls Mailing list with the words "Multi Level" in the text to clearly indicate a bulk mailing for an unsolicited product. 4 persons replied objecting (one even writing to my postmaster). 19 persons requested details of the product! Back to the drawing boards and a new type of filters, boys and girls. Kind regards Michael ====================================== One single piece of good news brightens the darkest day. 
Proverb ====================================== From owner-firewalls-outgoing Tue Aug 5 15:08:48 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id OAA25459 for firewalls-outgoing; Tue, 5 Aug 1997 14:28:19 -0700 (PDT) Received: from mycroft.GreatCircle.COM (mycroft.greatcircle.com [198.102.244.35]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id NAA16142 for ; Tue, 5 Aug 1997 13:33:43 -0700 (PDT) Received: from bdc9000.pccmis.com by mycroft.GreatCircle.COM (8.8.5/SMI-4.1/Brent-970426) id HAA20280; Tue, 5 Aug 1997 07:12:58 -0700 (PDT) Received: by bdc9000.pccmis.com with Microsoft Exchange (IMC 4.0.837.3) id <01BCA186.CF1D6130@bdc9000.pccmis.com>; Tue, 5 Aug 1997 10:03:23 -0400 Message-ID: From: Chris Brenton Cc: "'firewalls@GreatCircle.COM'" Subject: RE: Mail bombing made legal... Date: Tue, 5 Aug 1997 10:03:20 -0400 X-Mailer: Microsoft Exchange Server Internet Mail Connector Version 4.0.837.3 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > Ron DuFresne wrote: > > > SPECIAL CLOAKING DEVICE: Email Blaster can successfully hide the > > origin of > > all email being sent out. Email Blaster can mask itself to look like > > it > > came from the recipients own host. This will help stop users from > > flaming > > your email box! > > > > Is this for real? I have been getting hundreds of error messages from our mail server at night with the following content: I'm on a few lists which accept postings only from list subscribers. Spamming has dropped to near zero. Any chance of configuring this list the same way? 
From owner-firewalls-outgoing Tue Aug 5 15:10:15 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id OAA25355 for firewalls-outgoing; Tue, 5 Aug 1997 14:27:12 -0700 (PDT) Received: from mycroft.GreatCircle.COM (mycroft.greatcircle.com [198.102.244.35]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id NAA18755 for ; Tue, 5 Aug 1997 13:42:59 -0700 (PDT) Received: from www.valuu.net by mycroft.GreatCircle.COM (8.8.5/SMI-4.1/Brent-970426) id FAA18438; Tue, 5 Aug 1997 05:28:14 -0700 (PDT) Received: from fd.valuu.net ([204.252.40.3]) by www.valuu.net (post.office MTA v1.9.1 ID# 0-11837) with SMTP id AAA244; Tue, 5 Aug 1997 08:34:28 -0400 Received: by fd.valuu.net with Microsoft Mail id <01BCA179.BCB7AD00@fd.valuu.net>; Tue, 5 Aug 1997 08:29:48 -0400 Message-ID: <01BCA179.BCB7AD00@fd.valuu.net> From: rabbi@www.valuu.net (Rabbi Haim Cassorla) To: "'firewalls@GreatCircle.COM'" , "'Tom Noonan'" Subject: RE: Request for design evaluation participants Date: Tue, 5 Aug 1997 08:29:44 -0400 MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Hey Tom, that was neat!! Are we talking contract or employment? Long term or short term? Salary scale? Shalom Beracha VeTova Rabbi Haim Cassorla ---------- From: Tom Noonan[SMTP:tnoonan@us.ibm.com] Sent: Monday, August 04, 1997 1:41 PM To: firewalls@GreatCircle.COM Subject: Request for design evaluation participants I'm somewhat new to this listserv. Can someone tell me the policy of this listserv for submitting a note to recruit participants for product design evaluations, etc.? 
Tom TNOONAN@us.ibm.com (919)254-4257: TL(444) IBM Software Solutions Human Factors & Usability From owner-firewalls-outgoing Tue Aug 5 15:12:09 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id OAA25546 for firewalls-outgoing; Tue, 5 Aug 1997 14:29:26 -0700 (PDT) Received: from mycroft.GreatCircle.COM (mycroft.greatcircle.com [198.102.244.35]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id NAA16155 for ; Tue, 5 Aug 1997 13:33:45 -0700 (PDT) From: jim@coltano.stortek.com Received: from stortek.com by mycroft.GreatCircle.COM (8.8.5/SMI-4.1/Brent-970426) id GAA19521; Tue, 5 Aug 1997 06:34:12 -0700 (PDT) Received: from coltano.stortek.com (coltano.stortek.com [129.80.40.2]) by stortek.com (8.8.5/8.7.3) with ESMTP id HAA10490 for ; Tue, 5 Aug 1997 07:38:08 -0600 (MDT) Received: (from jim@localhost) by coltano.stortek.com (8.8.6/8.8.6) id HAA04403; Tue, 5 Aug 1997 07:38:07 -0600 (MDT) Date: Tue, 5 Aug 1997 07:38:07 -0600 (MDT) Message-Id: <199708051338.HAA04403@coltano.stortek.com> To: firewalls@GreatCircle.COM Subject: Re: Mail bombing made legal... Cc: firewalls@GreatCircle.COM X-Sun-Charset: US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Billy Verreynne wrote: A bit off topic, but anyway. :-) This is totally bullshit IMHO. You can trace any e-mail back to the original SMTP server using the headers. Fake headers are usually easy to spot. When in doubt I use telnet to get into the SMTP servers one at a time, up the sendmail stream, and then e-mail myself to see how a real header from that server looks like. Yes, you can 'try' to trace these clowns with the headers, but more often than not it gets you nowhere. I have seen too many where the originating host is on a subnet that is firewalled, the host does not run an smtp daemon, or the host 'conveniently' claims all responses are to user unknown. 
And with so many picking arbitrary hosts as mailer relays, and then disappearing, where do you go? I have also seen too many using fictitious domain names, as well as using the private address spaces to further compound the problems. From owner-firewalls-outgoing Tue Aug 5 16:36:48 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id QAA17012 for firewalls-outgoing; Tue, 5 Aug 1997 16:32:39 -0700 (PDT) Received: from odin.wf.net (odin.wf.net [208.129.168.4]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id QAA16983 for ; Tue, 5 Aug 1997 16:32:32 -0700 (PDT) Received: from dpm1-3.wf.net (dpm1-3.wf.net [206.97.254.32]) by odin.wf.net (8.8.5/8.7.3) with SMTP id SAA09055 for ; Tue, 5 Aug 1997 18:57:59 -0500 (CDT) Received: by dpm1-3.wf.net with Microsoft Mail id <01BCA1CE.0E94D0E0@dpm1-3.wf.net>; Tue, 5 Aug 1997 18:33:23 -0500 Message-ID: <01BCA1CE.0E94D0E0@dpm1-3.wf.net> From: "Jay W. Kent" To: "firewalls-digest@GreatCircle.COM" Subject: Are firewalls for anyone on internet? Date: Tue, 5 Aug 1997 18:30:20 -0500 MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Hi, Been on the net awhile. However, not a computer expert. The more I see the more vulnerable I feel. Are there products for the average person to use to protect his/her computer when on the internet? Are they windows-based? 
Thanks jaykent@wf.net From owner-firewalls-outgoing Tue Aug 5 16:37:58 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id PAA07449 for firewalls-outgoing; Tue, 5 Aug 1997 15:28:05 -0700 (PDT) Received: from mycroft.GreatCircle.COM (mycroft.greatcircle.com [198.102.244.35]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id PAA07173 for ; Tue, 5 Aug 1997 15:27:18 -0700 (PDT) Received: from nwau.nw.mt.np.els-gms.att.net by mycroft.GreatCircle.COM (8.8.5/SMI-4.1/Brent-970426) id DAA17570; Tue, 5 Aug 1997 03:55:36 -0700 (PDT) Date: Tue, 05 Aug 1997 06:19:00 +0000 From: LPTPOMEROY!LPTMAIL!msw0101@thebault.attmail.com (Internet Info) Received: from thebault by attmail; Tue Aug 5 10:59 GMT 1997 Subject: ANS Interlock To: firewalls@GreatCircle.COM ('firewalls@greatcircle.com') Mime-Version: 1.0 Content-Type: multipart/mixed; boundary="_33e70791.63f0.0_nwaumail.att.net=_" Message-ID: Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > THIS IS A MESSAGE IN 'MIME' FORMAT. Your mail reader may not support MIME. > Some parts of this will be readable as plain text. > To see the rest, you may need to upgrade your mail reader. --_33e70791.63f0.0_nwaumail.att.net=_ Content-Type: Text/Plain; charset=us-ascii Content-Transfer-Encoding: 7bit Hey Guys I am new to this list. I have been reading the past several digest issues of this newsgroup in hopes of finding good information on the ANS Interlock Firewall. I am looking for information other than the information given at http://www.ans.net. I am also looking for the advantages and disadvantages of the ANS Interlock Firewall. Can anyone help? 
Thanks 
From owner-firewalls-outgoing Tue Aug 5 16:39:40 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id OAA25598 for firewalls-outgoing; Tue, 5 Aug 1997 14:30:41 -0700 (PDT) Received: from mycroft.GreatCircle.COM (mycroft.greatcircle.com [198.102.244.35]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id NAA14684 for ; Tue, 5 Aug 1997 13:28:02 -0700 (PDT) Received: from alpha2.curtin.edu.au by mycroft.GreatCircle.COM (8.8.5/SMI-4.1/Brent-970426) id HAA20632; Tue, 5 Aug 1997 07:33:43 -0700 (PDT) Received: from rara22.curtin.edu.au (rara22.curtin.edu.au) by alpha2.curtin.edu.au (PMDF V5.0-6 #7809) id <01IM3I93TER4DK82U7@alpha2.curtin.edu.au> for firewalls@GreatCircle.COM; Tue, 05 Aug 1997 22:40:34 +0800 Date: Tue, 05 Aug 1997 22:39:28 +0800 From: Bret Watson Subject: Best Practice? - internet + multiple RAS X-Sender: climbing@skuld.cage.curtin.edu.au To: firewalls@GreatCircle.COM Message-id: MIME-version: 1.0 Content-type: text/plain; charset="us-ascii" Content-transfer-encoding: 7BIT Sender: firewalls-owner@GreatCircle.COM Precedence: bulk We have a client with a remote access problem. Basically they have a large number of semi-permanent ISDN lines as part of their WAN as well as a number of modems for the more remote points. Added to that is the requirement for their IT people to have access from home and for the computer supplier to have access (mainly dial out) for maintenance. Yes there's more! There are also plans for the marketing dept to have access remotely from clients premises and for clients to have access for account management. The core protocol on the LAN is TCP/IP. The IT people need complete access to the network, whilst most of the rest will only need access to the main CPU. The protocol used by the WAN offices is telnet. My question.... what is the best practice for this? 
Yours, Bret Bret Watson & Associates, Computer Security Consultants Bret.Watson@bwa.net http://www.bwa.net/ Phone: +61 41 4411 149 (local time UTC +8) Fax: +61 8 9454 6042 From owner-firewalls-outgoing Tue Aug 5 16:40:49 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id OAA25618 for firewalls-outgoing; Tue, 5 Aug 1997 14:30:54 -0700 (PDT) Received: from grtk (grtk.com [204.149.246.3]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id OAA25596 for ; Tue, 5 Aug 1997 14:30:40 -0700 (PDT) Received: from challenger.grtk.com (challenger.grtk.com [150.1.10.32]) by grtk (8.6.9/8.6.9) with ESMTP id RAA01456 for ; Tue, 5 Aug 1997 17:49:14 -0400 Received: by challenger.grtk.com with Internet Mail Service (5.0.1457.3) id ; Tue, 5 Aug 1997 17:24:50 -0400 Message-ID: <5743F218BEC0D011825C0060B01AC1F60AFDB8@challenger.grtk.com> From: John Cross To: Firewalls@GreatCircle.COM Subject: Website to Fake email as a service Date: Tue, 5 Aug 1997 17:24:48 -0400 X-Priority: 3 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.0.1457.3) Content-Type: text/plain; charset="iso-8859-1" Sender: firewalls-owner@GreatCircle.COM Precedence: bulk What will they think of next. Yes, www.aprilfools.com will allow you to generate a fake email from anyone and send it to someone else as a "joke". It has a preconfigured form for its standard 'smut surfer' alerts and so forth, but it is totally editable, so you can send anything you want. My CFO received a message from the head of HR warning him about his Internet surfing habits. Needless to say, the wording and so forth was not well received. Well, for list content, how can I track who initiated the mail message? I tracked the headers back to the mail server of the www.aprilfools.com site, and contacted the administrator there. He was actually helpful and gave me the IP address of the browser that initiated the mail form. 
Anyone know how I can take that IP address and trace it back to a source domain? I can ping the address, but I don't know how to do a reverse lookup on IP to get a domain name so I can contact that administrator to track the address further. (Someone mentioned DIG, but I have no idea what that is) Also, anyone have suggestions for protecting my uneducated users from further spoofed mail? Thanks, John From owner-firewalls-outgoing Tue Aug 5 16:41:59 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id OAA24261 for firewalls-outgoing; Tue, 5 Aug 1997 14:22:08 -0700 (PDT) Received: from mycroft.GreatCircle.COM (mycroft.greatcircle.com [198.102.244.35]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id NAA18729 for ; Tue, 5 Aug 1997 13:42:55 -0700 (PDT) Received: from relay.nswc.navy.mil by mycroft.GreatCircle.COM (8.8.5/SMI-4.1/Brent-970426) id EAA17993; Tue, 5 Aug 1997 04:45:52 -0700 (PDT) Received: from joatmon (joatmon.nswc.navy.mil) by relay.nswc.navy.mil (4.1/SMI-4.1) id AA20083; Tue, 5 Aug 97 07:49:54 EDT Received: by joatmon (4.1/SMI-4.1) id AA16310; Tue, 5 Aug 97 07:49:45 EDT Date: Tue, 5 Aug 97 07:49:45 EDT From: snorthc@nswc.navy.mil (Stephen Northcutt - CD2S) Message-Id: <9708051149.AA16310@joatmon> To: Firewalls@GreatCircle.COM Subject: Re: PPTP & FW-1 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk >I'm attempting to setup a FW-1 filter to support PPTP. >I'm using FW-1 3.0a on Solaris. > >PPTP is not defined, how do I set up a filter just for PPTP not all IP? > >Thanks In Advance >Bert Carroll Hmmm, we did this in class last week, it's not as GUI as one might think! 
Try: Define service pptp TCP 5678 "control" Define service, other, match IP_P = 47 Define service, other match IP_P = 47, ([20:2, b]) & 0xEF7F = 0x2001, [22:2, b] = 0x800 Maybe that will get you close :) From owner-firewalls-outgoing Tue Aug 5 16:42:59 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id OAA00818 for firewalls-outgoing; Tue, 5 Aug 1997 14:55:17 -0700 (PDT) Received: from mycroft.GreatCircle.COM (mycroft.greatcircle.com [198.102.244.35]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id OAA24561 for ; Tue, 5 Aug 1997 14:23:07 -0700 (PDT) Received: from europa.lif.icnet.uk by mycroft.GreatCircle.COM (8.8.5/SMI-4.1/Brent-970426) id CAA16421; Tue, 5 Aug 1997 02:41:17 -0700 (PDT) Received: from skippy.lif.icnet.uk by europa.lif.icnet.uk with SMTP(5.65v3.0/6.2); Tue, 5 Aug 1997 10:43:07 +0100 X-Sender: wright@icrf.icnet.uk Message-Id: In-Reply-To: References: <33E5D2D5.61AF05DD@trade-a-plane.com> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Date: Tue, 5 Aug 1997 10:43:03 +0100 To: firewalls@GreatCircle.COM From: Mike Wright Subject: Re: Mail bombing made legal... Sender: firewalls-owner@GreatCircle.COM Precedence: bulk At 7:48 pm +0100 4/8/97, Richard Pouncy wrote: >Yes, I have been fighting this type of shit for sometime now. What they >are doing is bounding the mail off sites like earthlink or at&t >to delivery the mail to your system. So rather than send the spam themselves, they relay it through another (innocent) service provider's machine and make that machine do all the hard work for them clogging up their mail queues. This basically amounts to theft of services - CPU time and bandwidth. Mike Wright, Network Support, Phone 0171 269 3618. 
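Added example, not part of any post in this archive: the Received-header tracing debated in the "Mail bombing made legal..." messages above, written in Python. It walks a Received chain oldest-first, flags hops that record a private address, missing or mismatched reverse DNS, or a break in the chain, and reports the last connecting address recorded by a host you control. All hostnames, addresses, finding labels and function names are constructed for illustration.

```python
import ipaddress
import re

# RFC 1918 ranges, listed explicitly (the constructed sample uses documentation addresses).
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# sendmail-style form, as in this archive's own headers:
#   from <HELO name> (<reverse-DNS name> [<ip>]) by <receiving host> ...
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?:(?P<rdns>[^\s\[\]]+)\s+)?\[(?P<ip>[0-9.]+)\]\)"
    r"\s+by\s+(?P<by>\S+)",
    re.IGNORECASE,
)


def parse_hop(value):
    """Return helo/rdns/ip/by for one Received value, or None if it does not parse."""
    m = RECEIVED_RE.search(" ".join(value.split()))  # undo header folding
    if m is None:
        return None
    return {k: (v.lower() if v else None) for k, v in m.groupdict().items()}


def trace(received_values):
    """received_values: Received values in message order (newest first).
    Returns (hops oldest-first, [(hop index, finding), ...])."""
    hops = [parse_hop(v) for v in reversed(received_values)]
    findings = []
    for i, hop in enumerate(hops):
        if hop is None:
            findings.append((i, "unparsed"))
            continue
        try:
            addr = ipaddress.ip_address(hop["ip"])
        except ValueError:
            findings.append((i, "bad-ip"))
        else:
            if any(addr in net for net in RFC1918):
                findings.append((i, "private-address"))
        # The name in parentheses is what the receiving server resolved;
        # the name before it is only what the sender claimed in HELO.
        if hop["rdns"] is None:
            findings.append((i, "no-reverse-dns"))
        elif hop["rdns"] != hop["helo"]:
            findings.append((i, "helo-mismatch"))
        # The host that accepted this hop should be the sender of the next one.
        nxt = hops[i + 1] if i + 1 < len(hops) else None
        if nxt is not None and hop["by"] not in (nxt["helo"], nxt["rdns"]):
            findings.append((i, "chain-break"))
    return hops, findings


def last_verified_source(received_values, trusted_hosts):
    """Connecting IP recorded by the outermost host you run yourself.
    Anything older than that header is a claim made by someone else."""
    source = None
    for value in received_values:  # newest first
        hop = parse_hop(value)
        if hop is None or hop["by"] not in trusted_hosts:
            break
        source = hop["ip"]
    return source


# Constructed sample chain, newest header first.
SAMPLE = [
    "from relay.example.net (relay.example.net [198.51.100.25]) "
    "by mx.corp.example (8.8.5/8.8.5) with ESMTP id AAA001; Tue, 5 Aug 1997 13:00:02 -0700",
    "from mail.bigisp.example (dialup-17.smallisp.example [203.0.113.77]) "
    "by relay.example.net (8.8.5) with SMTP id BBB002; Tue, 5 Aug 1997 12:59:58 -0700",
    "from localhost ([10.1.2.3]) "
    "by smtp.other.example with SMTP id CCC003; Tue, 5 Aug 1997 12:59:40 -0700",
]

if __name__ == "__main__":
    hops, findings = trace(SAMPLE)
    for index, finding in findings:
        print(f"hop {index} ({hops[index]['ip']}): {finding}")
    print("last verified source:", last_verified_source(SAMPLE, {"mx.corp.example"}))
```

A report with no findings only means the chain is self-consistent; the one address that is independently verified is the one recorded by a host you run.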
From owner-firewalls-outgoing Tue Aug 5 16:44:34 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id OAA29990 for firewalls-outgoing; Tue, 5 Aug 1997 14:52:35 -0700 (PDT) Received: from mycroft.GreatCircle.COM (mycroft.greatcircle.com [198.102.244.35]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id OAA24567 for ; Tue, 5 Aug 1997 14:23:09 -0700 (PDT) Received: from adams.iclnet.co.uk by mycroft.GreatCircle.COM (8.8.5/SMI-4.1/Brent-970426) id DAA17300; Tue, 5 Aug 1997 03:33:20 -0700 (PDT) Received: from mjonesnb (braconnect67.icl.net [194.176.196.67]) by adams.iclnet.co.uk (8.8.3/8.6.9) with SMTP id LAA25910; Tue, 5 Aug 1997 11:35:35 -0100 (GMT) Message-ID: <33E702AA.10C@iclnet.co.uk> Date: Tue, 05 Aug 1997 11:38:34 +0100 From: x Reply-To: markj@iclnet.co.uk X-Mailer: Mozilla 3.01C (Win95; I) MIME-Version: 1.0 To: Bertrum Carroll CC: "Firewalls@GreatCircle.COM" , "fw-1-mailinglist@us.checkpoint.com" Subject: Re: [FW1] PPTP & FW-1 References: <33E212A8.DF93D35F@90.deere.com> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Bertrum Carroll wrote: > > I'm attempting to setup a FW-1 filter to support PPTP. > I'm using FW-1 3.0a on Solaris. > > PPTP is not defined, how do I set up a filter just for PPTP not all IP? > > Thanks In Advance > Bert Carroll ***************************** Bert, I've got exactly the same issue. Any information on running or proof of somebody running PPTP through Solaris FW-1 V3 would be useful. Cheers ...... 
Mark Jones UK From owner-firewalls-outgoing Tue Aug 5 16:46:54 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id OAA26044 for firewalls-outgoing; Tue, 5 Aug 1997 14:33:39 -0700 (PDT) Received: from mycroft.GreatCircle.COM (mycroft.greatcircle.com [198.102.244.35]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id NAA14691 for ; Tue, 5 Aug 1997 13:28:03 -0700 (PDT) Received: from snmpmgr.state.tn.us by mycroft.GreatCircle.COM (8.8.5/SMI-4.1/Brent-970426) id HAA20898; Tue, 5 Aug 1997 07:52:36 -0700 (PDT) Received: from langate.tnet.state.tn.us by snmpmgr.state.tn.us with SMTP id AA08847 (5.67b/IDA-1.5 for ); Tue, 5 Aug 1997 09:55:57 -0500 Received: from tn01-Message_Server by langate.tnet.state.tn.us with Novell_GroupWise; Mon, 04 Aug 1997 10:41:51 -0500 Message-Id: X-Mailer: Novell GroupWise 4.1 Date: Mon, 04 Aug 1997 10:41:02 -0500 From: "Samuel T. Baker" To: firewalls@GreatCircle.COM Cc: mhorn@funb.com Subject: Re: Bloomberg -Reply -Reply Mime-Version: 1.0 Content-Type: text/plain Content-Disposition: inline Sender: firewalls-owner@GreatCircle.COM Precedence: bulk ** Low Priority ** Does the Open Bloomberg controller function like a firewall? Does it preclude any direct traffic between the customer network and the Bloomberg networks? Does the Bloomberg controller mediate communication between Bloomberg and the customers? What measures are appropriate to guard this connection and protect the internal network? How confident are you that the Bloomberg controller can be trusted to not route IP traffic? Sam >>> "Mark Horn [ Net Ops ]" 16:35 31 Jul1997 >>> [snip] Actually, it's the Open Bloomberg controller operates as the client. The Open Bloomberg software running on the PC is the server. In other words, the Open Bloomberg controller initiates connections to the software running on the PC. If the PC software isn't running, this connection fails. The controller waits a while and then tries again. 
When the software on the PC is running, the connection will succeed the PC software can communicate with the controller. -- Mark Horn PGP Public Key available at: http://www.es.net/hypertext/pgp.html PGP KeyID/fingerprt: 00CBA571/32 4E 4E 48 EA C6 74 2E 25 8A 76 E6 04 A1 7F C1 From owner-firewalls-outgoing Tue Aug 5 16:48:03 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id OAA26118 for firewalls-outgoing; Tue, 5 Aug 1997 14:35:04 -0700 (PDT) Received: from mycroft.GreatCircle.COM (mycroft.greatcircle.com [198.102.244.35]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id NAA14698 for ; Tue, 5 Aug 1997 13:28:05 -0700 (PDT) From: GABRIEL_TORRES@Non-HP-LatinAmerica-om1.om.hp.com Received: from palrel3.hp.com by mycroft.GreatCircle.COM (8.8.5/SMI-4.1/Brent-970426) id HAA20846; Tue, 5 Aug 1997 07:46:39 -0700 (PDT) Received: from i3125om6.atl.hp.com (i3125om6.atl.hp.com [15.45.88.75]) by palrel3.hp.com (8.8.5/8.8.5) with ESMTP id HAA07890 for ; Tue, 5 Aug 1997 07:50:41 -0700 (PDT) Received: from localhost (root@localhost) by i3125om6.atl.hp.com with SMTP (8.7.1/8.7.3 TIS 5.0 Openmail) id KAA12369 for firewalls@greatcircle.com; Tue, 5 Aug 1997 10:51:46 -0400 (EDT) X-OpenMail-Hops: 1 Date: Tue, 5 Aug 97 10:51:34 -0400 Message-Id: Subject: MIME-Version: 1.0 TO: firewalls@GreatCircle.COM Content-Type: multipart/alternative; boundary=openmail-part-05e2cd66-00000002 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk --openmail-part-05e2cd66-00000002 Content-Type: text/plain; charset=ISO-8859-1 Content-Disposition: attachment Content-Transfer-Encoding: quoted-printable remove 
From owner-firewalls-outgoing Tue Aug 5 16:49:07 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id OAA26168 for firewalls-outgoing; Tue, 5 Aug 1997 14:36:22 -0700 (PDT) Received: from grtk (grtk.com [204.149.246.3]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id OAA26158 for ; Tue, 5 Aug 1997 14:36:10 -0700 (PDT) Received: from challenger.grtk.com (challenger.grtk.com [150.1.10.32]) by grtk (8.6.9/8.6.9) with ESMTP id RAA01464 for ; Tue, 5 Aug 1997 17:54:54 -0400 Received: by challenger.grtk.com with Internet Mail Service (5.0.1457.3) id ; Tue, 5 Aug 1997 17:30:29 -0400 Message-ID: <5743F218BEC0D011825C0060B01AC1F60AFDB9@challenger.grtk.com> From: John Cross To: Firewalls@GreatCircle.COM Cc: Dick_Wall@stratus.com Subject: RE: Web Oriented Mail Clients Date: Tue, 5 Aug 1997 17:30:26 -0400 X-Priority: 3 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.0.1457.3) Content-Type: text/plain Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Well, if you're looking for a specific platform, MS Exchange does support the functionality using SSL. Also, some of the larger firewalls support an access client that allows users to come in through the internet from the outside. 
These usually use a synced password that changes after each use. ---------- From: Ryan Russell/SYBASE[SMTP:Ryan.Russell@sybase.com] Sent: Monday, August 04, 1997 8:36 AM To: Dick_Wall Cc: firewalls Subject: Re: Web Oriented Mail Clients This is a limited form of VPN. A good 128-bit SSL client will take care of the encryption piece handily. You still need to worry about authentication though. Encryption can't keep users from mismanaging passwords. You might consider authentication tokens. Ryan ---------- Previous Message ---------- To: firewalls cc: From: Dick_Wall@stratus.com @ smtp Date: 08/02/97 03:25:21 PM Subject: Web Oriented Mail Clients Hello all .. I apologize if I'm asking a question that has been recently discussed .. I've been off the list for a while and have missed recent dialogues. The question is ... I'm getting approached by various groups in my company, that want to use Web oriented email clients, to access our email servers. That is, they want to use the clients from the Internet points, to access servers on the trusted/internal side of our network. They'd like us therefore, to allow http access through the firewall. We don't allow that now, and I don't plan to allow it in the future. Is there a secure means for providing such email access? 
Dick From owner-firewalls-outgoing Tue Aug 5 16:50:43 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id OAA26178 for firewalls-outgoing; Tue, 5 Aug 1997 14:37:08 -0700 (PDT) Received: from mycroft.GreatCircle.COM (mycroft.greatcircle.com [198.102.244.35]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id NAA21144 for ; Tue, 5 Aug 1997 13:50:33 -0700 (PDT) Received: from rameses.radium.ncsc.mil by mycroft.GreatCircle.COM (8.8.5/SMI-4.1/Brent-970426) id EAA18215; Tue, 5 Aug 1997 04:59:21 -0700 (PDT) Received: from rameses.radium.ncsc.mil (root@localhost) by rameses.radium.ncsc.mil (8.7.5/8.7.3) with ESMTP id IAA16014 for ; Tue, 5 Aug 1997 08:03:54 -0400 (EDT) Received: from zonker. (zonker.radium.ncsc.mil [144.51.136.9]) by rameses.radium.ncsc.mil (8.7.5/8.7.3) with SMTP id IAA16010 for ; Tue, 5 Aug 1997 08:03:53 -0400 (EDT) Received: from fosters.radium.ncsc.mil by zonker. (SMI-8.6/SMI-SVR4) id IAA16263; Tue, 5 Aug 1997 08:02:41 -0400 Message-ID: <33E71677.7C2B@radium.ncsc.mil> Date: Tue, 05 Aug 1997 08:03:03 -0400 From: Patrick Belliotti Reply-To: pbelliot@radium.ncsc.mil X-Mailer: Mozilla 3.0 (Win95; U) MIME-Version: 1.0 To: firewalls@GreatCircle.COM Subject: Re: Web Oriented Mail Clients Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Dick Wall wrote: > From: Dick_Wall@stratus.com @ smtp > Subject: Web Oriented Mail Clients > I'm getting approached by various groups in my company, that want to > use Web oriented email clients, to access our email servers. That is, > they want to use the clients from the Internet points, to access servers > on the trusted/internal side of our network. They'd like us therefore, > to allow http access through the firewall. We don't allow that now, and > I don't plan to allow it in the future. > > Is there a secure means for providing such email access? 
>
> Dick

Someone else pointed out you could forward their mail to some external mailbox, say at their ISP. I never liked that idea as internal mail that would never need to hit the Inet that might contain proprietary/sensitive information then actually does hit the Inet and becomes vulnerable.

Also, I know Gauntlet's Internet Firewall allows an authenticated version of their http-gw web proxy (called ahttp-gw). But it only uses simple user/password authentication and that (and the mail/web traffic they retrieve from your trusted side) traverses the wire in the clear. It's a little better than just letting the whole world in, though.

There is a way to VERY securely retrieve mail (or do any other TCP, like send mail via the private mailhub, telnet, intra-net www, ftp, etc.), or do web based mail for that matter, through an encryption/authentication server at your perimeter (a dual-homed gateway, usually, either in parallel to your firewall or on the same box). V-ONE makes one such product, called SmartGate. (http://www.v-one.com) I've worked with that one quite a bit, as I used to work at V-ONE. I'm not familiar with any others or even if there are others--there weren't really any competing products last I knew, though.

Essentially the user has a private key which the SG server shares. They use that key to authenticate to one another and then generate a session key to encrypt the actual TCP session (retrieving the mail) using 56 bit DES encryption. The key can actually be stored on a smartcard, which makes the system that much more secure--the other option is keeping the key on the hard drive or a floppy, which makes it more vulnerable to people duplicating it without the user's knowledge.

The SG server can be BSD/OS, Solaris, Sun/OS, HP/UX, and I think they have an NT version (which because it's NT I wouldn't trust to hold my door open, let alone my network closed :).
The client side of the SG (they call that side of it SmartPass, now) is only Windows based right now.

--
Patrick Belliotti
Content of this is all my idea, and not necessarily accurate or factual.

From owner-firewalls-outgoing Tue Aug 5 16:54:11 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id OAA26282 for firewalls-outgoing; Tue, 5 Aug 1997 14:39:04 -0700 (PDT)
Received: from mycroft.GreatCircle.COM (mycroft.greatcircle.com [198.102.244.35]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id NAA14454 for ; Tue, 5 Aug 1997 13:27:14 -0700 (PDT)
From: mikech@avana.net
Received: from iproute.com by mycroft.GreatCircle.COM (8.8.5/SMI-4.1/Brent-970426) id IAA21402; Tue, 5 Aug 1997 08:34:12 -0700 (PDT)
Received: from att (att.iproute.com [192.168.0.4]) by iproute.com (8.8.4/8.8.4) with SMTP id LAA20257; Tue, 5 Aug 1997 11:37:53 -0400
Date: Tue, 5 Aug 1997 10:53:10 -0500
Subject: Re: Web Oriented Mail Clients
To: Dick_Wall@stratus.com, firewalls@GreatCircle.COM
X-Mailer: Z-Mail Pro 6.1 (Win32 - 021297) Evaluation Copy, NetManage Inc.
X-Priority: 3 (Normal)
References:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; CHARSET=ISO-8859-1
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

------------------------
From: Dick_Wall@stratus.com
Subject: Web Oriented Mail Clients
Date: Sat, 2 Aug 97 15:25:21 -0400
To: firewalls@GreatCircle.COM

> Hello all ..
>
> I apologize if I'm asking a question that has been recently discussed
> .. I've been off the list for a while and have missed recent dialogues.
>
> The question is ...
>
> I'm getting approached by various groups in my company, that want to
> use Web oriented email clients, to access our email servers. That is,
> they want to use the clients from the Internet points, to access servers
> on the trusted/internal side of our network. They'd like us therefore,
> to allow http access through the firewall.
We don't allow that now, and
> I don't plan to allow it in the future.
>
> Is there a secure means for providing such email access?
>
> Dick
>
>

---------------End of Original Message-----------------

My company has a product available that may solve your needs. It is a Perl-CGI application that runs under your web server. It allows you to read your messages from multiple POP mail accounts and work with them from one web client application. When you log in the first time you enter your pop mail addresses and passwords to access them on a setup screen.

joebob@popmail.com password
billybob@2nd.popmail.com 2ndpassword
...

You can perform most of the e-mail functions available from an app like Eudora such as reply, reply all, forward, spell check, attach mime and uuencoded attachments, download or view incoming attachments, store messages in folders, filter and forward, etc.

It can be run under an SSL enabled web server to encrypt the traffic over the net. You can also use any other authentication methods (OPIE, Secure Token) that will work between your web server and clients. You still have to open a hole in your Firewall (unless you just want to allow POP and SMTP in/out and put your Web Mail Server on your DMZ or the outside).

It doesn't use frames or Java, just tables. It can be run under just about any web client out there. It does store copies of the mail on the web server while you work with them or if you move them to folders. It is nice because you can still work with mail from other access methods because you only work with *copies* of the mail. A message is only deleted on the server once you delete it from the web mail interface.

One thing you want to make sure of is that your clients use the log-off button so that someone can't use the "back" button to read their mail. If they are on a public web browser they need to clear the cache as well.

We also sell a companion Web-NNTP gateway that allows users to read/post, attach, view in-line images, etc.
from a web browser. This allows people to access Usenet-style News discussion groups from any web client. It can also be used on a SSL enabled server to secure and encrypt each session.

I hope this helps,

Mike

-- 10:53:11 08/05/97
_______________________________________________________________________
Michael W. Chalkley          Tel: +1.770.772.4567
ZapNet! Inc.                 Fax: +1.770.475.7640
Suite 400-120                E-mail: mikech@iproute.com
10945 State Bridge Road              mikech@avana.net
Alpharetta, GA 30202         http://www.iproute.com

From owner-firewalls-outgoing Tue Aug 5 17:25:26 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id RAA20078 for firewalls-outgoing; Tue, 5 Aug 1997 17:09:34 -0700 (PDT)
Received: from Mailbox.mcs.com (Mailbox.mcs.com [192.160.127.87]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id RAA20057 for ; Tue, 5 Aug 1997 17:09:21 -0700 (PDT)
Received: from jbahel.pr.mcs.net (jbahel.pr.mcs.net [204.137.244.37]) by Mailbox.mcs.com (8.8.5/8.8.2) with SMTP id TAA09594; Tue, 5 Aug 1997 19:09:58 -0500 (CDT)
Received: by jbahel.pr.mcs.net with Microsoft Mail id <01BCA1D2.9151EA00@jbahel.pr.mcs.net>; Tue, 5 Aug 1997 19:05:41 -0500
Message-ID: <01BCA1D2.9151EA00@jbahel.pr.mcs.net>
From: Jay Bahel
To: "'DarkSead (Nick)'" , "'Stackpole, Bill'"
Cc: "'firewalls@greatcircle.com'"
Subject: RE: Routers and filtering
Date: Tue, 5 Aug 1997 18:17:32 -0500
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Seems to me that Cisco is offering a large portion of firewalling capability within their routers, including anti-spoofing capability. What functionality do you miss in a Cisco Router (with packet filtering) versus an industry standard firewall (i.e. CheckPoint or Eagle)?
-Jay

----------
From: Stackpole, Bill
Sent: Monday, August 04, 1997 2:21 PM
To: 'DarkSead (Nick)'
Cc: 'firewalls@greatcircle.com'
Subject: RE: Routers and filtering

Depending on the version of software the 4700 is running. You can filter on source and destination address source and destination service ports, ICMP messages, as well as packet type (tcp,udp,icmp,egp,etc). Cisco's can also do NAT. I recommend getting Cisco's paper on IP security. It has good examples and configuration recommendation. It's available from www.cisco.com. It's not a proxy server but (in my opinion) it can get you 80-90% of the protection you need.

"Simplify - There is no value in complexity, it's too difficult to manage."

Bill Stackpole, CISSP
Seitel Leeds & Associates    Voice: 206.283.4355
2 Nickerson St. Suite 201    Email: bstackpole@sla.com
Seattle, Wa 98109

> -----Original Message-----
> From: DarkSead (Nick) [SMTP:darksead@3sheep.com]
> Sent: Monday, August 04, 1997 6:50 AM
> To: firewalls@greatcircle.com
> Subject: Routers and filtering
>
> I am looking for just a wee bit of information on providing some
> network
> security at the routers (or so I'm advised.) Currently, I have a Cisco
> 4700m which I would like to have do some packet filtering for our
> network.
> Basically, my questions are: A) What type of security/policy can or
> should
> be instated at a router. and B) does the 4700 have the capabilities to
> provide any form of security/filtering?
>
> Also, the current Firewall admin at the company I work for, has
> implemented
> a crude ipfwadm firewall built into a linux box to route incoming
> packets
> to certain subnets as a form of security...Can the 4700 do this as
> well?
> wa

From owner-firewalls-outgoing Tue Aug 5 19:10:54 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id RAA23331 for firewalls-outgoing; Tue, 5 Aug 1997 17:43:21 -0700 (PDT)
Received: from i-2000.com (i-2000.com [204.97.92.2]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id RAA23264 for ; Tue, 5 Aug 1997 17:43:07 -0700 (PDT)
From: edpaudit@i-2000.com
Received: from [206.231.224.246] (edpaudit.dh.i-2000.com [206.231.224.246]) by i-2000.com (8.8.5/8.7) with SMTP id UAA06652 for ; Tue, 5 Aug 1997 20:43:52 -0400 (EDT)
Date: Tue, 5 Aug 1997 20:43:52 -0400 (EDT)
Message-Id: <199708060043.UAA06652@i-2000.com>
MIME-Version: 1.0
Content-Type: text/plain
Content-Transfer-Encoding: 7bit
Subject: firewall budget & price
To: firewalls-digest@GreatCircle.COM
X-Mailer: SPRY Mail Version: 04.10.06.22
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

My security administrator and I (I am the EDP auditor) are trying to figure out how much to budget for a very good firewall for next year. Does anyone have any Guesstimates on how much one should budget for the better packages. Any comments would be helpful.
Jeffrey Loewenstein
edpaudit@i-2000.com

From owner-firewalls-outgoing Tue Aug 5 19:17:23 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id RAA22892 for firewalls-outgoing; Tue, 5 Aug 1997 17:40:33 -0700 (PDT)
Received: from ritig1.rit.reuters.com (ritig1.rit.reuters.com [199.171.195.11]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id RAA22885 for ; Tue, 5 Aug 1997 17:40:24 -0700 (PDT)
Received: from ritig6.rit.reuters.com by ritig1.rit.reuters.com; (5.65v3.2/1.1.8.2/14Sep94-0947PM) id AA27181; Tue, 5 Aug 1997 20:40:17 -0400
Received: from RITIG4.rit.reuters.com (132.10.10.44) by ritig6.rit.reuters.com (Integralis SMTPRS 1.51) with SMTP id ; Tue, 05 Aug 1997 17:19:41 -0400
Received: from mr.rit.reuters.com by RITIG4.RIT.REUTERS.COM (PMDF V5.1-8 #7805) id <01IM3728AZ1S0012YE@RITIG4.RIT.REUTERS.COM> for firewalls@greatcircle.com; Tue, 5 Aug 1997 17:21:07 EDT
Received: with PMDF-MR; Tue, 05 Aug 1997 20:48:01 +0000 (GMT)
Mr-Received: by mta RIT1; Relayed; Tue, 05 Aug 1997 20:48:01 +0000
Mr-Received: by mta RITIG4; Relayed; Tue, 05 Aug 1997 22:20:08 +0000
Alternate-Recipient: prohibited
Date: Tue, 05 Aug 1997 19:43:49 +0000 (GMT)
From: "Jeffrey Auerbach [516] 233-6668"
Subject: FW-1 3.0a on SunOS 4.1.4
To: firewalls@greatcircle.com
Message-Id:
Mime-Version: 1.0
Posting-Date: Tue, 05 Aug 1997 19:44:01 +0000 (GMT)
Importance: normal
Sensitivity: Company-Confidential
Ua-Content-Id: E22IYR3DPGG
X400-Mts-Identifier: [;10840250807991/2745401@RIT]
A1-Type: MAIL
Hop-Count: 2
Content-Type: TEXT/PLAIN; CHARSET=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Has anyone had a problem using an installed 3.0a eval license on a SunOS 4.1.4 based system? The license installs, but the firewall still doesn't start. Some of the errors report that there are protocol errors. The licenses that we have for Solaris 2.5.1 work fine.
------------------------------------------------------------------------
Any views expressed in this message are those of the individual sender, except where the sender specifically states them to be the views of Reuters Ltd.

From owner-firewalls-outgoing Tue Aug 5 19:36:02 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id SAA26900 for firewalls-outgoing; Tue, 5 Aug 1997 18:00:41 -0700 (PDT)
Received: from darkstar.sysinfo.com (darkstar.sysinfo.com [204.246.65.62]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id SAA26878 for ; Tue, 5 Aug 1997 18:00:30 -0700 (PDT)
Received: from parka.winternet.com (dufresne@parka.winternet.com [198.174.169.9]) by darkstar.sysinfo.com (8.8.2/8.8.2) with SMTP id UAA08195; Tue, 5 Aug 1997 20:01:12 -0500
Date: Tue, 5 Aug 1997 20:00:54 -0500 (CDT)
From: Ron DuFresne
To: Remco van de Meent
cc: Nick Simicich , Greg Walker , firewalls@GreatCircle.COM
Subject: Re: Mail bombing made legal...
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Actually, the spam I received, and posted the bits and pieces here to the list for some debate and to inform, was not broadcast from my sendmail at all, but broadcast from another server to mine. Wish I had saved it and could display the headers for folks. Then again, I'm sure that someone else out here may well have gotten a copy of the same spam announcing this mail bombing tool for the masses...if so, please, post the headers for others to review.

My best to one and all,

Ron DuFresne

On Tue, 5 Aug 1997, Remco van de Meent wrote:

> On Mon, 4 Aug 1997, Nick Simicich wrote:
>
> : Yes, it is true. You need to change your SMTP server to stop relaying.
> : You may need to get a new version of sendmail.
>
> Looking at the mail Greg posted, he's using a Netscape Mailserver. Which
> doesn't support anti-relaying.
:((
>
> If anyone knows a solution to stop the abuse of Netscape Mailservers as a
> relay for spamming, please let me know. I already heard a 'solution' like:
> take another machine, and use Exim on that one. But 'take another machine'
> is out of the question at the moment :(
>
> Remco
>
> :
> : On Mon, 4 Aug 1997, Greg Walker wrote:
> :
> : > Date: Mon, 04 Aug 1997 08:02:13 -0500
> : > From: Greg Walker
> : > To: firewalls@GreatCircle.COM
> : > Subject: Re: Mail bombing made legal...
> : >
> : > Ron DuFresne wrote:
> : >
> : > > SPECIAL CLOAKING DEVICE: Email Blaster can successfully hide the
> : > > origin of
> : > > all email being sent out. Email Blaster can mask itself to look like
> : > > it
> : > > came from the recipients own host. This will help stop users from
> : > > flaming
> : > > your email box!
> : > >
> : >
> : > Is this for real? I have been getting hundreds of error messages from
> : > our mail server at night with the following content:
> : >
> : > Your message was not delivered because the destination computer
> : > was
> : > not found. Carefully check that it was spelled correctly and try
> : >
> : > sending it again if there were any mistakes.
> : >
> : > Host spamco.com not found
> : >
> : > The following recipients did not receive this message:
> : >
> : >
> : >
> : > The original mail envelope addresses are:
> : >
> : > User-From: SMTP<>
> : > Recipient: []
> : >
> : >
> : > Anybody have any ideas?
> : >
> : > Thanks,
> : >
> : > Greg Walker
> : > TAP Publishing Company
> : >
> :
> : Of course my password is the same as my pet's name.
> : My macaw's name was Q47pY!3, but I change it every 90 days.
> : Nick Simicich mailto:njs@scifi.squawk.com or (last choice) mailto:njs@us.ibm.com
> : http://scifi.squawk.com/njs.html -- Stop by and Light Up The World!
> :
>
> --
> // Remco van de Meent
> // email: remco@oloon.student.utwente.nl
> // www: http://oloon.student.utwente.nl
> // " Never make any mistaeks.
 > ~~~~~">
"
>
>

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
"Cutting the space budget really restores my faith in humanity. It eliminates dreams, goals, and ideals and lets us get straight to the business of hate, debauchery, and self-annihilation." -- Johnny Hart
***testing, only testing, and damn good at it too!***
OK, so you're a Ph.D. Just don't touch anything.

From owner-firewalls-outgoing Tue Aug 5 20:20:11 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id SAA29704 for firewalls-outgoing; Tue, 5 Aug 1997 18:29:04 -0700 (PDT)
Received: from sla_nt2.sla.com (mail1.sla.com [207.153.168.35]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id SAA29696 for ; Tue, 5 Aug 1997 18:28:56 -0700 (PDT)
Received: by sla_nt2.sla.com with Internet Mail Service (5.0.1457.3) id ; Tue, 5 Aug 1997 18:30:03 -0700
Message-ID:
From: "Stackpole, Bill"
To: "'Jay Bahel'"
Cc: "'firewalls@greatcircle.com'"
Subject: RE: Routers and filtering
Date: Tue, 5 Aug 1997 18:30:02 -0700
X-Priority: 3
MIME-Version: 1.0
X-Mailer: Internet Mail Service (5.0.1457.3)
Content-Type: text/plain
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Firewalls produce a better audit trail and alarms when they detect attacks. They can guard against flooding attacks like SYNs, fragmented packet attacks. (Cisco will do logging of filter actions if you have a box running syslogd.)

Filters operate at the network layer whereas Firewall application proxies can operate all the way up to the application layer so they can filter based on the data contained in the packet. For example an FTP application proxy can block GET commands on an FTP control connection. A router filter can only block FTP control connections.

It is nearly impossible to construct a secure filter for some applications because they don't use consistent ports. A good example are programs that use PORTMAPPER.
The bottom line is, routers can be configured to be very effective (in my opinion) at denying access to internal systems. Without access it is difficult if not impossible for someone to disclose, alter or destroy your data. That's 80 to 90% protection to me. What they will not guard against is denial of service attacks, and virus or mail bombs. Firewalls can give you some protection against denial of service and some have virus/bomb scanners built in. But mostly what you get with a firewall is great logging, a good user configuration interface, better filter granularity and special functions like VPN, IPSEC tunnels, etc.

It's all a matter of what you are trying to protect. We use Novell on IPX on our internal system. Our only IP systems are NT Exchange for mail, and NT IIS for web services. Nothing on the NT boxes is critical so packet filtering seems to be adequate for us. To protect against viruses we run anti-virus software on all our workstations.

"Simplify - There is no value in complexity, it's too difficult to manage."

Bill Stackpole, CISSP
Seitel Leeds & Associates    Voice: 206.283.4355
2 Nickerson St. Suite 201    Email: bstackpole@sla.com
Seattle, Wa 98109

> -----Original Message-----
> From: Jay Bahel [SMTP:jbahel@mcs.net]
> Sent: Tuesday, August 05, 1997 4:18 PM
> To: 'DarkSead (Nick)'; 'Stackpole, Bill'
> Cc: 'firewalls@greatcircle.com'
> Subject: RE: Routers and filtering
>
> Seems to me that Cisco is offering a large portion of firewalling
> capability within their routers, including anti-spoofing capability.
> What functionality do you miss in a Cisco Router (with packet
> filtering) versus an industry standard firewall (i.e. CheckPoint or
> Eagle)?
>
> -Jay
>
>

From owner-firewalls-outgoing Wed Aug 6 02:19:44 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id AAA02114 for firewalls-outgoing; Wed, 6 Aug 1997 00:12:33 -0700 (PDT)
Received: from t-rex.minn.net (T-Rex.Minn.Net [204.157.201.3]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id AAA01976 for ; Wed, 6 Aug 1997 00:12:07 -0700 (PDT)
Received: from WMeyer-A24.DecisionOne.com ([192.204.141.71] (may be forged)) by t-rex.minn.net (8.8.6/8.6.9) with ESMTP id CAA12002 for ; Wed, 6 Aug 1997 02:13:01 -0500
Message-ID: <33E824FC.D621DE5F@minn.net>
Date: Wed, 06 Aug 1997 02:17:16 -0500
From: Matt Stohr
X-Mailer: Mozilla 4.01 [en] (Win95; I)
MIME-Version: 1.0
To: "firewalls-digest@GreatCircle.COM"
Subject: Re: Are firewalls for anyone on internet?
X-Priority: 3 (Normal)
References: <01BCA1CE.0E94D0E0@dpm1-3.wf.net>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

There is a product I just saw on the Internet and tested out which is available for Windows 95 called Armor from a company called EMD. Their website is at http://www.emdent.com. Their software offers a startup password option, as well as limited (although satisfactory for the average user) IP filtering and even allows desktop users to specify services offered over their winsock. (eg NNTP, FTP, etc.) It also allows for parental control and file locking. It seemed like a halfway decent product (at least for the residential user with nothing extremely sensitive on their computer). I hope this helps.
- Matt Stohr

From owner-firewalls-outgoing Wed Aug 6 02:20:19 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id XAA24569 for firewalls-outgoing; Tue, 5 Aug 1997 23:40:49 -0700 (PDT)
Received: from garanti1.garanti.com.tr (garanti1.garanti.com [194.54.51.100]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id XAA24508 for ; Tue, 5 Aug 1997 23:40:35 -0700 (PDT)
Received: from Mailhub by garanti1.garanti.com.tr id AA06742; Wed, 6 Aug 1997 09:42:17 +0400
Received: from GarantiUser by GarantiMailServer id AA14168; Wed, 6 Aug 1997 09:42:17 +0400
Received: from [10.0.4.106] by manage1.fw.garanti.com.tr (AIX 4.1/UCB 5.64/4.03) id AA06900; Thu, 7 Aug 1997 09:26:56 +0400
Message-Id: <33E8A8AD.6737@garanti.com.tr>
Date: Wed, 06 Aug 1997 09:39:09 -0700
From: Cihan Subasi
Reply-To: csubasi@garanti.com.tr
Organization: Garanti Ticaret
X-Mailer: Mozilla 3.0Gold (Win16; I)
Mime-Version: 1.0
To: Firewalls
Subject: Risks of enable RIP...
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

What are the risks of using RIP on the firewalls?
Thanks,

--
****************************************************************************
Cihan Subasi, Garanti Ticaret AS,Istanbul Turkey
email:csubasi@garanti.com.tr tel: +902126570404 fax: +902126570473
****************************************************************************

From owner-firewalls-outgoing Wed Aug 6 02:33:10 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id XAA26382 for firewalls-outgoing; Tue, 5 Aug 1997 23:52:55 -0700 (PDT)
Received: from mail.ptw.com (mail.ptw.com [207.212.176.7]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id XAA26340 for ; Tue, 5 Aug 1997 23:52:43 -0700 (PDT)
Received: from geek.ptw.com (root@geek.ptw.com [207.212.186.129]) by mail.ptw.com (8.8.5-q-beta3/8.6.9) with ESMTP id XAA04150; Tue, 5 Aug 1997 23:33:54 -0700
Received: from localhost (bextreme@localhost [127.0.0.1]) by geek.ptw.com (8.8.6/8.6.10) with SMTP id XAA02973; Tue, 5 Aug 1997 23:53:47 -0700
Date: Tue, 5 Aug 1997 23:53:47 -0700 (PDT)
From: Jesse Brown
To: John Cross
cc: Firewalls@GreatCircle.COM
Subject: Re: Website to Fake email as a service
In-Reply-To: <5743F218BEC0D011825C0060B01AC1F60AFDB8@challenger.grtk.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

An easy way of doing it (if their ISP's DNS is configured correctly) is to do a reverse lookup on the ip (on a unix system you can simply type host ). Again using unix, you can then see who their ISP is by looking at the second name to the left (for instance, if you got back ak-4-23.ptw.com from host, then ptw.com is their ISP). You would then type whois to get the contact information and location for their ISP. You could use DIG but it is more complex.. I have duplicated these steps below... (on my linux workstation)

1. Do a Reverse Lookup (a random ip#)
> host 207.212.176.4
I get:
Name: vader.ptw.com
Address: 207.212.176.4
Aliases:

2. See who owns that domain.
> whois ptw.com
I get:
[rs.internic.net]
Lancaster Internet (PTW-DOM)
   43619 17th St W. ste 201
   Lancaster, CA 93534

   Domain Name: PTW.COM

   Administrative Contact, Technical Contact, Zone Contact:
      Peugeot, Mark (MP187) mark@PTW.COM
      805-723-2700

   Record last updated on 21-Jan-97.
   Record created on 20-Jan-95.
   Database last updated on 5-Aug-97 04:30:09 EDT.

   Domain servers in listed order:

   GRIEF.PTW.COM 207.212.176.3
   VADER.PTW.COM 207.212.176.4

As you can see from the above, just about any questions you could have can be answered by Mark Peugeot (hopefully).

Hope this helped!

-J

On Tue, 5 Aug 1997, John Cross wrote:

> What will they think of next. Yes, www.aprilfools.com will allow you to
> generate a fake email from anyone and send it to someone else as a
> "joke". It has a preconfigured form for its standard 'smut surfer'
> alerts and so forth, but it is totally editable, so you can send
> anything you want. My CFO received a message from the head of HR
> warning him about his Internet surfing habits. Needless to say, the
> wording and so forth was not well received.
>
> Well, for list content, how can I track who initiated the mail message?
> I tracked the headers back to the mail server of the www.aprilfools.com
> site, and contacted the administrator there. He was actually helpful
> and gave me the IP address of the browser that initiated the mail form.
> Anyone know how I can take that IP address and trace it back to a source
> domain? I can ping the address, but I don't know how to do a reverse
> lookup on IP to get a domain name so I can contact that administrator to
> track the address further. (Someone mentioned DIG, but I have no idea
> what that is)
>
> Also, anyone have suggestions for protecting my uneducated users from
> further spoofed mail?
>
>
> Thanks,
> John
>

From owner-firewalls-outgoing Wed Aug 6 02:36:51 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id XAA26095 for firewalls-outgoing; Tue, 5 Aug 1997 23:51:10 -0700 (PDT)
Received: from relay.kacst.edu.sa ([198.77.88.3]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id XAA24270 for ; Tue, 5 Aug 1997 23:39:35 -0700 (PDT)
Received: from ns1.kfupm.edu.sa ([198.77.102.26]) by relay.kacst.edu.sa (8.7.5/8.7.3) with ESMTP id JAA27563 for ; Wed, 6 Aug 1997 09:37:53 -0300 (GMT)
Received: from dpc107.dpc.kfupm.edu.sa (dpc107.dpc.kfupm.edu.sa [196.15.32.8]) by ns1.kfupm.edu.sa (8.7.5/8.7.3) with ESMTP id JAA02920 for ; Wed, 6 Aug 1997 09:39:00 +0300
Received: (from s929803@localhost) by dpc107.dpc.kfupm.edu.sa (8.7.5/8.7.3) id JAA55166; Wed, 6 Aug 1997 09:36:00 +0300
Date: Wed, 6 Aug 1997 09:36:00 +0300 (SAUST)
From: AL-SARHAN
To: firewalls@GreatCircle.com
cc: AL-SARHAN
Subject: DETAILS
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

>
> ---------- Forwarded message ----------
> Date: Mon, 04 Aug 1997 19:20:14
> From: mjm@europemail.com
> To: Firewalls
> Subject: Goodnews To-day
>
> Business, finance, family and sex
> are the four main areas of interest to the public at large.
> If you are interested in information on a new Multi-Level product
> as means of generating income for yourself,
> return an E-mail with the word
>
> DETAILS
>
> on the Subject line.
>
>
> ======================================
>
> One single piece of good news brightens the darkest day.
> Proverb
> ======================================
>
>
>
>

From owner-firewalls-outgoing Wed Aug 6 03:05:42 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id AAA10129 for firewalls-outgoing; Wed, 6 Aug 1997 00:45:37 -0700 (PDT)
Received: from iva.laus.hr ([194.152.247.34]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id AAA09828 for ; Wed, 6 Aug 1997 00:44:42 -0700 (PDT)
Received: from laus.dbk.laus.hr (laus.dbk.laus.hr [194.152.247.130]) by iva.laus.hr (8.8.5/8.8.4) with ESMTP id JAA05899 for ; Wed, 6 Aug 1997 09:46:33 +0200
Received: from sioux (sioux.dbk.laus.hr [194.152.247.137]) by laus.dbk.laus.hr (8.8.5/8.8.4) with SMTP id JAA19297 for ; Wed, 6 Aug 1997 09:42:21 +0200
Message-Id: <3.0.2.32.19970806094614.00ee98f0@laus.dbk.laus.hr>
X-Sender: mario@laus.dbk.laus.hr
X-Mailer: QUALCOMM Windows Eudora Light Version 3.0.2 (32)
Date: Wed, 06 Aug 1997 09:46:14 +0300
To: firewalls@greatcircle.com
From: Mario Misic
Subject: ICQ and fwtk-2.0beta
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hi !

Is it possible to use ICQ over fwtk-2.0beta. I tried to use plug-gw:

/etc/services
icq 3333/udp ICQ

/etc/inetd.conf
icq stream udp nowait root /usr/sbin/plug-gw plug-gw 3333

netperm-table
plug-gw: port 3333 194.152.247.* -plug-to 208.202.84.41 -port 4000

But this doesn't work !!??? Can anyone help me ??
Thanks

Mario Misic

From owner-firewalls-outgoing Wed Aug 6 03:44:58 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id AAA08965 for firewalls-outgoing; Wed, 6 Aug 1997 00:41:14 -0700 (PDT)
Received: from sla_nt2.sla.com (mail1.sla.com [207.153.168.35]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id AAA08858 for ; Wed, 6 Aug 1997 00:40:49 -0700 (PDT)
Received: by sla_nt2.sla.com with Internet Mail Service (5.0.1457.3) id ; Wed, 6 Aug 1997 00:42:08 -0700
Message-ID:
From: "Stackpole, Bill"
To: "'firewalls@greatcircle.com'"
Date: Wed, 6 Aug 1997 00:42:05 -0700
X-Priority: 3
MIME-Version: 1.0
X-Mailer: Internet Mail Service (5.0.1457.3)
Content-Type: text/plain
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

You can use an authentication server like TACACS+ to verify a user ID and password and return an access list that's assigned to that port (at least I can do this on a Cisco access server). You may be able to do something similar on other systems using TACACS or RADIUS.

"Simplify - There is no value in complexity, it's too difficult to manage."

Bill Stackpole, CISSP
Seitel Leeds & Associates    Voice: 206.283.4355
2 Nickerson St. Suite 201    Email: bstackpole@sla.com
Seattle, Wa 98109

-----Original Message-----
From: Bret Watson [SMTP:Bret.Watson@bwa.net]
Sent: Tuesday, August 05, 1997 7:39 AM
To: firewalls@GreatCircle.COM
Subject: Best Practice? - internet + multiple RAS

We have a client with a remote access problem.

Basically they have a large number of semi-permanent ISDN lines as part of their WAN as well as a number of modems for the more remote points. Added to that is the requirement for their IT people to have access from home and for the computer supplier to have access ( mainly dial out) for maintenance.

Yes there's more! There are also plans for the marketing dept to have access remotely from clients premises and for clients to have access for account management.
The core protocol on the LAN is TCP/IP. The IT people need complete access to the network, whilst most of the rest will only need access to the main CPU. The protocol used by the WAN offices is telnet.

My question.... what is the best practice for this?

Yours,

Bret

Bret Watson & Associates, Computer Security Consultants
Bret.Watson@bwa.net http://www.bwa.net/
Phone: +61 41 4411 149 (local time UTC +8)
Fax: +61 8 9454 6042

"Simplify - There is no value in complexity, it's too difficult to manage."

Bill Stackpole, CISSP
Seitel Leeds & Associates    Voice: 206.283.4355
2 Nickerson St. Suite 201    Email: bstackpole@sla.com
Seattle, Wa 98109

From owner-firewalls-outgoing Wed Aug 6 04:22:08 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id BAA23592 for firewalls-outgoing; Wed, 6 Aug 1997 01:50:05 -0700 (PDT)
Received: from fw4.tns.co.za (fw4.tns.co.za [196.4.160.32]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id BAA16566 for ; Wed, 6 Aug 1997 01:22:14 -0700 (PDT)
Received: by fw4.tns.co.za; id KAA24105; Wed, 6 Aug 1997 10:22:36 +0200 (SAT)
Message-Id: <199708060822.KAA24105@fw4.tns.co.za>
Received: from unknown(89.0.5.63) by fw4.tns.co.za via smap (V3.1.1) id xma024102; Wed, 6 Aug 97 10:22:29 +0200
Reply-To:
From: "Billy Verreynne"
To:
Subject: Re: NT SMTP/BIND risks - int
Date: Wed, 6 Aug 1997 10:20:36 +0200
X-MSMail-Priority: Normal
X-Priority: 3
X-Mailer: Microsoft Internet Mail 4.70.1155
MIME-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> Micheal wrote:
> Anyway - any comments, white papers, or NT security sites would be a great
> help.
www.ntsecurity.com From owner-firewalls-outgoing Wed Aug 6 06:00:34 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id AAA11895 for firewalls-outgoing; Wed, 6 Aug 1997 00:59:01 -0700 (PDT) Received: from fw4.tns.co.za (fw4.tns.co.za [196.4.160.32]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id AAA11874 for ; Wed, 6 Aug 1997 00:58:51 -0700 (PDT) Received: by fw4.tns.co.za; id JAA22692; Wed, 6 Aug 1997 09:59:36 +0200 (SAT) Message-Id: <199708060759.JAA22692@fw4.tns.co.za> Received: from unknown(89.0.5.63) by fw4.tns.co.za via smap (V3.1.1) id xma022681; Wed, 6 Aug 97 09:59:26 +0200 Reply-To: From: "Billy Verreynne" To: Subject: Re: Mail bombing made legal... Date: Wed, 6 Aug 1997 09:57:32 +0200 X-MSMail-Priority: Normal X-Priority: 3 X-Mailer: Microsoft Internet Mail 4.70.1155 MIME-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Jim wrote: > > Yes, you can 'try' to trace these clowns with the headers, but more often > than not it gets you nowhere. I have seen too many where the originating > host is on a subnet that is firewalled, the host does not run an smtp daemon, > or the host 'conveniently' claims all responses are to user unknown. And with > so many picking arbitrary hosts as mailer relays, and then disappearing, > where do you go? I have also seen too many using fictitious domain names, > as well as using the private address spaces to further compound the problems. I've not yet ran into any of those. Maybe I'm just lucky? :-) But surely you can lodge a complaint at the administrator of the domain that is firewalled (if it's not a temporary spam domain)? You must also remember that the spammers most of the time supply a contact for the willing user to buy whatever they're spamming. If tracing received headers fails, that contact can also be used to trace the spammer. 
How about using the contact number/address/whateever to determine who owns the spam and phoning that person at 2:00 in the morning (ehh.. because of the different time zones as we do not want to do anything illegal) complaining about the spamming? :-) Even better, why not simply publish a list on the net of home phone numbers of owners/directors/presidents of spam companies... (think I've seen some kind of spam phone list before somewhere on the net). regards, Billy From owner-firewalls-outgoing Wed Aug 6 06:23:51 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id BAA18469 for firewalls-outgoing; Wed, 6 Aug 1997 01:29:35 -0700 (PDT) Received: from mycroft.GreatCircle.COM (mycroft.greatcircle.com [198.102.244.35]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id BAA18282 for ; Wed, 6 Aug 1997 01:28:35 -0700 (PDT) Received: from ns.vaterlaus.ch by mycroft.GreatCircle.COM (8.8.5/SMI-4.1/Brent-970426) id BAA03249; Wed, 6 Aug 1997 01:24:38 -0700 (PDT) Received: from host1.vaterlaus.ch ( [194.235.45.17] ) by ns.vaterlaus.ch (Hethmon Brothers Smtpd) ; Wed, 6 Aug 1997 09:28:21 CET-1CDT Message-Id: <199707060928.2154337.7@ns.vaterlaus.ch> Received: from host2.vaterlaus.ch by ns.vaterlaus.ch (Hethmon Brothers Pop3d) ; Wed, 6 Aug 1997 09:28:17 CET-1CDT From: "Peter Vaterlaus EDV-Systemberatung" To: "Firewalls@GreatCircle.COM" Cc: "Bret.Watson@bwa.net" Date: Wed, 06 Aug 97 10:23:56 +0100 Reply-To: "Peter Vaterlaus EDV-Systemberatung" X-Mailer: Peter Vaterlaus's Registered PMMail 1.52 For OS/2 MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Subject: Re: Best Practice? - internet + multiple RAS Sender: firewalls-owner@GreatCircle.COM Precedence: bulk On Tue, 5 Aug 1997 16:52:52 -0700 (PDT), Firewalls-Digest wrote: >From: Bret Watson >Subject: Best Practice? - internet + multiple RAS > >We have a client with a remote access problem. 
Basically they have a large >number of semi-permanent ISDN lines as part of their WAN as well as a >number of modems for the more remote points. >Added to that is the requirement for their IT people to have access from >home and for the computer supplier to have access (mainly dial out) for >maintenance. >Yes there's more! >There are also plans for the marketing dept to have access remotely from >clients' premises and for clients to have access for account management. >The core protocol on the LAN is TCP/IP. > >The IT people need complete access to the network, whilst most of the rest >will only need access to the main CPU. The protocol used by the WAN offices >is telnet. > > >My question.... what is the best practice for this? > Hi Bret IMO the requirements (or the actual situation) sound very common for larger enterprises. I suppose that there is a security policy established, that requests for a little bit more security than they seem to actually have reached. In order to get it under control try to approach these goals: 1) ISDN WAN connections secured (at least callback) 2) No Modems on any LAN Station. Use Dial Out Servers instead if not avoidable. So you can at least get a log of connections. 3) Remote LAN Access using strong authentication for a very limited number of persons (your own support people) via RAS under control of security management. Best solution would be to reduce to one single point of access 4) Regular remote access via firewall and RAS in the DMZ using strong authentication on the firewall for any access that is not generally open to the internet. 5) If you need automatic program-to-program connections or a very convenient way to connect from remote without losing strong authentication, you should evaluate VPN techniques (probably smart card based). Most of your users should feel comfortable with point 4 above.
In my experience the most critical point is to make people security aware enough to be willing to discuss the use of more secure solutions. regards Peter Vaterlaus //------------------------------------------------------------ // Consulting and Security for Networks and Internet // Peter Vaterlaus edv@vaterlaus.ch http://www.vaterlaus.ch/edv // EDV-Systemberatung tel ++41 32 621 84 21 // Klosterplatz 6, Postfach fax ++41 32 621 84 25 // CH-4502 Solothurn // Switzerland //------------------------------------------------------------ From owner-firewalls-outgoing Wed Aug 6 06:41:09 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id CAA03220 for firewalls-outgoing; Wed, 6 Aug 1997 02:37:33 -0700 (PDT) Received: from europa.lif.icnet.uk (europa.lif.icnet.uk [143.65.100.4]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id CAA03171 for ; Wed, 6 Aug 1997 02:37:17 -0700 (PDT) Received: from skippy.lif.icnet.uk by europa.lif.icnet.uk with SMTP(5.65v3.0/6.2); Wed, 6 Aug 1997 10:38:03 +0100 X-Sender: wright@icrf.icnet.uk Message-Id: In-Reply-To: <5743F218BEC0D011825C0060B01AC1F60AFDB8@challenger.grtk.com> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Date: Wed, 6 Aug 1997 10:38:00 +0100 To: Firewalls@GreatCircle.COM From: Mike Wright Subject: Re: Website to Fake email as a service Sender: firewalls-owner@GreatCircle.COM Precedence: bulk At 10:24 pm +0100 5/8/97, John Cross wrote: >Also, anyone have suggestions for protecting my uneducated users from >further spoofed mail? PGP Digital signatures maybe? Fact is, it is quite trivial to forge the "From:" address in an email message and it always has been. Perhaps you could warn your users that forging email messages is just as serious as forging a written memo to someone or forging their signature on a letter and will be dealt with accordingly. Other than that there is bugger all you can do. Mike Wright, Support Engineer, Imperial Cancer Research Fund. 
http://www.icnet.uk/ From owner-firewalls-outgoing Wed Aug 6 07:07:29 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id EAA01668 for firewalls-outgoing; Wed, 6 Aug 1997 04:41:23 -0700 (PDT) Received: from hq15.pcmail.ingr.com (hq15.pcmail.ingr.com [129.135.251.243]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id EAA01520 for ; Wed, 6 Aug 1997 04:40:54 -0700 (PDT) Received: by HQ15 with Internet Mail Service (5.0.1458.49) id ; Wed, 6 Aug 1997 06:41:48 -0500 Message-ID: From: "Jarmon, Don R" To: Firewalls@GreatCircle.COM Subject: RE: PPTP & FW-1 Date: Wed, 6 Aug 1997 06:41:47 -0500 X-Priority: 3 X-Mailer: Internet Mail Service (5.0.1458.49) Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Microsoft's PPTP uses Port 1723/tcp as the control port and Protocol ID 47 / GRE > ---------- > From: snorthc@nswc.navy.mil[SMTP:snorthc@nswc.navy.mil] > Sent: Tuesday, August 05, 1997 6:49 AM > To: Firewalls@GreatCircle.COM > Subject: Re: PPTP & FW-1 > > >I'm attempting to setup a FW-1 filter to support PPTP. > >I'm using FW-1 3.0a on Solaris. > > > >PPTP is not defined, how do I seutp a fitler just for PPTP not all > IP? > > > >Thanks In Advance > >Bert Carroll > > Hmmm, we did this in class last week, its not as GUI as one > might think! 
Try: > > Define service pptp > TCP 5678 "control" > > Define service, other, match IP_P = 47 > > Define service, other > match IP_P = 47, ([20:2, b]) & 0xEF7F = 0x2001, [22:2, b] = 0x800 > > Maybe that will get you close :) > From owner-firewalls-outgoing Wed Aug 6 08:17:15 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id EAA24532 for firewalls-outgoing; Wed, 6 Aug 1997 04:11:53 -0700 (PDT) Received: from mail.citechco.net (mail.citechco.net [203.127.137.3]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id EAA24439 for ; Wed, 6 Aug 1997 04:11:30 -0700 (PDT) Received: from jewel.citechco.net (jewel.citechco.net [203.127.137.7]) by mail.citechco.net (8.7.5/8.7.3) with ESMTP id RAA18221 for ; Wed, 6 Aug 1997 17:12:57 +0600 (GMT+0600) Message-Id: <199708061112.RAA18221@mail.citechco.net> From: "Azhar H. Chowdhury" To: Subject: CISCO Configuration!! Date: Wed, 6 Aug 1997 17:19:05 +0600 X-MSMail-Priority: Normal X-Priority: 3 X-Mailer: Microsoft Internet Mail 4.70.1155 MIME-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Hello all... How can I solve following problem using CISCO Routers and IOS 11.0 , can anyone help me. 1) I have three Class-C. 204.1.1.x , 205.1.1.x and 205.1.1.x and Four Routers. I already divided into multiple block by using following commands ip route 205.1.1.11 255.255.255.255 205.1.1.10 ip route 205.1.1.12 255.255.255.255 205.1.1.10 My Default Gateway is 204.1.1.1. If any one comes by using Dial-up then can get IP only by dial to modem attached with DEFAULT GATEWAY. How can I give similar facility to other Routers. 
Thanking in advance, Azhar Chowdhury From owner-firewalls-outgoing Wed Aug 6 08:36:57 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id EAA02135 for firewalls-outgoing; Wed, 6 Aug 1997 04:43:15 -0700 (PDT) Received: from brussels.cisco.com (brussels.cisco.com [171.68.129.238]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id EAA02080 for ; Wed, 6 Aug 1997 04:42:59 -0700 (PDT) Received: from cons-evyncke.cisco.com (brussels-dynamic95.cisco.com [171.68.129.105]) by brussels.cisco.com (8.8.5/8.8.5) with SMTP id NAA29732; Wed, 6 Aug 1997 13:39:39 +0200 (METDST) Message-Id: <3.0.32.19970806133957.006a8f38@brussels.cisco.com> X-Sender: evyncke@brussels.cisco.com X-Mailer: Windows Eudora Pro Version 3.0 (32) Date: Wed, 06 Aug 1997 13:40:01 +0000 To: csubasi@garanti.com.tr, Firewalls From: Eric Vyncke Subject: Re: Risks of enable RIP... Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: firewalls-owner@GreatCircle.COM Precedence: bulk At 09:39 6/08/97 -0700, Cihan Subasi wrote: >What are the risks of using RIP on the firewalls? Dynamic routing of a firewall is usually considered as dangerous because a malicious person could send faked routing information in the bastion host/firewall which will accordingly modify its routing table. This could lead to: - denial of services (i.e. redirecting all routes to the intranet towards a non existing router) ==> blackholing some traffic - easier IP address spoofing (malicious guy could change its IP address to an intranet IP address without using source routing) - ... DoS attack is really easy to do with RIP enabled... BTW dynamic routing information can be authenticated by a keyed MD5 signature for OSPF, EIGRP and RIPv2.
Hope this helps, -eric > > Thanks, >-- > >**************************************************************************** >Cihan Subasi, >Garanti Ticaret AS,Istanbul Turkey >email:csubasi@garanti.com.tr tel: +902126570404 fax: +902126570473 >**************************************************************************** > Eric Vyncke Technical Consultant Cisco Systems Belgium SA/NV Phone: +32-2-778.4677 Fax: +32-2-778.4300 E-mail: evyncke@cisco.com Mobile: +32-75-312.458 From owner-firewalls-outgoing Wed Aug 6 08:52:17 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id GAA23413 for firewalls-outgoing; Wed, 6 Aug 1997 06:28:14 -0700 (PDT) Received: from Noah.rtscomp.com (rtscomp.com [206.233.216.222]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id GAA23377 for ; Wed, 6 Aug 1997 06:28:03 -0700 (PDT) Received: from localhost (prc@localhost) by Noah.rtscomp.com (8.8.5/8.8.5) with SMTP id FAA24523; Wed, 6 Aug 1997 05:29:43 -0700 Date: Wed, 6 Aug 1997 05:29:43 -0700 (PDT) From: Richard Pouncy To: Mike Wright cc: firewalls@GreatCircle.COM Subject: Re: Mail bombing made legal... In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk On Tue, 5 Aug 1997, Mike Wright wrote: > So rather than send the spam themselves, they relay it through another > (innocent) service provider's machine and make that machine do all the hard > work for them clogging up their mail queues. > > This basically amounts to theft of services - CPU time and bandwidth. > > Mike Wright, > Network Support, Phone 0171 269 3618. Yes, and it fact, many SPAMMERS are using dialup accounts setting their SMTP gateways to point somewhere else. So, you have to look at where the message originated from to find the domain and send the complaint to the admin@domain. Also, many are using hacked AOL accounts to send this type of SPAM. I agree, that this is a new age crime! 
=-=-=-=-=-=-=-=-=-=-= http://www.prc.com/eag =-=-=-=-=-=-=-=-=-=-=-=-=-= Richard Pouncy | Litton PRC Inc. prc@rtscomp.com | 222 N. Sepulveda Blvd. Suite 1310 310-252-8044 | El Segundo, CA 900245-4353 =-=-=-= Firewalls =-= Web Server Security =-= Penetration Testing =-=-= From owner-firewalls-outgoing Wed Aug 6 09:07:21 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id EAA03575 for firewalls-outgoing; Wed, 6 Aug 1997 04:51:03 -0700 (PDT) Received: from mycroft.GreatCircle.COM (mycroft.greatcircle.com [198.102.244.35]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id DAA12534 for ; Wed, 6 Aug 1997 03:21:25 -0700 (PDT) Received: from ns.vaterlaus.ch by mycroft.GreatCircle.COM (8.8.5/SMI-4.1/Brent-970426) id BAA03713; Wed, 6 Aug 1997 01:34:31 -0700 (PDT) Received: from host1.vaterlaus.ch ( [194.235.45.17] ) by ns.vaterlaus.ch (Hethmon Brothers Smtpd) ; Wed, 6 Aug 1997 09:37:17 CET-1CDT Message-Id: <199707060937.1748425.7@ns.vaterlaus.ch> Received: from host2.vaterlaus.ch by ns.vaterlaus.ch (Hethmon Brothers Pop3d) ; Wed, 6 Aug 1997 09:37:15 CET-1CDT From: "Peter Vaterlaus EDV-Systemberatung" To: "Firewalls@GreatCircle.COM" Date: Wed, 06 Aug 97 10:32:54 +0100 Reply-To: "Peter Vaterlaus EDV-Systemberatung" X-Mailer: Peter Vaterlaus's Registered PMMail 1.52 For OS/2 MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Subject: Re: Firewalls-Digest V6 #372 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk On Tue, 5 Aug 1997 16:52:52 -0700 (PDT), Firewalls-Digest wrote: >From: mcwilkin >Subject: NT SMTP/BIND risks - int > >Hi all- > >We recently had a request from one of our divisions to allow SMTP and BIND >traffic to an NT box sitting on our internal network. Despite possible weaknesses of NT, I would never allow to pass that kind of data from the internet to a internal host without relaying it on a gateway controlled by security management. 
I am not quite sure about what you mean with BIND. If it's DNS, then what are the reasons to access an internal server? Assuming that you already have a working firewalled environment. regards Peter Vaterlaus //------------------------------------------------------------ // Consulting and Security for Networks and Internet // Peter Vaterlaus edv@vaterlaus.ch http://www.vaterlaus.ch/edv // EDV-Systemberatung tel ++41 32 621 84 21 // Klosterplatz 6, Postfach fax ++41 32 621 84 25 // CH-4502 Solothurn // Switzerland //------------------------------------------------------------ From owner-firewalls-outgoing Wed Aug 6 09:09:40 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id EAA04177 for firewalls-outgoing; Wed, 6 Aug 1997 04:53:48 -0700 (PDT) Received: from mycroft.GreatCircle.COM (mycroft.greatcircle.com [198.102.244.35]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id EAA04077 for ; Wed, 6 Aug 1997 04:53:26 -0700 (PDT) Received: from mail.istar.ca by mycroft.GreatCircle.COM (8.8.5/SMI-4.1/Brent-970426) id EAA08413; Wed, 6 Aug 1997 04:49:36 -0700 (PDT) Received: from technics [204.191.146.133] by mail.istar.ca with smtp (Exim 1.651 #9) id 0ww4h6-0005lb-00; Wed, 6 Aug 1997 07:56:01 -0400 Message-ID: <33E864C4.57EA@istar.ca> Date: Wed, 06 Aug 1997 07:49:24 -0400 From: Alan Goldberg Reply-To: agoldber@istar.ca X-Mailer: Mozilla 3.0Gold (Win95; U) MIME-Version: 1.0 To: Alan CC: firewalls@GreatCircle.COM Subject: Re: Web Oriented Mail Clients References: Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Alan wrote: > > On Sat, 2 Aug 1997 Dick_Wall@stratus.com wrote: > > > The question is ... > > > > I'm getting approached by various groups in my company, that want to > > use Web oriented email clients, to access our email servers.
That is, > > they want to use the clients from the Internet points, to access servers > > on the trusted/internal side of our network. They'd like us therefore, > > to allow http access through the firewall. We don't allow that now, and > > I don't plan to allow it in the future. > > > > Is there a secure means for providing such email access? > > Yes. > > Tell them to spend the $20/month and get an off-site e-mail account at a > local ISP. Then forward their mail to that account. > > (Sounds like yet another product that management had been told they "gotta > have". Making e-mail web based sounds like a perfect way to make it even > less usable and more inflexable. Sounds like a perfect fit for most of > the management I have known...) > > alan@ctrl-alt-del.com | Note to AOL users: for a quick shortcut to reply > Alan Olsen | to my mail, just hit the ctrl, alt and del keys. Are you all telling me that there is no way to simply route in and outbound mail to other mail / SMTP servers through a firewall without compromising internal mail security? I really appreciate a response to this one. Thanks. -- Alan M. 
Goldberg HJ Heinz Company of Canada Ltd./Intuit Bus Serv & Tech Bradford, ON CA http://home.istar.ca/~agoldber - email:agoldber@istar.ca From owner-firewalls-outgoing Wed Aug 6 09:16:07 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id FAA11201 for firewalls-outgoing; Wed, 6 Aug 1997 05:20:07 -0700 (PDT) Received: from mail.rc.on.ca (mail.rc.on.ca [207.176.151.2]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id FAA11110 for ; Wed, 6 Aug 1997 05:19:47 -0700 (PDT) Received: by mail.rc.on.ca with Internet Mail Service (5.0.1458.49) id ; Wed, 6 Aug 1997 08:10:25 -0400 Message-ID: From: Russ To: "Firewalls@GreatCircle.COM" , "'snorthc@nswc.navy.mil'" Subject: RE: PPTP & FW-1 Date: Wed, 6 Aug 1997 08:10:21 -0400 X-Priority: 3 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.0.1458.49) Content-Type: text/plain Sender: firewalls-owner@GreatCircle.COM Precedence: bulk PPTP's control connection uses TCP/UDP 1723. TCP/UDP 5678 was indicated in the initial draft proposal for the PPTP protocol, but NT 4.0 was released using the IANA assigned port number 1723. GRE, IP Protocol 47 (not a TCP or UDP port) is used for the data tunnel. Obviously if you implement a rule on FW-1 (or any Firewall) specifying TCP/UDP 5678 for the control channel, you're not going to be able to get any NT or Win95-based PPTP machines to work since they will try to set up their control channel over TCP1723. Some Front-End Processors (FEPs) may actually make the PPTP control connection themselves, and then relay the PPP traffic through the tunnel they've established. In this case, your rules need to be based on the IP address of the FEP, not the IP address assigned to the client by the ISP. If you are doing PPTP over a client network adapter, then your rules are based on the client's original IP address. 
IP addresses assigned by the PPTP server need to be from a subnet other than one existing on your PPTP server networks, otherwise your clients will end up with their PPTP network gateway being seen as an address on their physical network adapter, rather than an addressed reached through their virtual network adapter created by the PPTP tunnel. Finally, remember that GRE is *not* encryption, merely encapsulation. No valuable security is gained by encapsulation, so enable PPP encryption on the Dial-up connection on the client to obtain any security. Cheers, Russ R.C. Consulting, Inc. - NT/Internet Security owner of the NTBugTraq Mailing List - http://ntbugtraq.rc.on.ca/ From owner-firewalls-outgoing Wed Aug 6 09:17:24 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id FAA11680 for firewalls-outgoing; Wed, 6 Aug 1997 05:22:10 -0700 (PDT) Received: from mycroft.GreatCircle.COM (mycroft.greatcircle.com [198.102.244.35]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id FAA11426 for ; Wed, 6 Aug 1997 05:20:52 -0700 (PDT) From: JOHNSON@neu.edu Received: from NUHUB.DAC.NEU.EDU by mycroft.GreatCircle.COM (8.8.5/SMI-4.1/Brent-970426) id EAA08074; Wed, 6 Aug 1997 04:27:32 -0700 (PDT) Received: from neu.edu by neu.edu (PMDF V5.1-7 #23409) id <01IM40I93MDW8WW28T@neu.edu> for firewalls@GreatCircle.com; Wed, 6 Aug 1997 07:29:54 EST Date: Wed, 06 Aug 1997 07:29:54 -0500 (EST) Subject: Re: Mail bombing made legal... To: firewalls@GreatCircle.COM Message-id: <01IM40I93W1I8WW28T@neu.edu> X-VMS-To: IN%"firewalls@GreatCircle.com" X-VMS-Cc: JOHNSON MIME-version: 1.0 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk >At 7:48 pm +0100 4/8/97, Richard Pouncy wrote: > >>Yes, I have been fighting this type of shit for sometime now. What they >>are doing is bounding the mail off sites like earthlink or at&t >>to delivery the mail to your system. 
> >So rather than send the spam themselves, they relay it through another >(innocent) service provider's machine and make that machine do all the hard >work for them clogging up their mail queues. > >This basically amounts to theft of services - CPU time and bandwidth. > >Mike Wright, >Network Support, Phone 0171 269 3618. No doubt about it. It is theft of services. I talked with our university lawyer yesterday after I caught some spammer relaying 2248 messages through one of my systems clogging up the queue and causing a delay which amounts to a denial of service. I was told by our lawyer that we can go after them to the fullest extent of both state and federal law for theft of services. And I fully intend to have a few words with the idiots in question as well as their ISP. I'll let them get away with it once but if it happens again ............ Chris J. NU ============================================================================ Chris Johnson Internet: johnson@nuhub.dac.neu.edu Assistant Director, Systems BITNET: defunct Division of Academic Computing Voice: 617.373.3300 Northeastern University, 39RI FAX: 617.373.8600 360 Huntington Ave. 50% of all doctors graduated Boston, MA. U.S.A.
02115 in the lower half of the class ============================================================================ From owner-firewalls-outgoing Wed Aug 6 09:18:36 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id FAA12851 for firewalls-outgoing; Wed, 6 Aug 1997 05:26:00 -0700 (PDT) Received: from mycroft.GreatCircle.COM (mycroft.greatcircle.com [198.102.244.35]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id FAA12790; Wed, 6 Aug 1997 05:25:38 -0700 (PDT) Received: from brussels.cisco.com by mycroft.GreatCircle.COM (8.8.5/SMI-4.1/Brent-970426) id EAA08169; Wed, 6 Aug 1997 04:29:31 -0700 (PDT) Received: from cons-evyncke.cisco.com (brussels-dynamic95.cisco.com [171.68.129.105]) by brussels.cisco.com (8.8.5/8.8.5) with SMTP id NAA29330; Wed, 6 Aug 1997 13:29:44 +0200 (METDST) Message-Id: <3.0.32.19970806133004.006ffe64@brussels.cisco.com> X-Sender: evyncke@brussels.cisco.com X-Mailer: Windows Eudora Pro Version 3.0 (32) Date: Wed, 06 Aug 1997 13:30:07 +0000 To: Dick_Wall@stratus.com, firewalls-owner@GreatCircle.COM From: Eric Vyncke Subject: Re: PPTP & FW-1 Cc: bc17684@90.deere.com, Beall_Linda/na2@na2.stratus.com, Eckler_Richard/na2@na2.stratus.com, Firewalls@GreatCircle.COM, fw-1-mailinglist@us.checkpoint.com Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: firewalls-owner@GreatCircle.COM Precedence: bulk At 13:57 5/08/97 -0400, Dick_Wall@stratus.com wrote: >> PPTP is using: >> - a modified GRE tunnel which lays directly on the top >> of IP with protocol (I do not have right now the number of the >> protocol but check in /etc/protocols for the right number) >> - a TCP control session to port 5678 (on the PPTP 'server') which >> is by the way a funny number ;-) > >Is it really 5678 ?? I was told that the port was really 1723. And >that if I wanted to prevent my users from establishing PPTP sessions .. >block outbound (towards the Internet) requests to TCP port 1723. 
Did I >get some bad info ? Dick, It seems that I was wrong and you were right. I was relying on the PPTP draft which specified the 5678 port. It seems that NT help files (dixit Russ Cooper) is actually using 1723. >> Also beware that PPTP is probably useful for you but do not >> trust too much its security... To further comment on my previous personal comment; PPTP is not unsecure per se but rather the implementation of it by Microsoft: - authentication is done by NT logon, i.e., re-usable password and one time password are not easily integrated (if possible at all!) in NT logon - authorization, as far as I know, you cannot restrict the PPTP tunnel to start from some IP addresses only, - authorization, you cannot as well prevent the remote user of the PPTP tunnel to access any IP addresses/services on your internal network - confidentiality is implemented, AFAIK, by PPP encryption which is not available for Unix machine and is/was limited to 40-bit key outside of USA The first three points are 'weak' in respect to standard telephone dial-in: - authentication with dial-in access servers can be easily integrated with stronger authentication like one time token - authorization can prevent the dial-in user (based on its userid) to access some parts of the internal networks. To stress the first line of my previous message, this is my personal opinion only ! (notice the possible bias from my employeer). 
-eric Eric Vyncke Technical Consultant Cisco Systems Belgium SA/NV Phone: +32-2-778.4677 Fax: +32-2-778.4300 E-mail: evyncke@cisco.com Mobile: +32-75-312.458 From owner-firewalls-outgoing Wed Aug 6 09:29:01 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id GAA24984 for firewalls-outgoing; Wed, 6 Aug 1997 06:43:02 -0700 (PDT) Received: from iproute.com (att.avana.net [205.245.133.35]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id GAA24968 for ; Wed, 6 Aug 1997 06:42:53 -0700 (PDT) From: mikech@avana.net Received: from att (att.iproute.com [192.168.0.4]) by iproute.com (8.8.4/8.8.4) with SMTP id KAA02396 for ; Wed, 6 Aug 1997 10:37:24 -0400 Date: Wed, 6 Aug 1997 09:37:16 -0500 Subject: Re: Web Oriented Mail Clients To: firewalls@GreatCircle.COM X-Mailer: Z-Mail Pro 6.1 (Win32 - 021297) Evaluation Copy, NetManage Inc. X-Priority: 3 (Normal) References: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; CHARSET=ISO-8859-1 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk I apologize in advance if anyone gets this twice, but it didn't appear to go through the first time. ------------------------ From: Dick_Wall@stratus.com Subject: Web Oriented Mail Clients Date: Sat, 2 Aug 97 15:25:21 -0400 To: firewalls@GreatCircle.COM > Hello all .. > > I appologize if I'm asking a question that has been recently discussed > .. I've been off the list for a while and have missed recent dialogues. > > The question is ... > > I'm getting approached by various groups in my company, that want to > use Web oriented email clients, to access our email servers. That is, > they want to use the clients from the Internet points, to access servers > on the trusted/internal side of our network. They'd like us therefore, > to allow http access through the firewall. We don't allow that now, and > I don't plan to allow it in the future. > > Is there a secure means for providing such email access? 
> > Dick > > ---------------End of Original Message----------------- My company has a product available that may solve your needs. It is a Perl-CGI application that runs under your web server. It allows you to read your messages from multiple POP mail accounts and work with them from one web client application. When you log in the first time you enter your pop mail addresses and passwords to access them on a setup screen. joebob@popmail.com password billybob@2nd.popmail.com 2ndpassword ... You can perform most of the e-mail functions available from an app like Eudora such as reply, reply all, forward, spell check, attach mime and uuencoded attachments, download or view incoming attachments, store messages in folders, filter and forward, etc. It can be run under an SSL enabled web server to encrypt the traffic over the net. You can also use any other authentication methods (OPIE, Secure Token) that will work between your web server and clients. You still have to open a hole in your Firewall (unless you just want to allow POP and SMTP in/out and put your Web Mail Server on your DMZ or the outside). It doesn't use frames or Java, just tables. It can be run under just about any web client out there. It does store copies of the mail on the web server while you work with them or if you move them to folders. It is nice because you can still work with mail from other access methods because you only work with *copies* of the mail. A message is only deleted on the server once you delete it from the web mail interface. One thing you want to make sure of is that your clients use the log-off button so that someone can't use the "back" button to read their mail. If they are on a public web browser they need to clear the cache as well. We also sell a companion Web-NNTP gateway that allows users to read/post, attach, view in-line images, etc. from a web browser. This allows people to access Usenet-style News discussion groups from any web client. 
It can also be used on a SSL enabled server to secure and encrypt each session. I would recommend adding an additional level of security on top of the usual "login/password" web server mechanism. I hope this helps, Mike -- 09:37:17 08/06/97 _______________________________________________________________________ Michael W. Chalkley Tel: +1.770.772.4567 ZapNet! Inc. Fax: +1.770.475.7640 Suite 400-120 E-mail: mikech@iproute.com 10945 State Bridge Road mikech@avana.net Alpharetta, GA 30202 http://www.iproute.com From owner-firewalls-outgoing Wed Aug 6 10:00:01 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id FAA16022 for firewalls-outgoing; Wed, 6 Aug 1997 05:49:31 -0700 (PDT) Received: from scifi.squawk.com (scifi.squawk.com [199.74.151.1]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id FAA15995 for ; Wed, 6 Aug 1997 05:49:23 -0700 (PDT) Received: from localhost (njs@localhost) by scifi.squawk.com (8.8.5/8.8.5) with SMTP id IAA05604; Wed, 6 Aug 1997 08:49:55 -0400 Date: Wed, 6 Aug 1997 08:49:55 -0400 (EDT) From: Nick Simicich X-Sender: njs@scifi To: Nick Keenan cc: vslabs@onwe.co.za, firewalls@GreatCircle.COM Subject: Re: Mail bombing made legal... In-Reply-To: <3.0.1.32.19970805095834.009a87b8@peter> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk On Tue, 5 Aug 1997, Nick Keenan wrote: > >You can trace the any e-mail back to the > >original SMTP server using the headers. Fake headers are usually easy to > >spot. > > I think you're being a little Unix-centric. What if I have a Windows NT > machine, and I load up NTmail (a SMTP server for NT), and I get an IP > address from my favorite ISP -- perhaps aol.com, perhaps some small local > operation -- and I start blasting out spam. How's anyone going to be able > to trace that? Typically, the mailer you use talks to another mailer or the end system. 
Those transitions are recorded in the header. At the very least, it should record the actual IP address or name of the system by doing a getpeername and a reverse lookup. (Old implementations used to record only the asserted (HELO) name of the system). That IP address, combined with a time, should allow the ISP to figure out who you are. Of course my password is the same as my pet's name. My macaw's name was Q47pY!3, but I change it every 90 days. Nick Simicich mailto:njs@scifi.squawk.com or (last choice) mailto:njs@us.ibm.com http://scifi.squawk.com/njs.html -- Stop by and Light Up The World! From owner-firewalls-outgoing Wed Aug 6 14:15:45 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id HAA01357 for firewalls-outgoing; Wed, 6 Aug 1997 07:20:32 -0700 (PDT) Received: from smtpgw.national-city.com (smtpgw.national-city.com [206.175.71.66]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id GAA26141 for ; Wed, 6 Aug 1997 06:50:12 -0700 (PDT) Received: by smtpgw.national-city.com; id JAA27487; Wed, 6 Aug 1997 09:51:00 -0400 (EDT) Received: from national-city-eic.ntl-city.com(161.150.128.77) by smtpgw.national-city.com via smap (3.2) id xma027450; Wed, 6 Aug 97 09:50:33 -0400 Received: from ccmgate.national-city.com ([161.150.128.86]) by national-city-eic.ntl-city.com (post.office MTA v2.0 0813 ID# 0-0U10) with SMTP id AAA192; Wed, 6 Aug 1997 09:52:36 -0400 Received: from cc:Mail by ccmgate.national-city.com id AA870875462; Wed, 06 Aug 97 09:49:25 EST Date: Wed, 06 Aug 97 09:49:25 EST From: "dennis f dumont" Message-Id: <9707068708.AA870875462@ccmgate.national-city.com> To: Firewalls@GreatCircle.COM, John Cross Subject: Re: Website to Fake email as a service Sender: firewalls-owner@GreatCircle.COM Precedence: bulk To do a reverse lookup you can use the same facility as you use to do a name lookup, with the following caveat: You need to reverse the order of the numbers, and add "in-addr.arpa" to the end. 
Example 204.70.128.20 becomes 20.128.70.204.in-addr.arpa

If you are using nslookup or one of its clones, be sure to set the record
type to "ANY", that way you'll get anything the DNS database may have to
say.

Unfortunately this is not foolproof. Not everyone uses the PTR records
when they set up DNS.

Dennis Dumont
Alltel Info Services

From owner-firewalls-outgoing Wed Aug 6 16:41:03 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id HAA29939 for firewalls-outgoing; Wed, 6 Aug 1997 07:11:47 -0700 (PDT)
Received: from relay6.UU.NET (relay6.UU.NET [192.48.96.16]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id HAA29907 for ; Wed, 6 Aug 1997 07:11:29 -0700 (PDT)
Received: from alterdial.UU.NET by relay6.UU.NET with ESMTP (peer crosschecked as: alterdial.UU.NET [192.48.96.22]) id QQdbky26106; Wed, 6 Aug 1997 10:12:13 -0400 (EDT)
Received: from Travis.MindQ by alterdial.UU.NET with SMTP (peer crosschecked as: [207.78.128.14]) id QQdbky02035; Wed, 6 Aug 1997 10:12:03 -0400 (EDT)
Message-Id: <3.0.32.19970806091402.00bbb3d4@alterdial.uu.net>
X-Sender: mail22402@alterdial.uu.net
X-Mailer: Windows Eudora Pro Version 3.0 (32)
Date: Wed, 06 Aug 1997 09:14:03 -0400
To: ,
From: Travis Low
Subject: Re: Mail bombing made legal...
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Also sprach Billy Verreynne
>Even better, why not simply publish a list on the net of home phone numbers
>of owners/directors/presidents of spam companies... (think I've seen some
>kind of spam phone list before somewhere on the net).

There used to be a list of "rogue ISPs", but it was removed upon threat of
legal action. Here's some information for those wishing to explore
spamming issues.
Travis ---------------------------------------------------------------------------- -------------- Cyber Promotions Home Page http://www.cyberpromo.com/ Interestingly, he (Sanford Wallace) has jumped on the campaign to stop unauthorized third party relays, although they sell "mail-bomber" software that "cloaks" the sender's IP address. Not much difference from the recipient's point of view (although a heck of a lot from the ISP's point of view). Join the Fight Against Spam! http://www.cauce.org/ Fight Spam on the Internet! http://spam.abuse.net/spam/ U.S. Congress considers two spam fixes http://www.news.com/News/Item/0,4,10875,00.html?owv The Congressional Email Directory by WebslingerZ and Jeffrey Hoffman http://www.webslingerz.com/jhoffman/congress-email.html The absolute BEST site for contacting congress! Fully linked, searchable, to boot! Contacting the Congress (web, email, fax, voice contact info) http://www.visi.com/juan/congress/ To send snail mail to congress: Your Senator's Name United States Senate Washington, D.C. 20510 Your Representative's Name United States House of Representatives Washington, D.C. 20515 At 09:57 AM 8/6/97 +0200, Billy Verreynne wrote: >Jim wrote: >> >> Yes, you can 'try' to trace these clowns with the headers, but more often >> than not it gets you nowhere. I have seen too many where the originating >> host is on a subnet that is firewalled, the host does not run an smtp >daemon, >> or the host 'conveniently' claims all responses are to user unknown. And >with >> so many picking arbitrary hosts as mailer relays, and then disappearing, >> where do you go? I have also seen too many using fictitious domain >names, >> as well as using the private address spaces to further compound the >problems. > >I've not yet ran into any of those. Maybe I'm just lucky? :-) > >But surely you can lodge a complaint at the administrator of the domain >that is firewalled (if it's not a temporary spam domain)? 
You must also >remember that the spammers most of the time supply a contact for the >willing user to buy whatever they're spamming. If tracing received headers >fails, that contact can also be used to trace the spammer. > >How about using the contact number/address/whateever to determine who owns >the spam and phoning that person at 2:00 in the morning (ehh.. because of >the different time zones as we do not want to do anything illegal) >complaining about the spamming? :-) > >Even better, why not simply publish a list on the net of home phone numbers >of owners/directors/presidents of spam companies... (think I've seen some >kind of spam phone list before somewhere on the net). > >regards, >Billy > > > From owner-firewalls-outgoing Wed Aug 6 19:43:35 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id HAA29524 for firewalls-outgoing; Wed, 6 Aug 1997 07:07:08 -0700 (PDT) Received: from Noah.rtscomp.com (rtscomp.com [206.233.216.222]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id HAA29493 for ; Wed, 6 Aug 1997 07:06:54 -0700 (PDT) Received: from localhost (prc@localhost) by Noah.rtscomp.com (8.8.5/8.8.5) with SMTP id GAA24705; Wed, 6 Aug 1997 06:07:58 -0700 Date: Wed, 6 Aug 1997 06:07:58 -0700 (PDT) From: Richard Pouncy To: Nick Keenan cc: vslabs@onwe.co.za, firewalls@GreatCircle.COM Subject: Re: Mail bombing made legal... In-Reply-To: <3.0.1.32.19970805095834.009a87b8@peter> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk On Tue, 5 Aug 1997, Nick Keenan wrote: > >You can trace the any e-mail back to the > >original SMTP server using the headers. Fake headers are usually easy to > >spot. > > I think you're being a little Unix-centric. 
What if I have a Windows NT
> machine, and I load up NTmail (a SMTP server for NT), and I get an IP
> address from my favorite ISP -- perhaps aol.com, perhaps some small local
> operation -- and I start blasting out spam. How's anyone going to be able
> to trace that?
>

If I may add my comments here. This is the problem: a person really does
not need an SMTP server running on their machine; all they need is some
mailer with the SMTP gateway set to some innocent SMTP server on the net.
So, even if you are able to find out the IP address where this SPAM
originated from, you have to work with the Admin for the domain and he has
to look at his log files to determine who was logged in at that time. This
becomes even harder when the ISP is using a rotating IP addressing system.
So, it is becoming harder and harder to track down this new age criminal.

=-=-=-=-=-=-=-=-=-=-= http://www.prc.com/eag =-=-=-=-=-=-=-=-=-=-=-=-=-=
Richard Pouncy  | Litton PRC Inc.
prc@rtscomp.com | 222 N. Sepulveda Blvd. Suite 1310
310-252-8044    | El Segundo, CA 900245-4353
=-=-=-= Firewalls =-= Web Server Security =-= Penetration Testing =-=-=

From owner-firewalls-outgoing Wed Aug 6 19:43:39 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id JAA22597 for firewalls-outgoing; Wed, 6 Aug 1997 09:48:45 -0700 (PDT)
Received: from ns1.ameritek.net (ameritek.net [205.152.250.2]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id JAA22421 for ; Wed, 6 Aug 1997 09:48:12 -0700 (PDT)
From: schiffy@globalfrontiers.com
Received: from schiffy.globalfrontiers.com ([205.152.250.20]) by ns1.ameritek.net (Netscape Mail Server v2.02) with SMTP id AAA241; Wed, 6 Aug 1997 12:49:16 -0400
Message-Id: <3.0.1.32.19970806100334.0079e100@globalfrontiers.com>
X-Sender: schiffy@globalfrontiers.com
X-Mailer: Windows Eudora Light Version 3.0.1 (32)
Date: Wed, 06 Aug 1997 10:03:34 -0400
To: John Cross , Firewalls@Greatcircle.COM
Subject: Re: Website to Fake email as a service
In-Reply-To: <5743F218BEC0D011825C0060B01AC1F60AFDB8@challenger.grtk.com > Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: firewalls-owner@GreatCircle.COM Precedence: bulk I use a program called NetScan at eskimo.com >Anyone know how I can take that IP address and trace it back to a source >domain? I can ping the address, but I don't know how to do a reverse >lookup on IP to get a domain name so I can contact that administrator to >track the address further. (Someone mentioned DIG, but I have no idea >what that is) > >Also, anyone have suggestions for protecting my uneducated users from >further spoofed mail? > > >Thanks, >John > From owner-firewalls-outgoing Wed Aug 6 19:51:28 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id JAA21357 for firewalls-outgoing; Wed, 6 Aug 1997 09:42:22 -0700 (PDT) Received: from mycroft.GreatCircle.COM (mycroft.greatcircle.com [198.102.244.35]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id JAA21219 for ; Wed, 6 Aug 1997 09:41:45 -0700 (PDT) Received: from dragon.ender.com by mycroft.GreatCircle.COM (8.8.5/SMI-4.1/Brent-970426) id JAA10171; Wed, 6 Aug 1997 09:37:58 -0700 (PDT) Received: from localhost (matt@localhost) by dragon.ender.com (8.8.6/8.8.5) with SMTP id JAA24991; Wed, 6 Aug 1997 09:44:36 -0700 Date: Wed, 6 Aug 1997 09:44:36 -0700 (PDT) From: Matt Wallace To: Cihan Subasi cc: Firewalls Subject: Re: Risks of enable RIP... In-Reply-To: <33E8A8AD.6737@garanti.com.tr> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Receiving bad RIP information that changes your routing table could cause serious problems. If you run RIP, be certain that whatever firewall product you use will drop RIP packets that arrive on the external interface. -Matt On Wed, 6 Aug 1997, Cihan Subasi wrote: > What are the risks of using RIP on the firewalls? 
> > Thanks, > -- > > **************************************************************************** > Cihan Subasi, > Garanti Ticaret AS,Istanbul Turkey > email:csubasi@garanti.com.tr tel: +902126570404 fax: +902126570473 > **************************************************************************** > From owner-firewalls-outgoing Wed Aug 6 19:58:00 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id LAA06891 for firewalls-outgoing; Wed, 6 Aug 1997 11:02:33 -0700 (PDT) Received: from pcslink.com (dns.pcslink.com [206.43.160.2]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id LAA06861 for ; Wed, 6 Aug 1997 11:02:24 -0700 (PDT) Received: (from ryan@localhost) by pcslink.com (8.8.5/8.6.12) id LAA15924; Wed, 6 Aug 1997 11:02:54 -0700 (MST) From: Ryan Mooney Message-Id: <199708061802.LAA15924@pcslink.com> Subject: Re: Mail bombing made legal... To: M.Wright@icrf.icnet.uk (Mike Wright) Date: Wed, 6 Aug 1997 11:02:53 -0700 (MST) Cc: firewalls@GreatCircle.COM In-Reply-To: from "Mike Wright" at Aug 5, 97 10:43:03 am X-Mailer: ELM [version 2.4 PL24] Content-Type: text Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > >Yes, I have been fighting this type of shit for sometime now. What they > >are doing is bounding the mail off sites like earthlink or at&t > >to delivery the mail to your system. > > So rather than send the spam themselves, they relay it through another > (innocent) service provider's machine and make that machine do all the hard > work for them clogging up their mail queues. > > This basically amounts to theft of services - CPU time and bandwidth. Exactly. But try and get anyone to prosecute... We did a little foot work on one guy, they REALLY looked like mail fraud (they had some bogus scheme for getting credit card #'s and signatures). 
Neither the FBI (interstate theft of computer resources) nor the USPS
(return info via postal mail as all electronic info was totally bogus)
were in the least bit interested.

We ended up applying filtering rules so that mail either has to be to or
from an allowed domain. A real pita.

>-=-=-=-=-=-=-<>-=-=-=-=-=-<>-=-=-=-=-=-<>-=-=-=-=-=-<>-=-=-=-=-=-=-<
Ryan Mooney    Phone (602)265-9188
PCSLink        ryan@pcslink.com
Internet Services
Quidquid Latine Dictum Sit, Altum Videtur.
<-=-=-=-=-=-=-><-=-=-=-=-=-><-=-=-=-=-=-><-=-=-=-=-=-><-=-=-=-=-=-=->

From owner-firewalls-outgoing Wed Aug 6 19:51:22 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id JAA19551 for firewalls-outgoing; Wed, 6 Aug 1997 09:32:22 -0700 (PDT)
Received: from gotham.mcny.com (gotham.mcny.com [207.122.13.30]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id JAA19479 for ; Wed, 6 Aug 1997 09:32:04 -0700 (PDT)
Received: from localhost (mcnyweb@localhost) by gotham.mcny.com (8.8.5/8.7.2) with SMTP id MAA14971 for ; Wed, 6 Aug 1997 12:32:00 -0400 (EDT)
Date: Wed, 6 Aug 1997 12:32:00 -0400 (EDT)
From: Media Connection
To: firewalls@greatcircle.com
Subject: 3 Network cards in 1 firewall??
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Thanks to everyone who has helped me thus far. My RFP is coming along
nicely.

We have 3 networks. The first network is where all of our development and
business processes are housed. The second network is a "production
network" under tight control (limited shells, no homedirs, etc). The third
is a "free for all" where we provide homedirs, telnet, ftp, etc.

My questions are:

Can 1 firewall handle all 3 networks if it has 3 network cards?

If so, does this mean that all traffic will go into the firewall, get
verified against the rules within the firewall, and then get routed to the
appropriate NIC card?

Should we use separate class C's or subnet?
Will each network need a separate switch/hub, or can one switch/hub serve
all 3 networks?

Thanks for your help,
Lou Person
lperson@mcny.com

From owner-firewalls-outgoing Wed Aug 6 19:54:24 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id LAA07268 for firewalls-outgoing; Wed, 6 Aug 1997 11:05:18 -0700 (PDT)
Received: from pcslink.com (dns.pcslink.com [206.43.160.2]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id LAA07206 for ; Wed, 6 Aug 1997 11:05:00 -0700 (PDT)
Received: (from ryan@localhost) by pcslink.com (8.8.5/8.6.12) id LAA15967; Wed, 6 Aug 1997 11:05:13 -0700 (MST)
From: Ryan Mooney
Message-Id: <199708061805.LAA15967@pcslink.com>
Subject: Re: Mail bombing made legal...
To: nick@gsionline.com (Nick Keenan)
Date: Wed, 6 Aug 1997 11:05:12 -0700 (MST)
Cc: vslabs@onwe.co.za, firewalls@GreatCircle.COM
In-Reply-To: <3.0.1.32.19970805095834.009a87b8@peter> from "Nick Keenan" at Aug 5, 97 09:58:34 am
X-Mailer: ELM [version 2.4 PL24]
Content-Type: text
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

>
> >You can trace the any e-mail back to the
> >original SMTP server using the headers. Fake headers are usually easy to
> >spot.
>
> I think you're being a little Unix-centric. What if I have a Windows NT
> machine, and I load up NTmail (a SMTP server for NT), and I get an IP
> address from my favorite ISP -- perhaps aol.com, perhaps some small local
> operation -- and I start blasting out spam. How's anyone going to be able
> to trace that?

Fairly easily. I can at least trace it back to the fact that you were
logged in to aol, or some local operation.... At that point I'm relying on
the fact that they can trace who was on what port at what time (always a
good question). If they can't I'm SOL, if they can I would expect them to
LART you appropriately.
>-=-=-=-=-=-=-<>-=-=-=-=-=-<>-=-=-=-=-=-<>-=-=-=-=-=-<>-=-=-=-=-=-=-< Ryan Mooney Phone (602)265-9188 PCSLink ryan@pcslink.com Internet Services Quidquid Latine Dictum Sit, Altum Videtur. <-=-=-=-=-=-=-><-=-=-=-=-=-><-=-=-=-=-=-><-=-=-=-=-=-><-=-=-=-=-=-=-> From owner-firewalls-outgoing Wed Aug 6 21:25:21 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id MAA22086 for firewalls-outgoing; Wed, 6 Aug 1997 12:26:33 -0700 (PDT) Received: from iproute.com (att.avana.net [205.245.133.35]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id MAA21931 for ; Wed, 6 Aug 1997 12:25:57 -0700 (PDT) Received: from att (att.iproute.com [192.168.0.4]) by iproute.com (8.8.4/8.8.4) with SMTP id QAA03364; Wed, 6 Aug 1997 16:20:23 -0400 Date: Wed, 6 Aug 1997 15:22:31 -0500 From: "Michael W. Chalkley" Subject: Re: Web Oriented Mail Clients To: Dick_Wall@stratus.com, firewalls@GreatCircle.COM X-Mailer: Z-Mail Pro 6.1 (Win32 - 021297) Evaluation Copy, NetManage Inc. X-Priority: 3 (Normal) References: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; CHARSET=ISO-8859-1 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Whoops! I didn't know that our web site had *not* been updated with the Mail-Web News-Web client info. It should be available by Monday August 11, 1997. If anyone has any additional questions on these products feel free to e-mail me at mikech@avana.net or give me a call at any of the numbers below. Sorry for the inconvenience. Mike -- 15:22:32 08/06/97 _______________________________________________________________________ Michael W. Chalkley Tel: +1.770.772.4567 ZapNet! Inc. 
Fax: +1.770.475.7640
Suite 400-120             E-mail: mikech@iproute.com
10945 State Bridge Road           mikech@avana.net
Alpharetta, GA 30202      http://www.iproute.com

From owner-firewalls-outgoing Wed Aug 6 21:53:09 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id MAA22940 for firewalls-outgoing; Wed, 6 Aug 1997 12:30:15 -0700 (PDT)
Received: from newman (newman.unifiedtech.com [38.251.136.48]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id MAA22811 for ; Wed, 6 Aug 1997 12:29:43 -0700 (PDT)
Received: from unifiedtech.com by newman (SMI-8.6/SMI-SVR4) id PAA08125; Wed, 6 Aug 1997 15:27:29 -0400
Message-ID: <33E8D021.D9A15A69@unifiedtech.com>
Date: Wed, 06 Aug 1997 15:27:29 -0400
From: Mike Jones
Organization: Unified Technologies, Inc.
X-Mailer: Mozilla 4.02 [en] (X11; I; SunOS 5.5.1 sun4u)
MIME-Version: 1.0
To: Eric Vyncke
CC: csubasi@garanti.com.tr, Firewalls
Subject: Re: Risks of enable RIP...
References: <3.0.32.19970806133957.006a8f38@brussels.cisco.com>
Content-Type: multipart/mixed; boundary="------------DB261CAE9A2D83B023A855D9"
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

This is a multi-part message in MIME format.
--------------DB261CAE9A2D83B023A855D9
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit

Eric Vyncke wrote:
> At 09:39 6/08/97 -0700, Cihan Subasi wrote:
> >What are the risks of using RIP on the firewalls?
> Dynamic routing of a firewall is usually considered as dangerous
> because a malicious person could send faked routing information
> in the bastion host/firewall which will accordingly modify
> its routing table.
> This could lead to:
> - denial of services (i.e. redirecting all routes to the intranet
> towards a non existing router) ==> blackholing some traffic
> - easier IP address spoofing (malicious guy could change its IP
> address to an intranet IP address without using source routing)
> - ...
One important point: these are all real risks of having a firewall LISTEN to RIP. Having the firewall BROADCAST RIP doesn't have any of these risks, AFAIK, and it's a potentially very useful thing to do if you want to have redundant firewalls. --------------DB261CAE9A2D83B023A855D9 Content-Type: text/x-vcard; charset=us-ascii; name="vcard.vcf" Content-Transfer-Encoding: 7bit Content-Description: Card for Mike Jones Content-Disposition: attachment; filename="vcard.vcf" begin: vcard fn: Mike Jones n: Jones;Mike org: Unified Technologies adr: ;;105 Jordan Road;Troy;NY;12180;US email;internet: mike.jones@unifiedtech.com title: Sr. Technology Advisor tel;work: (518) 283-1003 tel;fax: (518) 283-1189 x-mozilla-cpt: ;0 x-mozilla-html: TRUE end: vcard --------------DB261CAE9A2D83B023A855D9-- From owner-firewalls-outgoing Wed Aug 6 22:51:02 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id MAA23769 for firewalls-outgoing; Wed, 6 Aug 1997 12:34:51 -0700 (PDT) Received: from mercury.imxexchange.com ([207.82.224.3]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id MAA23681 for ; Wed, 6 Aug 1997 12:34:17 -0700 (PDT) Received: by mercury.imxexchange.com with SMTP (Microsoft Exchange Server Internet Mail Connector Version 4.0.995.52) id <01BCA265.0658A2C0@mercury.imxexchange.com>; Wed, 6 Aug 1997 12:34:04 -0700 Message-ID: From: James Terry To: "'Firewalls@GreatCircle.COM'" Subject: RE: PPTP & FW-1 Date: Wed, 6 Aug 1997 12:32:15 -0700 X-Mailer: Microsoft Exchange Server Internet Mail Connector Version 4.0.995.52 MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk i'm sorry to be so ignorant, but could someone please clear this up for me?; IS IT POSSIBLE, using Microsofts PPTP (windows client, NT server) to establish a FULLY secured connection through FW-1 3.0? 
(non VPN)

What I want is SECURED authentication AND secured communication:
authenticity & confidentiality.

thanks, james@imx-exchange.com.

>-----Original Message-----
>From: Russ [SMTP:Russ.Cooper@RC.on.ca]
>Sent: Wednesday, August 06, 1997 5:10 AM
>To: Firewalls@GreatCircle.COM; 'snorthc@nswc.navy.mil'
>Subject: RE: PPTP & FW-1
>
>PPTP's control connection uses TCP/UDP 1723. TCP/UDP 5678 was indicated
>in the initial draft proposal for the PPTP protocol, but NT 4.0 was
>released using the IANA assigned port number 1723.
>
>GRE, IP Protocol 47 (not a TCP or UDP port) is used for the data tunnel.
>
>Obviously if you implement a rule on FW-1 (or any Firewall) specifying
>TCP/UDP 5678 for the control channel, you're not going to be able to get
>any NT or Win95-based PPTP machines to work since they will try to set
>up their control channel over TCP1723.
>
>Some Front-End Processors (FEPs) may actually make the PPTP control
>connection themselves, and then relay the PPP traffic through the tunnel
>they've established. In this case, your rules need to be based on the IP
>address of the FEP, not the IP address assigned to the client by the
>ISP.
>
>If you are doing PPTP over a client network adapter, then your rules are
>based on the client's original IP address.
>
>IP addresses assigned by the PPTP server need to be from a subnet other
>than one existing on your PPTP server networks, otherwise your clients
>will end up with their PPTP network gateway being seen as an address on
>their physical network adapter, rather than an address reached through
>their virtual network adapter created by the PPTP tunnel.
>
>Finally, remember that GRE is *not* encryption, merely encapsulation. No
>valuable security is gained by encapsulation, so enable PPP encryption
>on the Dial-up connection on the client to obtain any security.
>
>Cheers,
>Russ
>R.C. Consulting, Inc.
- NT/Internet Security >owner of the NTBugTraq Mailing List - http://ntbugtraq.rc.on.ca/ From owner-firewalls-outgoing Wed Aug 6 23:04:07 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id LAA14762 for firewalls-outgoing; Wed, 6 Aug 1997 11:48:54 -0700 (PDT) Received: from pse01.pios.com (PSE01.PIOS.COM [199.33.129.2]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id LAA14746 for ; Wed, 6 Aug 1997 11:48:45 -0700 (PDT) Received: by pse01.pios.com; (5.65v3.2/1.3/10May95) id AA06438; Wed, 6 Aug 1997 14:49:18 -0400 Received: from vaxa.PIOS.COM (vaxa.PIOS.COM) by gemini.pios.com (PMDF V5.0-6 #18985) id <01IM4G5V38348WYPKP@gemini.pios.com> for firewalls@greatcircle.com; Wed, 06 Aug 1997 14:51:18 -0400 (EDT) Received: from cal_133.cal.pios.com (cal02.CAL.PIOS.COM) by PIOS.PIOS.COM (PMDF V5.0-6 #18984) id <01IM4G6562HC8Y5IS3@PIOS.PIOS.COM> for firewalls@greatcircle.com; Wed, 06 Aug 1997 14:51:33 -0400 (EDT) Date: Wed, 06 Aug 1997 11:48:47 -0700 From: Bill Stout Subject: Re: Mail bombing made legal... X-Sender: stoutb@192.168.0.37 To: firewalls@greatcircle.com Message-Id: <2.2.32.19970806184847.008e6b94@192.168.0.37> Mime-Version: 1.0 X-Mailer: Windows Eudora Pro Version 2.2 (32) Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7BIT Sender: firewalls-owner@GreatCircle.COM Precedence: bulk At 02:58 PM 8/4/97 -0400, you wrote: >Yes, it is true. You need to change your SMTP server to stop relaying. >You may need to get a new version of sendmail. I'm not familiar with how to do that with sendmail.cf. From what I know, you cannot prevent source connections from the internet into smap/smtp, with destinations on the internet. If it can be done, maybe you could tell 'true.net' how to do that. In fact, how about a standardized anti-SPAM response to 'abuse@domain.com" messages instructing them or pointing them to a URL on how to do that? How about a subject of 'Open season on Mail bombers'? 
I'd love to find a way to retaliate against spammers, and put them out of
business once and for all. It's a case of 'free speech' vs. 'unauthorized
use of server services', 'resource consumption' and group harassment.

Any enemy lists of SPAM software/service companies out there? Maybe _they_
should feel the aggressive wrath of world-wide security experts,
firewallers and their tools coming down on them all at once.

Incoming SMTP connections can be sniffed and filtered, and a coordinated
effort (via webpage?) can be made to track down and target spammers for
the appropriate cyber, legal, or financial response.

Bill Stout

P.S. - SpamHater program @ http://www.cix.co.uk/~net-services/spam/
_________________________________________________________________
Return-path:
Date: Wed, 06 Aug 1997 12:25:47 -0400
From: "Luis E. Muñoz"
Subject: Re: Please remove me from this SPAM list
Sender: lem@true.NET
To: Bill Stout
Cc: postmaster@true.NET
Organization: TRUEnet Red Internacional de Informacion
References: <2.2.32.19970806162053.009731cc@192.168.0.37>

Dear folks:

All of you have recently sent email pertaining to a spamming incident to
postmaster@true.net. I would like to give further info about this:

(1) The spammer is NOT our customer, user or is somewhat related to us,
    to the best of our knowledge.

(2) The spammer is using our mail servers, as well as others from other
    ISPs, to send out the junk-mail.

(3) We've been taking measures to stop this abuse, however, the spammer
    is using random IP numbers from PSI. Blocking all of PSI's IPs is not
    an option for us.

We, as well as you, are affected by this abuse because of the amount of
resources it's consuming in our servers. We're following this issue
closely in order to end the abuse as soon as possible.

Best regards.
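
The relay restriction discussed in this thread (the "to or from an allowed domain" filter and the third-party relaying described in the forwarded message above), as an added example that is not part of any list member's post or of any mail server's code. The domain, networks and session data are constructed; the second rule, which keys outbound relay on the connecting client's network, is an assumption added here to show why a sender-domain test alone is not enough.

```python
import ipaddress

# Constructed values for this example: the domain this server delivers
# mail for, and the network its own users submit mail from.
LOCAL_DOMAINS = {"example.com"}
TRUSTED_NETS = [ipaddress.ip_network("192.0.2.0/24")]


def split_address(address):
    """Split an envelope address into (local_part, domain).

    The domain is lower-cased. The null sender "<>" yields ("", "").
    """
    address = address.strip().lstrip("<").rstrip(">")
    if "@" not in address:
        return address, ""
    local_part, domain = address.rsplit("@", 1)
    return local_part, domain.rstrip(".").lower()


def asks_for_forwarding(local_part):
    """True if the local part itself names another host (percent hack,
    UUCP bang path or source route), so that "local" delivery could
    still pass the message on to a third party."""
    return any(ch in local_part for ch in "%!@:")


def domain_rule(mail_from, rcpt_to):
    """The filter as described in the thread: accept when either the
    envelope sender or the envelope recipient is in an allowed domain."""
    _, sender_domain = split_address(mail_from)
    _, rcpt_domain = split_address(rcpt_to)
    return sender_domain in LOCAL_DOMAINS or rcpt_domain in LOCAL_DOMAINS


def client_rule(client_ip, rcpt_to):
    """Stricter variant (assumption of this example): outbound relay is
    granted by where the connection comes from, because the envelope
    sender is only a claim made by the client."""
    address = ipaddress.ip_address(client_ip)
    if any(address in net for net in TRUSTED_NETS):
        return True
    local_part, rcpt_domain = split_address(rcpt_to)
    return rcpt_domain in LOCAL_DOMAINS and not asks_for_forwarding(local_part)


# Constructed sessions: (label, connecting IP, MAIL FROM, RCPT TO).
SESSIONS = [
    ("inbound", "203.0.113.9", "<stranger@elsewhere.test>", "<user@example.com>"),
    ("outbound", "192.0.2.10", "<user@example.com>", "<friend@elsewhere.test>"),
    ("third_party", "203.0.113.9", "<bulk@elsewhere.test>", "<victim@third.test>"),
    ("forged_sender", "203.0.113.9", "<anyone@example.com>", "<victim@third.test>"),
    ("percent_hack", "203.0.113.9", "<bulk@elsewhere.test>",
     "<victim%third.test@example.com>"),
]


def evaluate(sessions):
    """Return {label: (domain_rule accepts, client_rule accepts)}."""
    return {
        label: (domain_rule(mail_from, rcpt_to), client_rule(client_ip, rcpt_to))
        for label, client_ip, mail_from, rcpt_to in sessions
    }


if __name__ == "__main__":
    for label, (by_domain, by_client) in evaluate(SESSIONS).items():
        print(f"{label:14} domain rule: {'250 accept' if by_domain else '550 deny':10} "
              f"client rule: {'250 accept' if by_client else '550 deny'}")
```

The two rules agree on ordinary inbound, outbound and plain third-party traffic; they differ only on the last two sessions, where the outside client claims a local sender or hides the real destination in the local part.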
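
The header tracing described earlier in this thread (the peer address a receiving mailer records next to the asserted HELO name, and the in-addr.arpa name used for a reverse lookup), as an added example that is not from any list member's post. The Received: lines are constructed in the two sendmail layouts visible in this archive; the flag names and the chain check are assumptions of this example, and no DNS query is made.

```python
import ipaddress
import re

# RFC 1918 private address space, which cannot identify an Internet host.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# "from HELO (RDNS [IP]) by HOST" or "from HELO ([IP]) by HOST".
HOP_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+"
    r"\((?:(?P<rdns>[^\s\[\]()]+)\s+)?\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]\)\s+"
    r"by\s+(?P<by>\S+)"
)

# Constructed headers, newest hop first, as they sit on top of a message.
SAMPLE_HEADERS = [
    "Received: from relay.example.net (relay.example.net [198.51.100.7]) "
    "by mx.example.com (8.8.5/8.8.5) with ESMTP id AAA00001; "
    "Wed, 6 Aug 1997 10:12:13 -0400",
    "Received: from bigisp.example (dialup-42.example.org [203.0.113.42]) "
    "by relay.example.net (8.8.5/8.8.5) with SMTP id BAA00002; "
    "Wed, 6 Aug 1997 10:12:03 -0400",
    "Received: from mailhost ([10.1.2.3]) "
    "by dialup-42.example.org with SMTP id CAA00003; "
    "Wed, 6 Aug 1997 10:11:50 -0400",
    "Received: from somewhere.example (somewhere.example [192.0.2.99]) "
    "by unrelated.example with SMTP id DAA00004; "
    "Wed, 6 Aug 1997 10:11:00 -0400",
]


def ptr_name(ip):
    """Reverse the octets and append in-addr.arpa, as described in the thread."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + ".in-addr.arpa"


def trace(headers):
    """Parse Received: lines (newest first) into hops with review flags."""
    hops = []
    for header in headers:
        match = HOP_RE.search(header)
        try:
            hop = match.groupdict()
            hop["ptr_query"] = ptr_name(hop["ip"])
        except (AttributeError, ValueError):
            # Other layouts, or an address with an octet above 255.
            hops.append({"raw": header, "flags": ["unparsed"]})
            continue
        hop["timestamp"] = header.rsplit(";", 1)[1].strip() if ";" in header else ""
        flags = []
        if hops:
            # The server that wrote this line should be the host the
            # previous (newer) line says it received the message from.
            prev = hops[-1]
            known = {n.lower() for n in (prev.get("helo"), prev.get("rdns")) if n}
            if hop["by"].lower() not in known:
                flags.append("chain_break")
        if hop["rdns"] is None:
            flags.append("no_ptr")
        elif hop["rdns"].lower() != hop["helo"].lower():
            flags.append("helo_mismatch")
        if any(ipaddress.ip_address(hop["ip"]) in net for net in RFC1918):
            flags.append("private_address")
        hop["flags"] = flags
        hops.append(hop)
    return hops


if __name__ == "__main__":
    for hop in trace(SAMPLE_HEADERS):
        print(hop.get("ip", "?"), hop.get("timestamp", ""), hop["flags"])
```

The address and timestamp of the last hop recorded by a server you trust are what the receiving ISP needs to match against its own logs; lines below a "chain_break" were not written by any host in the verified chain and may be forged.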
From owner-firewalls-outgoing Wed Aug 6 23:21:06 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id WAA08114 for firewalls-outgoing; Wed, 6 Aug 1997 22:41:36 -0700 (PDT) Received: from helios.iconn.com.ph (helios.iconn.com.ph [203.176.4.4]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id WAA08077 for ; Wed, 6 Aug 1997 22:41:19 -0700 (PDT) Received: from dulcea.iconn.com.ph (rml@[203.176.4.22]) by helios.iconn.com.ph (8.6.12/8.6.9) with SMTP id NAA32547; Thu, 7 Aug 1997 13:41:48 +0800 Date: Thu, 7 Aug 1997 18:30:17 +0800 (HKT) From: Ronald Lachenal To: Ryan Mooney cc: firewalls@GreatCircle.COM Subject: Re: Mail bombing made legal... In-Reply-To: <199708061805.LAA15967@pcslink.com> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk On Wed, 6 Aug 1997, Ryan Mooney wrote: > Fairly easily. I can at least trace it back to the fact that you were > logged in to aol, or some local operation.... At that point I'm > relying on the fact that they can trace who was on what port at what > time (always a good question). If they can't I'm SOL, if they can I > would expect them to LART you appropriately. Unfortunately, a lot of providers choose to ignore any request for information when it comes to things that could possibly lead to apprehending and/or offending their users. -- Ronald M. 
Lachenal hotblack@dulcea.iconn.com.ph www.iconn.com.ph
EC:141.949150 VO:812.8023 FX:810.3614 PGP: 71CAC8C188BC.5CE82F4095AA.7AD0C5E1

From owner-firewalls-outgoing Thu Aug 7 00:05:43 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id WAA10803 for firewalls-outgoing; Wed, 6 Aug 1997 22:57:48 -0700 (PDT)
Received: from mail.pixi.com (hoku.pixi.com [206.127.224.83]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id WAA10762 for ; Wed, 6 Aug 1997 22:57:04 -0700 (PDT)
Received: from www.sersol.com (www.sersol.com [206.127.255.227]) by mail.pixi.com (8.8.5/8.8.5/PIXI-5.2) with SMTP id TAA15542 for ; Wed, 6 Aug 1997 19:57:51 -1000 (HST)
Received: by www.sersol.com with Microsoft Mail id <01BCA2A2.900A5850@www.sersol.com>; Wed, 6 Aug 1997 19:54:34 -1000
Message-ID: <01BCA2A2.900A5850@www.sersol.com>
From: "James D. Wilson"
To: "'firewalls@GreatCircle.COM'"
Subject: RE: Mail bombing made legal...
Date: Wed, 6 Aug 1997 19:54:32 -1000
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Since the topic of the day seems to be revolving around spamming, I made
some notes for a friend on how to track down those email messages which
contain web sites to visit (I don't bother with the ones that just have a
PO Box or snailmail address as it's rarely worth the effort.)

Any suggestions, additions or comments?

------------------------------------------------------------------------

Some ways to track down a spammer with a site on the net.

1. Find the website in the message and do a whois on the domain.
For example, in the body of this spam message, you find:

---- 8< snip --------------------------------
If you feel you want to become a DISTRITUBOR, take a look at :
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
---- 8< snip --------------------------------

Now find out info on their website: (note I started out by leaving off the
"www"; if you don't get a match, try it with the "www")

# whois dirtbag.com
Dirtbagspammer (DIRTBAG-DOM)
   144 Gauthier
   Terrebonne, QC J6w5g3
   Canada

   Domain Name: DIRTBAG.COM

   Administrative Contact:
      Beauregard, Daniel (DB5223) xx681362@ANON.PENET.FI
      514-961-2599 (FAX) 514-961-2599
   Technical Contact, Zone Contact, Biggest Dirtbag:
      Wallace, Sanford (SW1708) domreg@CYBERPROMO.COM
      215-628-9780
   Billing Contact:
      Beauregard, Daniel (DB5223) xx681362@ANON.PENET.FI
      514-961-2599 (FAX) 514-961-2599

(Hmmmmm DB5223, is that short for the domain name? Nah, just the "handle"
of the billing contact who is afraid to have a real email address so he
hides behind an anonymous account out of Finland.)

   Record last updated on 17-Mar-97.
   Record created on 17-Mar-97.
   Database last updated on 6-Aug-97 04:21:02 EDT.

   Domain servers in listed order:

   NS7.CYBERPROMO.COM 205.199.2.250
   NS9.CYBERPROMO.COM 207.124.161.50
   NS8.CYBERPROMO.COM 207.124.161.65
   NS5.CYBERPROMO.COM 205.199.212.50

You immediately see that this is from the scum of the earth, Cyberpromo.
Now you need to find out who is providing the site with internet access.
To do this you need the IP (numeric) address of the web site. An easy way
to find out is to try and telnet to the site, or even better traceroute to
the site.
# telnet www.dirtbag.com
trying 204.137.220.48
----- 8< snip

# traceroute dirtbag.com
traceroute to dirtbag.com (204.137.220.48), 30 hops max, 40 byte packets
 1 yoursite (123.45.67.89) 40 ms 30 ms 30 ms
 2 207.115.135.145 (207.115.135.145) 30 ms 40 ms 30 ms
 3 207.115.135.209 (207.115.135.209) 180 ms 250 ms 230 ms
 4 901.Hssi5-0.GW1.DFW1.ALTER.NET (137.39.138.25) 280 ms 230 ms 250 ms
 5 137.39.21.10 (137.39.21.10) 260 ms 210 ms 200 ms
 6 108.Hssi4-0.CR2.TCO1.Alter.Net (137.39.69.145) 230 ms 250 ms 290 ms
 7 137.39.21.157 (137.39.21.157) 310 ms * 370 ms
 8 mae-east.agis.net (192.41.177.145) 280 ms 320 ms 360 ms
 9 204.157.38.250 (204.157.38.250) 310 ms 340 ms 300 ms
10 * a0.1010.newyork1.agis.net (206.185.152.245) 320 ms 370 ms
11 206.185.158.229 (206.185.158.229) 310 ms 350 ms 330 ms
12 *
#

Now you want to track down the network addresses.

If the address is between 1.0.0.0 and 127.255.255.255:
   whois xxx.0.0.0, where xxx is the first value

If the address is between 128.0.0.0 and 191.255.255.255:
   whois xxx.yyy.0.0, where xxx is the first value and yyy is the second value in the address

If the address is between 192.0.0.0 and 223.255.255.255:
   whois xxx.yyy.zzz.0, where xxx is the first value yyy is the second value in the address, and zzz is the third value in the address.

This is the third type of address, so:

# whois 204.137.220.0
AGIS/Net99 (NETBLK-AGISAA)
   3601 Pelham
   Dearborn, MI 48124

   Netname: AGISAA
   Netblock: 204.137.128.0 - 204.137.223.255
   Maintainer: AGIS

-- This shows that this is part of a netblock or
-- group of contiguous addresses between
-- 204.137.128.0 and 204.137.223.255, and the
-- address we are looking for falls within that
-- range.
--
-- If you don't get good working addresses/phone
-- numbers from the site itself, you can focus
-- in on their DNS providers, or even
-- the DNS provider's DNS provider.
   Coordinator:
      AGIS DNS Administration (ADA2-ORG) dns-admin@AGIS.NET
      (313)-730-5151
   Alternate Contact:
      AGIS DNS Administration (AGIS-NOC) noc@agis.net
      (313)-730-5151 fax- (313)-359-4108

   Domain System inverse mapping provided by:

   NS3.AGIS.NET 205.137.48.7
   NS1.AGIS.NET 205.137.48.5
   NS2.AGIS.NET 205.137.63.2

   Record last updated on 14-Feb-97.
   Database last updated on 6-Aug-97 04:21:02 EDT.

This tells you that AGIS is the network provider for this site. It also provides you with fax numbers, phone numbers, email addresses. USE THEM! If everyone who gets spam tracks down the ISP and faxes them complaint letters, say 1 to 4 times a day, and emails them 1 to 4 times a day until they respond to you, we just might motivate them to do something about the problem. Imagine if they spam 1000 people, and these 1000 people fax and email them four times a day until they stop - remember that this is not harassment, as you will stop as soon as they make the spammers stop. Until then, you are just reporting the continuing problem to them to assist them in resolving the problem :-)

==================================================

Here are the headers of the message. The method of displaying full headers is specific to your mail client. It is important that you make sure you always forward the headers to the ISP at the various abuse@ISP.COM, postmaster@ISP.COM, sales@ISP.COM, root@ISP.COM, support@ISP.COM, dns@ISP.COM, domreg@ISP.COM, etc. as you see fit. Usually one or two of the above variations will get through and ensure your message is received :-)

The headers will track the message from relay to relay, starting with the delivery to your site, ending with the supposed origination site. Most of the time this information will at best help you identify which ISP is allowing relaying, or remailing through their site of "spoofed" header messages.
It is important that you also make the relay sites aware of this just as if they were the spammers themselves, as their inaction is resulting in your being spammed. Received: from regulus.net (root@[205.199.4.206]) by mail.pixi.com (8.8.5/8.8.5/PIXI-5.2) with ESMTP id DAA01452 for ; Wed, 6 Aug 1997 03:50:30 -1000 (HST) From: ynter@spica.net Received: from ynter@spica.net by regulus.net (8.8.6/8.8.5) with ESMTP id BAA26422 for <@regulus.net:netsurf@pixi.com>; Wed, 6 Aug 1997 01:53:31 -0400 (EDT) -- Notice the reference to www.iemmc.org. So far that -- site has had no real effect on the spamming problem, -- and their registration process doesn't work a good -- part of the time. They even tell you to keep registering -- again, and again, and again, and again until it works. -- What a joke! X-Advertisement: Visit http://www.iemmc.org for name removal information. Date: Wed, 06 Aug 97 07:56:01 EST To: another.victim@somewhere.com Subject: 40,000 ++ PRODUCTS FOR YOU Message-ID: <> X-UIDL: aa9dc01e126e4bb1874d1d4d625c9df9 ================================================================== From: subhuman@dirtbag.com Sent: Wednesday, August 06, 1997 2:56 AM To: xxx Subject: 40,000 ++ PRODUCTS FOR YOU Dear xxx, HOW DO YOU FIND THE RARE PEARL AT A PRICE SO LOW ? THAT YOU CAN MAKE A HUGE PROFIT, RESELLING WHOLESALE OR RETAIL ? WELL JUST HIT THIS SITE : THERE IT IS..... 40,000 + ADDRESSES OF OF MANUFACTURERS, WHOLESALERS, If you feel you want to become a DISTRITUBOR, take a look at : ................................................................ -- Notice how they claim to have a removal process - -- be very wary, as more often than not this will guarantee -- your being added to mailing lists they sell again -- and again. Before you visit their website you probably -- want to turn on warnings before setting cookies so you -- can keep them from dropping their fecal deposit on your -- drive. If you want to be remove from our list just put:"REMOVE" in the subject line. 
We will gladly take your name out of our list, We are very sorry if you received this notice by error. ======================================================================== Yeah, and the check is in the mail, and I promise I won't... ------------------------------------------------------------------------------------------------------- Aloha, - James D. Wilson netsurf@pixi.com http://www.pixi.com/~netsurf/ Support the Anti-spam amendment: http://www.cauce.org/ From owner-firewalls-outgoing Thu Aug 7 00:12:22 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id NAA05654 for firewalls-outgoing; Wed, 6 Aug 1997 13:37:05 -0700 (PDT) Received: from bdc9000.pccmis.com (pccentral.cyberportal.net [204.97.235.63]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id NAA05600 for ; Wed, 6 Aug 1997 13:36:45 -0700 (PDT) Received: by bdc9000.pccmis.com with Microsoft Exchange (IMC 4.0.837.3) id <01BCA287.42498390@bdc9000.pccmis.com>; Wed, 6 Aug 1997 16:39:07 -0400 Message-ID: From: Chris Brenton To: "'firewalls@GreatCircle.COM'" Subject: RE: Mail bombing made legal... Date: Wed, 6 Aug 1997 16:39:05 -0400 X-Mailer: Microsoft Exchange Server Internet Mail Connector Version 4.0.837.3 MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk >>This basically amounts to theft of services - CPU time and bandwidth. >> >>Mike Wright, >>Network Support, Phone 0171 269 3618. > > No doubt about it. It is theft of services. I talked with our >university lawyer yesterday after I caught some spammer relaying 2248 >messages through one of my systems clogging up the queue and causing a >delay which amounts to a denial of service. I was told by our lawyer >that we can go after them to the fullest extent of both state and federal >law for theft of sevices. Of course now the problem becomes how do you put a price on this. 
If your system spends a few hours forwarding these 2,248 messages, but continues to perform other functions at the same time:

1) what do you use as metrics to determine its cost impact to your environment
2) How do you express this in terminology that can be appreciated in a court of law

The real cost impact is cleaning up the mess after this spammer has pissed off a number of trigger-happy individuals who respond by flaming. This may be harder to be compensated for since the individual is not directly responsible for the problem even though they caused it. For example, I tell Jim that Bob stole his watch. Jim goes out and shoots Bob. While I can be considered an accessory, I am not considered to be fully responsible as it was Jim who ultimately caused the problem (Bob dying).

Clearly something beyond simple "theft" is needed to properly regulate this type of activity. If nothing else I would hope it makes people think before they strike. I had someone do something similar to an environment I was running about 3 years ago. Even though the post did not originate from our domain and the spam itself caused no disruption, the flames we received shut down our mail system for close to 5 days.

Just my two cents...

Chris Brenton cbrenton@pccmis.com
**************************************************
Back Up My Hard Drive? How do I put it in Reverse?
************************************************** From owner-firewalls-outgoing Thu Aug 7 01:34:31 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id LAA13785 for firewalls-outgoing; Wed, 6 Aug 1997 11:43:19 -0700 (PDT) Received: from punt-2.mail.demon.net (relay-7.mail.demon.net [194.217.242.7]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id LAA13766 for ; Wed, 6 Aug 1997 11:43:12 -0700 (PDT) Received: from mailgate.browns.co.uk ([194.217.147.100]) by punt-2.mail.demon.net id aa0627178; 6 Aug 97 18:54 BST Received: from santi.browns.co.uk by post.browns.co.uk id aa00455; 6 Aug 97 18:58 BST Message-ID: <33E8B834.981D1096@browns.co.uk> Date: Wed, 06 Aug 1997 18:45:24 +0100 From: Santi Ribas Reply-To: santi@browns.co.uk Organization: Brown's Operating System Services X-Mailer: Mozilla 4.01 [en] (Win95; I) MIME-Version: 1.0 To: Firewalls List Subject: Proxy telnet client X-Priority: 3 (Normal) Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Hi all, Does any one if there is in the market a Telnet client software that can be run through a proxy server? (in the same way you have it for web, ftp...) Thanks in advance.. 
Santi From owner-firewalls-outgoing Thu Aug 7 03:57:38 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id CAA18053 for firewalls-outgoing; Thu, 7 Aug 1997 02:53:29 -0700 (PDT) Received: from bdc9000.pccmis.com (pccentral.cyberportal.net [204.97.235.63]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id CAA18046 for ; Thu, 7 Aug 1997 02:53:21 -0700 (PDT) Received: by bdc9000.pccmis.com with Microsoft Exchange (IMC 4.0.837.3) id <01BCA2F6.95774F10@bdc9000.pccmis.com>; Thu, 7 Aug 1997 05:56:01 -0400 Message-ID: From: Chris Brenton To: "'firewalls@GreatCircle.COM'" Subject: RE: PPTP & FW-1 Date: Thu, 7 Aug 1997 05:55:58 -0400 X-Mailer: Microsoft Exchange Server Internet Mail Connector Version 4.0.837.3 MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk >i'm sorry to be so ignorant, but could someone please clear this up for >me?; > > >IS IT POSSIBLE, using Microsofts PPTP (windows client, NT server) to >establish a FULLY secured >connection through FW-1 3.0? (non VPN) > >What i want is SECURED authentication AND secured communication: >authenticity & confidentiality. >thanks, >james@imx-exchange.com. Then PPTP is not for you. As mentioned in an earlier post, PPTP is based on PPP which uses PAP and CHAP for authentication. While this is fine for a dial-up line, it presents some interesting problems when transmitted over an open network: PAP - Sends passwords as clear text. Provides no authentication during communication which means that sources are not verified. If I transmit data from a third station pretending to be either one of the two systems, the session has no checks to reject this information. CHAP - Allows for encrypted passwords and performs authentication of each system at random time intervals to insure they are who they say they are. 
Systems are supposed to try CHAP first but it is not that difficult to make the systems drop back to PAP. If I can place myself between your network and the user's ISP, it's a straightforward process to capture their logon name and password. I can now use this information to create a PPTP connection myself (assuming you are not filtering sources on your firewall) or access your network via RAS dial-up if it is configured and I can figure out the phone number.

Despite the authentication method used, NT uses a 40 bit key for encryption. The problem is that the key is transmitted as part of the session! There is no facility in place to exchange keys out-of-band or to use a public/private key configuration. In short, if I capture the entire user's session I have all the info I need to crack the transmission.

If you need "SECURED", use your firewall's VPN feature along with Secure ID verification.

Hope this clears things up for you.

Cheers,
Chris

From owner-firewalls-outgoing Thu Aug 7 04:20:51 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id BAA14320 for firewalls-outgoing; Thu, 7 Aug 1997 01:57:17 -0700 (PDT) Received: from brussels.cisco.com (brussels.cisco.com [171.68.129.238]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id BAA14132 for ; Thu, 7 Aug 1997 01:56:29 -0700 (PDT) Received: from cons-evyncke.cisco.com (brussels-ppp5.cisco.com [171.68.146.26]) by brussels.cisco.com (8.8.5/8.8.5) with SMTP id KAA16671; Thu, 7 Aug 1997 10:53:23 +0200 (METDST) Message-Id: <3.0.32.19970807082759.006a4178@brussels.cisco.com> X-Sender: evyncke@brussels.cisco.com (Unverified) X-Mailer: Windows Eudora Pro Version 3.0 (32) Date: Thu, 07 Aug 1997 10:53:43 +0000 To: Mike Jones From: Eric Vyncke Subject: Re: Risks of enable RIP...
Cc: csubasi@garanti.com.tr, Firewalls Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: firewalls-owner@GreatCircle.COM Precedence: bulk At 15:27 6/08/97 -0400, Mike Jones wrote: >Eric Vyncke wrote: >> Dynamic routing of a firewall is usually considered as dangerous >> because a malicious person could send faked routing information >> in the bastion host/firewall which will accordinglt modify >> its routing table. ...... >One important point: these are all real risks of having a firewall >LISTEN to RIP. Having the firewall BROADCAST RIP doesn't have >any of these risks, AFAIK, and it's a potentially very useful >thing to do if you want to have redundant firewalls. Mike, you are right. Most firewalls will benefit of having the bastion host/firewall broadcasting routing information. But, there is still the possibility that the router(s) in front of the firewall can be the target of faked routing information (of course ACL can eliminate most -- or even all -- of this faked routing information). Regarding firewalls, I always suggest to: - use static routes - use static ARP table - use an Ethernet switch with fixed port/MAC settings I admit that it is probably an overkill but who knows ???? -eric Eric Vyncke Technical Consultant Cisco Systems Belgium SA/NV Phone: +32-2-778.4677 Fax: +32-2-778.4300 E-mail: evyncke@cisco.com Mobile: +32-75-312.458 From owner-firewalls-outgoing Thu Aug 7 04:24:43 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id CAA15664 for firewalls-outgoing; Thu, 7 Aug 1997 02:08:25 -0700 (PDT) Received: from europa.lif.icnet.uk (europa.lif.icnet.uk [143.65.100.4]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id CAA15647 for ; Thu, 7 Aug 1997 02:07:59 -0700 (PDT) From: harley@icrf.icnet.uk Message-Id: <199708070907.CAA15647@honor.greatcircle.com> Received: by europa.lif.icnet.uk; Thu, 7 Aug 1997 10:09:00 +0100 Subject: Re: Mail bombing made legal... 
To: firewalls@greatcircle.com Date: Thu, 7 Aug 1997 10:09:00 +0100 (BST) X-Mailer: ELM [version 2.4 PL23] Mime-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > Any enemy lists of SPAM software/service companies out there? Maybe _they_ > should feel the aggressive wrath of world-wide security experts, firewallers > and their tools coming down on them all at once. Incoming SMTP connections > can be sniffed and filtered, and a coordinated effort (via webpage?) can be > made to track down and target spammers for the appropriate cyber, legal, or > financial response. If you can live with the amount of traffic it generates, it's worth checking out SPAM-L: lots of chat round spam and related issues, pointers to media mentions, procmail recipes and the like. It's a complex issue (and it's well worth telling your users what is and isn't an appropriate response at policy level), and well worth some eavesdropping. A few more links (sorry, there are bound to be duplications): http://www.informatik.uni-kiel.de/%7Eca/email/english.html [sendmail orientated] http://www.sendmail.org/antispam.html [also sendmail orientated....] http://spam.abuse.net/spam/ http://spam.abuse.net/spam/faq.html http://www.ii.com/internet/faqs/launchers/mail/filtering-faq http://www-fofa.concordia.ca/spam/ (good links) http://www-fofa.concordia.ca/spam/FAQs.html http://www.news.com/News/Item/0,4,10875,00.html?owv Journalist's eye view mailto:listserv@peach.ease.lsoft.com with text: SUBSCRIBE SPAM-L firstname lastname http://peach.ease.lsoft.com/archives/SPAM-L.html http://www.cybernothing.org/faqs/net-abuse-faq.html http://members.aol.com/emailfaq/emailfaq.html http://ddi.digital.net/~gandalf/trollfaq.html http://www.cauce.org/ CAUCE - Coalition Against Unsolicited Commercial Email http://www.cauce.org/faq.asp http://www.news.com/Perspectives/mw/mw5_29_97a.html?nd Highly readable rant. 
--
David Harley                  | alt.comp.virus FAQ
D.Harley@icrf.icnet.uk        | & Anti-Virus Web Page
Support & Security Analyst    | Folk London On-Line gig-list
Imperial Cancer Research Fund | http://webworlds.co.uk/dharley/

From owner-firewalls-outgoing Thu Aug 7 04:36:18 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id BAA14022 for firewalls-outgoing; Thu, 7 Aug 1997 01:56:04 -0700 (PDT) Received: from zaphod.axion.bt.co.uk (zaphod.axion.bt.co.uk [132.146.5.1]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id BAA13979 for ; Thu, 7 Aug 1997 01:55:48 -0700 (PDT) Received: from snshsnnt04.nat.bt.com (actually www.nat.bt.com) by zaphod.axion.bt.co.uk with SMTP (PP); Thu, 7 Aug 1997 09:51:36 +0100 Received: by www.nat.bt.com with Internet Mail Service (5.0.1458.49) id ; Thu, 7 Aug 1997 09:40:32 +0100 Message-ID: From: Danny Pearce To: "'firewalls@GreatCircle.COM '" , "'Samuel T. Baker '" Cc: "'mhorn@funb.com '" Subject: RE: Bloomberg -Reply -Reply Date: Thu, 7 Aug 1997 09:40:30 +0100 X-Priority: 3 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.0.1458.49) Content-Type: text/plain Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

If Bloomberg gave you a controller, I'd be greatly surprised if they did not give you/suggest that you use a router between your net and their net. As much as your net could be compromised by an interactive IP link to Bloomberg, their net is probably a much greater risk and they would therefore have taken measures already to protect themselves from 3rd parties.

Sticking a router between your net and the controller, and allowing a set of predefined port numbers through the router (a list of Bloomberg port numbers should be available from them) should be secure enough. Extremely nervous people could do something like:

your net=>Firewall=>Router=>Bloomberg

but this is rather an expensive solution. Did you check with Bloomberg about security impact before the product was installed?
---------- From: Samuel T. Baker To: firewalls@GreatCircle.COM Cc: mhorn@funb.com Sent: 8/4/97 4:41 PM Subject:Re: Bloomberg -Reply -Reply ** Low Priority ** Does the Open Bloomberg controller function like a firewall? Does it preclude any direct traffic between the customer network and the Bloomberg networks? Does the Bloomberg controller mediate communication between Bloomberg and the customers? What measures are appropriate to guard this connection and protect the internal network? How confident are you that the Bloomberg controller can be trusted to not route IP traffic? Sam >>> "Mark Horn [ Net Ops ]" 16:35 31 Jul1997 >>> [snip] Actually, it's the Open Bloomberg controller operates as the client. The Open Bloomberg software running on the PC is the server. In other words, the Open Bloomberg controller initiates connections to the software running on the PC. If the PC software isn't running, this connection fails. The controller waits a while and then tries again. When the software on the PC is running, the connection will succeed the PC software can communicate with the controller. 
--
Mark Horn
PGP Public Key available at: http://www.es.net/hypertext/pgp.html
PGP KeyID/fingerprt: 00CBA571/32 4E 4E 48 EA C6 74 2E 25 8A 76 E6 04 A1 7F C1

From owner-firewalls-outgoing Thu Aug 7 04:53:03 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id BAA11002 for firewalls-outgoing; Thu, 7 Aug 1997 01:33:35 -0700 (PDT) Received: from ms1.src.siemens.es (ms1.src.siemens.es [195.53.72.4]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id BAA10786 for ; Thu, 7 Aug 1997 01:32:43 -0700 (PDT) Received: by ms1.src.siemens.es with Internet Mail Service (5.0.1458.49) id ; Thu, 7 Aug 1997 10:39:50 +0200 Message-ID: <005349746AE9D011861D0000B43706B424B8@ms1.src.siemens.es> From: cceballos To: "'Firewall News'" Subject: PPTP & FW-1 Date: Thu, 7 Aug 1997 10:39:48 +0200 X-Priority: 1 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.0.1458.49) Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

I have been trying to set up pptp through FW-1, and I get the following errors:

On the client's side:
The server is not answering to your request, try it again.

On the server's side:
User name_of_user cannot log in due to a connection time out.
User name_of_user disconnected from VPN1.

Any ideas???

Cristina Ceballos
Dpto.
Desarrollo Corporativo Siemens Redes Corporativas Tel.: +34 1 514 79 12 Fax: +34 1 514 79 62 mailto:cceballos@src.siemens.es From owner-firewalls-outgoing Thu Aug 7 05:41:48 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id DAA22180 for firewalls-outgoing; Thu, 7 Aug 1997 03:38:00 -0700 (PDT) Received: from bdc9000.pccmis.com (pccentral.cyberportal.net [204.97.235.63]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id DAA22169 for ; Thu, 7 Aug 1997 03:37:52 -0700 (PDT) Received: by bdc9000.pccmis.com with Microsoft Exchange (IMC 4.0.837.3) id <01BCA2FC.CDFFE850@bdc9000.pccmis.com>; Thu, 7 Aug 1997 06:40:33 -0400 Message-ID: From: Chris Brenton To: "'firewalls@GreatCircle.COM'" Subject: So where are we going... Date: Thu, 7 Aug 1997 06:40:32 -0400 X-Mailer: Microsoft Exchange Server Internet Mail Connector Version 4.0.837.3 MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Greetings all, I've recently jumped back on this list after being off it for a year and a half. It's good to see some of the old security gurus like Paul F. still around as well as so many new people that have a clue and are truly helpful in sharing what they know. Kudos to you all. It is interesting to see the changes that have taken place since I was gone. Some things are the same, you still get the occasional person asking what a firewall is, there are Cisco access list questions, and a single spam can still get this list buzzing for days. There are a few things that have definitely changed. For one, a mention of using NT as a firewall platform used to prompt may offers for a lift to the psychiatric ward. Now it appears that it is commonly used as the firewall platform of choice. My question is, what has prompted this? 
A) NT is now considered a viable firewall platform by some security experts B) The firewall bug has bitten users who are only comfortable with NT C) The MS rhetoric has sold people the bill of goods that "NT is secure enough" D) ? Also, there used to be a healthy conversation regarding many different firewall solutions as well as methods of securing one's network. It now appears that about half of the direct firewall questions deal with FW-1. While I do personally like this product and have used it myself on many occasions, I can't help but worry that a new "mini-microsoft" is in the making. This industry has thrived on new ideas and new ways of solving security concerns. I would hate to think that "stateful inspection" is now considered to be "good enough" and less attention is being paid to the plethora of other security options that are available. This list has grown large enough that I'm sure more than one firewall vendor is using it to determine their product and marketing strategy. Not looking to start any flames or religious wars, just a good clean heated debate. Chris Brenton cbrenton@pccmis.com ************************************************** Back Up My Hard Drive? How do I put it in Reverse? 
************************************************** From owner-firewalls-outgoing Thu Aug 7 06:07:05 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id AAA24908 for firewalls-outgoing; Thu, 7 Aug 1997 00:16:57 -0700 (PDT) Received: from mandarin.rz.hu-berlin.de (mandarin.rz.hu-berlin.de [141.20.3.149]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id AAA24658 for ; Thu, 7 Aug 1997 00:15:50 -0700 (PDT) Received: (from mail@localhost) by mandarin.rz.hu-berlin.de (8.8.5/8.8.5) id JAA02191 for ; Thu, 7 Aug 1997 09:16:44 +0200 Message-Id: <199708070716.JAA02191@mandarin.rz.hu-berlin.de> X-Authentication-Warning: mandarin.rz.hu-berlin.de: mail set sender to using -f Received: from localhost(127.0.0.1) by mandarin.rz.hu-berlin.de via smap (X.X) id xma002163; Thu, 7 Aug 97 09:16:27 +0200 X-Mailer: exmh version 2.0zeta 7/24/97 To: Firewalls List Subject: Re: Proxy telnet client In-reply-to: Your message of "Wed, 06 Aug 1997 18:45:24 BST." <33E8B834.981D1096@browns.co.uk> X-url: http://www.hu-berlin.de/~h0271cbj/ Organization: computer center of humboldt-university, Berlin From: Alexander Geschonneck Reply-to: geschonneck@rz.hu-berlin.de Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Date: Thu, 07 Aug 1997 09:16:26 +0200 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Hi, > Hi all, > > Does any one if there is in the market a Telnet client software that can > be run through a proxy server? (in the same way you have it for web, > ftp...) NetTerm has a telnet proxy option. With WinQVT you can define a telnet proxy, too. 
Alexander Geschonneck ----------------------------------------------------------------- computer center of Humboldt-Universitaet zu Berlin Unter den Linden 6,10099 Berlin-Germany, Phone: +49-30-2093 2482 PGP key via http://www.hu-berlin.de/~h0271cbj/mykey.html or any keyserver ----------------------------------------------------------------- From owner-firewalls-outgoing Thu Aug 7 06:07:44 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id FAA08066 for firewalls-outgoing; Thu, 7 Aug 1997 05:59:15 -0700 (PDT) Received: from emout03.mail.aol.com (emout03.mx.aol.com [198.81.11.94]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id FAA08014 for ; Thu, 7 Aug 1997 05:58:55 -0700 (PDT) From: Sandibles@aol.com Received: (from root@localhost) by emout03.mail.aol.com (8.7.6/8.7.3/AOL-2.0.0) id IAA17041 for firewalls@greatcircle.com; Thu, 7 Aug 1997 08:59:37 -0400 (EDT) Date: Thu, 7 Aug 1997 08:59:37 -0400 (EDT) Message-ID: <970807085935_141887021@emout03.mail.aol.com> To: firewalls@greatcircle.com Subject: RADIUS behind TIS Gauntlet FW Sender: firewalls-owner@GreatCircle.COM Precedence: bulk I am trying to put my RADIUS server behind a TIS Gauntlet firewall. I have a limited number of sites from which I am expecting authentication requests, and would like to limit connections to those machines. As far as I can tell, I can only pass the RADIUS traffic by configuring the packet filtering on the Gauntlet box. I'm clearly not too happy with this from a spoofing perspective. Has anyone done this on their own site? I'd appreciate any input. 
Thanks, Sandh From owner-firewalls-outgoing Thu Aug 7 06:24:31 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id GAA09707 for firewalls-outgoing; Thu, 7 Aug 1997 06:16:06 -0700 (PDT) Received: from ook.connect.ie (ook.connect.ie [194.106.128.50]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id GAA09639 for ; Thu, 7 Aug 1997 06:15:44 -0700 (PDT) From: mjmccann@connect.ie Received: from localhost (d1-ppp-134.connect.ie [194.106.128.134]) by ook.connect.ie (8.8.6/.44/NR) with SMTP id OAA17382; Thu, 7 Aug 1997 14:22:07 +0100 (BST) Message-Id: <3.0.2.16.19970807141738.22574ff4@pop.connect.ie> X-Sender: mjmccann@pop.connect.ie X-Mailer: QUALCOMM Windows Eudora Light Version 3.0.2 (16) Date: Thu, 07 Aug 1997 14:17:38 To: "Neville, Kevin (CCMail)" , Firewalls Subject: Firewalls and Filters In-Reply-To: <9708071256.AA20708@fastbear.bear.com> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Kevin, Point taken. Filters will have to be improved and expanded. Regards Michael At 08:50 07/08/97 -0400, Neville, Kevin (CCMail) wrote: > ...assuming all firewalls in the world parse all email including > encrypted messages and block those messages with the offending >phrase > (btw, 'Multi Level' could easily refer to a network architecture, > salary structure or tax code as well as marketing plan) .... > additionally i would not assume that all members of the mailing >list > are behind firewalls to begin with... > > generally firewalls work well; however if you personally want to >parse > email into your shop, there are products available. the conclusion >in > your mail subject can't be fairly reached with the test you >described. > > ====================================== One single piece of good news brightens the darkest day. 
Proverb ====================================== From owner-firewalls-outgoing Thu Aug 7 07:12:02 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id FAA07886 for firewalls-outgoing; Thu, 7 Aug 1997 05:57:55 -0700 (PDT) Received: from Bear.COM (wafw.bear.com [207.159.107.81]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id FAA07813 for ; Thu, 7 Aug 1997 05:57:24 -0700 (PDT) Received: by Bear.COM (SMI-8.6/SMI-SVR4) id IAA18741; Thu, 7 Aug 1997 08:46:35 -0400 Received: from fastbear(147.107.87.14) by wafw via smap (V2.0beta) id xma016470; Thu, 7 Aug 97 08:41:10 -0400 Received: from whmsx9.bear.com by fastbear.bear.com (4.1/SMI-4.1/1.0 AMR 12/15/94) sender: KNEVILLE@pcinetgw.bear.com for mjmccann@connect.ie id AA20708; Thu, 7 Aug 97 08:56:55 EDT Message-Id: <9708071256.AA20708@fastbear.bear.com> Received: by whmsx9.bear.com with Internet Mail Service (5.0.1459.10) id ; Thu, 7 Aug 1997 08:50:24 -0400 From: "Neville, Kevin (CCMail)" To: Firewalls , "mjmccann@connect.ie " Subject: RE: Firewalls don't work Date: Thu, 7 Aug 1997 08:50:00 -0400 X-Priority: 3 Mime-Version: 1.0 X-Mailer: Internet Mail Service (5.0.1459.10) Content-Type: text/plain Sender: firewalls-owner@GreatCircle.COM Precedence: bulk ...assuming all firewalls in the world parse all email including encrypted messages and block those messages with the offending phrase (btw, 'Multi Level' could easily refer to a network architecture, salary structure or tax code as well as marketing plan) .... additionally i would not assume that all members of the mailing list are behind firewalls to begin with... generally firewalls work well; however if you personally want to parse email into your shop, there are products available. the conclusion in your mail subject can't be fairly reached with the test you described. 
-k

______________________________ Reply Separator _________________________________
Subject: Firewalls don't work
Author: mjmccann@connect.ie [SMTP:mjmccann@connect.ie] at EXCHANGENA
Date: 8/5/97 8:36 AM

Wondering if Firewalls actually work, I decided to send an unsolicited E-mail to the Firewalls Mailing list with the words "Multi Level" in the text to clearly indicate a bulk mailing for an unsolicited product.

4 persons replied objecting (one even writing to my postmaster).

19 persons requested details of the product!

Back to the drawing boards and a new type of filters, boys and girls.

Kind regards
Michael

======================================
One single piece of good news brightens the darkest day.
Proverb
======================================

--
*******************************************************************************
Bear Stearns is not responsible for any recommendation, solicitation, offer or agreement or any information about any transaction, customer account or account activity contained in this communication.
*******************************************************************************

From owner-firewalls-outgoing Thu Aug 7 07:49:16 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id OAA10460 for firewalls-outgoing; Wed, 6 Aug 1997 14:06:45 -0700 (PDT)
Received: from xyzzy.plugh.edmonton.ab.ca (xyzzy.plugh.edmonton.ab.ca [198.161.22.2]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id OAA10385 for ; Wed, 6 Aug 1997 14:06:23 -0700 (PDT)
Received: (from uucp@localhost) by xyzzy.plugh.edmonton.ab.ca (8.6.12/8.6.9) id PAA05588; Wed, 6 Aug 1997 15:07:15 -0600
Received: from snouts-gw.obtuse.com(192.168.30.61), claiming to be "snouts.obtuse.com" via SMTP by mailhost.plugh.edmonton.ab.ca, id smtpda05586; Wed Aug 6 15:07:05 1997
Received: (from beck@localhost) by snouts.obtuse.com (8.7.5/8.7.3) id PAA15717; Wed, 6 Aug 1997 15:07:06 -0600
From: Bob Beck
Message-Id: <199708062107.PAA15717@snouts.obtuse.com>
Subject: Re: Mail bombing made legal...
To: remco@cal052204.student.utwente.nl (Remco van de Meent)
Date: Wed, 6 Aug 1997 15:07:04 -0600 (MDT)
Cc: firewalls@greatcircle.com
In-Reply-To: from "Remco van de Meent" at Aug 5, 97 07:13:27 pm
X-Mailer: ELM [version 2.4 PL25]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

If you're a little bit into walking on the edge, and running something Unixish, you can try an smtpd beta. Obtuse smtpd version 2.0 is in beta and supports anti-relaying as well as a number of interesting and effective ways to stop SPAM before you take it.

ftp://ftp.obtuse.com/pub/smtpd/beta/

Cheers,
-Bob

--
Bob Beck Obtuse Systems Corporation
beck@obtuse.com http://www.obtuse.com/
True Evil hides its real intentions in its street address.

From owner-firewalls-outgoing Thu Aug 7 07:54:01 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id HAA17900 for firewalls-outgoing; Thu, 7 Aug 1997 07:23:17 -0700 (PDT)
Received: from relay1.shore.net (relay1.shore.net [192.233.85.129]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id HAA17856 for ; Thu, 7 Aug 1997 07:22:55 -0700 (PDT)
Received: from [198.115.179.81] (vin.shore.net [198.115.179.81]) by relay1.shore.net (8.8.3/8.8.3) with ESMTP id KAA11581 for ; Thu, 7 Aug 1997 10:23:36 -0400 (EDT)
Message-Id:
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Thu, 7 Aug 1997 10:04:20 -0500
To: firewalls@greatcircle.com
From: Vin McLellan
Subject: Firewall Appliances
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Firewall appliance market takes off