Re: Firewall-Wizards Digest V1 #311
Chris Brenton (cbrenton sover.net)
Thu, 03 Jun 1999 08:52:22 -0400
- Next message: Paul D. Robertson: "Re: Firewall RISKS"
- Previous message: Ge' Weijers: "Re: Anybody have a clue why..."
- In reply to: Will Kempf: "Anybody have a clue why..."
- Next in thread: Kevin Steves: "Re: Firewall-Wizards Digest V1 #311"
- Reply: Kevin Steves: "Re: Firewall-Wizards Digest V1 #311"
Ryan Russell wrote:
>
> Proxies can't do this without an extra shim of some sort,
Why not simply check the data field for the SR tag? A real proxy should
be unable to forward traffic (source routed or not) without proxy
intervention.
> FW-1 doesn't do it..
Actually, it does. It has dropped SR by default since 2.1b or so. I
remember having to apply the patch. ;)
> Besides, you want to be able to configure that off
> in the OS, as another item on your hardening list to make
> it fail closed, or as closed as possible.
Agreed. Common practice is to remove SR support at the OS level whenever
possible.
Cheers,
Chris
--
************************************** cbrentonsover.net
* Multiprotocol Network Design & Troubleshooting
http://www.amazon.com/exec/obidos/ASIN/0782120822/geekspeaknet
* Mastering Network Security
http://www.amazon.com/exec/obidos/ASIN/0782123430/geekspeaknet
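
The check discussed in this message (look for the source-route marker and refuse to forward the packet), as an added example that is not part of the original post or of any product named in it. It assumes raw IPv4 headers and the RFC 791 option types for loose and strict source routing (131 and 137); the function names and sample packets are constructed for illustration, and dropping on malformed options is a fail-closed design choice made here.

```python
import struct

# IPv4 option types from RFC 791 (copied flag | class | number)
OPT_EOL, OPT_NOP = 0, 1
SOURCE_ROUTE_OPTS = {131: "LSRR", 137: "SSRR"}

def source_route_verdict(packet: bytes):
    """Return ("drop", reason) or ("pass", None) for a raw IPv4 packet."""
    if len(packet) < 20:
        return ("drop", "truncated header")
    version, ihl = packet[0] >> 4, (packet[0] & 0x0F) * 4
    if version != 4 or ihl < 20 or ihl > len(packet):
        return ("drop", "bad version or header length")
    opts = packet[20:ihl]            # options sit between byte 20 and IHL
    i = 0
    while i < len(opts):
        kind = opts[i]
        if kind == OPT_EOL:          # end of option list
            break
        if kind == OPT_NOP:          # single-byte padding option
            i += 1
            continue
        if i + 1 >= len(opts):
            return ("drop", "option missing length byte")
        length = opts[i + 1]
        # Fail closed: a bad length could hide an option from the walker.
        if length < 2 or i + length > len(opts):
            return ("drop", "malformed option length")
        if kind in SOURCE_ROUTE_OPTS:
            return ("drop", SOURCE_ROUTE_OPTS[kind])
        i += length
    return ("pass", None)

def build_packet(options: bytes = b"") -> bytes:
    """Constructed sample: minimal IPv4 header (checksum left 0) plus options."""
    options += b"\x00" * (-len(options) % 4)   # pad to a 32-bit boundary
    ihl = (20 + len(options)) // 4
    hdr = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, 20 + len(options),
                      0, 0, 64, 6, 0,
                      bytes([192, 0, 2, 1]), bytes([198, 51, 100, 7]))
    return hdr + options

if __name__ == "__main__":
    lsrr = bytes([131, 7, 4, 10, 0, 0, 1])     # type, length, pointer, one hop
    for name, pkt in [("plain", build_packet()), ("lsrr", build_packet(lsrr))]:
        print(name, source_route_verdict(pkt))
```
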
This archive was generated by hypermail 2.0b3 on Sat Jul 17 1999 - 07:18:59 CDT