On Wed, 25 Apr 2007 23:56:50 +0200 Joachim Schipper <[EMAIL PROTECTED]> wrote:

> On Wed, Apr 25, 2007 at 10:40:45PM +0200, Timo Schoeler wrote:
> > On Wed, 25 Apr 2007 20:19:42 +0000 (UTC)
> > Tobias Weingartner <[EMAIL PROTECTED]> wrote:
> >
> > > Chad M Stewart wrote:
> > > > On Apr 25, 2007, at 11:05 AM, Allen Theobald wrote:
> > > >
> > > > > pass in inet proto icmp all icmp-type $icmp_types keep state
> > > >
> > > > This can be used as a covert communication channel. Allowing
> > > > internal IPs to send/receive ping is bad.
> > >
> > > Bull. Not allowing ICMP is just as bad. Worse actually, as you
> > > are violating RFCs. Quit spreading this FUD.
> >
> > hi,
> >
> > actually, me thinks the same about allowing/denying ICMP as you,
> > tobias. however, we recently had a CCIE/NSA certified blahblah guy
> > in our company, tuning our, err, Cizcoooeee equipment.
> >
> > guess what he did -- he violated 'the RFCs'.
> >
> > unfortunately, i wasn't able to find them on the net. do you have
> > them handy? i'm very curious about that :)
>
> In general, though, it will almost always be possible to get data
> in/out of the network. IP-over-DNS comes to mind. If this particular
> vector is used by a widely deployed worm, it might be worth it; but
> otherwise, just ignore it.

yeah, i know -- that's why i watched him doing in my typical skeptical way...

> Do you intend to ask where 'the RFCs' are? (If so, www.ietf.org is a
> good choice.) Or in what RFC this particular requirement is? (No real
> idea...)

the latter one...

> Joachim
>
> --
> TFMotD: kadmin (8) - Kerberos administration utility

timo
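A defender-side check on the covert-channel point argued in the thread, added here as an example that is not part of the original mail: a small Python heuristic that looks at echo-request payloads per source host and flags the ones that do not behave like ping(8). It assumes ping(8)'s default payload layout (8-byte timestamp followed by the 0x08..0x37 filler pattern); the records, addresses, thresholds and the "tunnelled" payload are all constructed for the demonstration.

```python
"""Flag hosts whose ICMP echo requests do not look like ordinary ping(8) traffic.
All sample records below are constructed; no real capture is involved."""
from collections import defaultdict

# Assumption: default ping(8) sends an 8-byte timestamp followed by this 48-byte filler.
PING_FILLER = bytes(range(0x08, 0x38))
MAX_DISTINCT_BODIES = 1    # ordinary ping repeats the same filler in every packet
MAX_PAYLOAD = 64           # default ping payload is 56 bytes; much larger is unusual


def ping_payload(seq):
    """Constructed payload resembling a default ping(8) echo request."""
    return seq.to_bytes(8, "big") + PING_FILLER


def tunnel_payload(seq):
    """Constructed payload carrying data in the filler, the shape a covert channel would have.
    This is sample data for the detector, not any real tool's format."""
    return seq.to_bytes(8, "big") + (b"file-part-%02d" % seq).ljust(48, b"\0")


# (src, dst, icmp-type, payload): constructed records for three internal hosts
RECORDS = [("10.0.0.5", "192.0.2.1", "echoreq", ping_payload(i)) for i in range(10)]
RECORDS += [("10.0.0.9", "198.51.100.7", "echoreq", tunnel_payload(i)) for i in range(10)]
RECORDS += [("10.0.0.12", "192.0.2.1", "echoreq", ping_payload(3) + b"A" * 1400)]


def analyse(records):
    """Return {src: [reasons]} for hosts whose echo requests deviate from ping(8) behaviour."""
    bodies = defaultdict(set)      # payload bodies seen per source, timestamp stripped
    oversized = defaultdict(int)   # count of echo requests above MAX_PAYLOAD per source
    for src, _dst, itype, payload in records:
        if itype != "echoreq":
            continue
        bodies[src].add(payload[8:])   # the timestamp legitimately varies; the body should not
        if len(payload) > MAX_PAYLOAD:
            oversized[src] += 1
    findings = {}
    for src, seen in bodies.items():
        reasons = []
        if len(seen) > MAX_DISTINCT_BODIES:
            reasons.append("%d distinct payload bodies" % len(seen))
        if oversized[src]:
            reasons.append("%d oversized echo requests" % oversized[src])
        if reasons:
            findings[src] = reasons
    return findings


if __name__ == "__main__":
    for host, reasons in analyse(RECORDS).items():
        print(host, "->", "; ".join(reasons))
```

Real deployments would feed this from pflog or a packet capture and tune the thresholds to the local ping implementations, since the filler pattern and default sizes differ between operating systems.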