Felipe Alfaro Solana wrote:
>
>
> Isn't this how humans learn? By making mistakes and learning
> from them? :)
>
Nah, not really.
They watch their brother or sister get burned by a hot stove and
decide maybe better not to find out for themselves.
They watch one of their playmates drown or get r
On Tue, Apr 28, 2009 at 8:35 AM, Claudio Jeker wrote:
> Did you ever check the security record of snort? It is at least as bad as
> wireshark's but it is sitting in the middle of your network passing
> packets. I couldn't sleep with such a system in my core.
> It is also a lot easier to bypass un
* Stuart Henderson [2009-04-28 12:08]:
> On 2009-04-28, Daniel Ouellet wrote:
> > Henning Brauer wrote:
> >> * Daniel Ouellet [2009-04-28 02:49]:
> >>> shut up! All are real and I even learn from Henning about the loss of
> >>> Queue here as well, which I haven't thought of then. So, loss of
Stuart Henderson wrote:
On 2009-04-28, Daniel Ouellet wrote:
Henning Brauer wrote:
* Daniel Ouellet [2009-04-28 02:49]:
shut up! All are real and I even learn from Henning about the loss of
Queue here as well, which I haven't thought of then. So, loss of queue,
means also loss of AltQ too
On 2009-04-28, Daniel Ouellet wrote:
> Henning Brauer wrote:
>> * Daniel Ouellet [2009-04-28 02:49]:
>>> shut up! All are real and I even learn from Henning about the loss of
>>> Queue here as well, which I haven't thought of then. So, loss of queue,
>>> means also loss of AltQ too.
>>
>> no
Now it makes sense.
Claudio Jeker wrote:
> but it is sitting in the middle of your network passing
> packets. I couldn't sleep with such a system in my core.
> It is also a lot easier to bypass unnoticed a bridging FW/IDS
> than a box
> that does actual routing.
THAT's why it is called a TRANSP
On Mon, Apr 27, 2009 at 11:20:07PM +0200, Felipe Alfaro Solana wrote:
> On Mon, Apr 27, 2009 at 8:11 PM, Ted Unangst wrote:
>
> > On Mon, Apr 27, 2009 at 10:25 AM, Felipe Alfaro Solana
> > wrote:
> > > Again, not a single or valid technical argument on why a bridging
> > firewall
> > > is a bad
Henning Brauer wrote:
* Daniel Ouellet [2009-04-28 02:49]:
shut up! All are real and I even learn from Henning about the loss of
Queue here as well, which I haven't thought of then. So, loss of queue,
means also loss of AltQ too.
no, this is not related to altq at all.
Thanks for the cor
* Daniel Ouellet [2009-04-28 02:49]:
> shut up! All are real and I even learn from Henning about the loss of
> Queue here as well, which I haven't thought of then. So, loss of queue,
> means also loss of AltQ too.
no, this is not related to altq at all.
--
Henning Brauer, h...@bsws.de, henn
Felipe Alfaro Solana wrote:
On Mon, Apr 27, 2009 at 8:11 PM, Ted Unangst wrote:
On Mon, Apr 27, 2009 at 10:25 AM, Felipe Alfaro Solana
wrote:
Again, not a single or valid technical argument on why a bridging
firewall
is a bad idea. Just a moot and offensive response, and a very
strong as
* Felipe Alfaro Solana [2009-04-28 02:08]:
> > > And again, I think you mean that running a bridge under OpenBSD is
> > perhaps
> > > not the fastest or brightest solution. And I trust you, But again, I have
> > > yet to hear a single technical argument on why running, for example,
> > Snort
> > >
On Mon, Apr 27, 2009 at 5:20 PM, Felipe Alfaro Solana
wrote:
> And again, I think you mean that running a bridge under OpenBSD is perhaps
> not the fastest or brightest solution. And I trust you, But again, I have
> yet to hear a single technical argument on why running, for example, Snort
> inlin
On Tue, Apr 28, 2009 at 1:29 AM, Fred Crowson
wrote:
> On 4/27/09, Felipe Alfaro Solana wrote:
> > On Mon, Apr 27, 2009 at 8:11 PM, Ted Unangst
> wrote:
> >
> >> On Mon, Apr 27, 2009 at 10:25 AM, Felipe Alfaro Solana
> >> wrote:
> >> > Again, not a single or valid technical argument on why a br
On Tue, Apr 28, 2009 at 1:16 AM, Robert wrote:
> On Mon, 27 Apr 2009 23:20:07 +0200
> Felipe Alfaro Solana wrote:
>
> > And again, I think you mean that running a bridge under OpenBSD is
> > perhaps not the fastest or brightest solution. And I trust you, But
> > again, I have yet to hear a singl
On 4/27/09, Felipe Alfaro Solana wrote:
> On Mon, Apr 27, 2009 at 8:11 PM, Ted Unangst wrote:
>
>> On Mon, Apr 27, 2009 at 10:25 AM, Felipe Alfaro Solana
>> wrote:
>> > Again, not a single or valid technical argument on why a bridging
>> firewall
>> > is a bad idea. Just a moot and offensive res
On Mon, 27 Apr 2009 23:20:07 +0200
Felipe Alfaro Solana wrote:
> And again, I think you mean that running a bridge under OpenBSD is
> perhaps not the fastest or brightest solution. And I trust you, But
> again, I have yet to hear a single technical argument on why running,
> for example, Snort in
On Mon, Apr 27, 2009 at 3:02 PM, openbsd misc wrote:
>> You can either read the code or listen to somebody who has. I don't
>> know you either, but I know Henning and I know the bridge code, and
>> the short version is he's right.
>>
>>
> Has anyone noticed
>
> That if you substitute Bible for c
On Mon, Apr 27, 2009 at 8:11 PM, Ted Unangst wrote:
> On Mon, Apr 27, 2009 at 10:25 AM, Felipe Alfaro Solana
> wrote:
> > Again, not a single or valid technical argument on why a bridging
> firewall
> > is a bad idea. Just a moot and offensive response, and a very
> > strong assessment from so
openbsd misc wrote:
>
> > You can either read the code or listen to somebody who has. I don't
> > know you either, but I know Henning and I know the bridge code, and
> > the short version is he's right.
> >
> >
> Has anyone noticed
>
> That if you substitute Bible for code, in the section quot
On Mon, Apr 27, 2009 at 3:02 PM, openbsd misc wrote:
>> You can either read the code or listen to somebody who has. I don't
>> know you either, but I know Henning and I know the bridge code, and
>> the short version is he's right.
>>
>>
> Has anyone noticed
>
> That if you substitute Bible for c
> You can either read the code or listen to somebody who has. I don't
> know you either, but I know Henning and I know the bridge code, and
> the short version is he's right.
>
>
Has anyone noticed
That if you substitute Bible for code, in the section quoted above,
it's like listening to someone
On Mon, Apr 27, 2009 at 10:25 AM, Felipe Alfaro Solana
wrote:
> Again, not a single or valid technical argument on why a bridging firewall
> is a bad idea. Just a moot and offensive response, and a very
> strong assessment from someone that doesn't know me at all. It's also very
> sad to see so
On Sun, 26 Apr 2009, bofh wrote:
Anyone who puts in an inline IDS is a damned idiot. D stands for
detection, so you should always use a tap or something else. Only IPS
should be inline.
I know of inline IDS systems that work, but they're custom hardware
solutions running on FPGA based cards,
On Sun, 26 Apr 2009, Felipe Alfaro Solana wrote:
SNIP
Really? What's wrong with transparent bridging? What's wrong with a
transparent, in-line IDS? What's wrong with a software tap? All of these
technologies use some sort of transparent bridging and are not being used
exclusively by idiots, but a
-2006_str22-33_snort_EN.pdf
and not a pure bridge, as described in the links you sent.
>
> Best,
> Marcello
>
> - Original Message - From: "Daniel Ouellet"
> To: "Openbsd-Misc"
> Sent: Monday, April 27, 2009 12:10 AM
> Subject: Re: Transpa
On Mon, Apr 27, 2009 at 1:00 PM, Henning Brauer wrote:
> * Felipe Alfaro Solana [2009-04-27 11:56]:
> > For a two-interface router/firewall, most of the traffic that reaches it
> > will probably have to traverse it anyways, so I don't see how a
> > two-interface bridge or a two-interface router w
/technology/handbook/Bridging-Basics.html
Best,
Marcello
- Original Message -
From: "Daniel Ouellet"
To: "Openbsd-Misc"
Sent: Monday, April 27, 2009 12:10 AM
Subject: Re: Transparent firewall (bridge) with DMZ + LAN
patrick keshishian wrote:
On Sun, Apr 26, 2009 at
* Felipe Alfaro Solana [2009-04-27 11:56]:
> For a two-interface router/firewall, most of the traffic that reaches it
> will probably have to traverse it anyways, so I don't see how a
> two-interface bridge or a two-interface router will have different
> workloads.
it has been pointed out, but if
On Mon, Apr 27, 2009 at 5:10 AM, Daniel Ouellet wrote:
> patrick keshishian wrote:
>
>> On Sun, Apr 26, 2009 at 4:10 PM, bofh wrote:
>>
>>> It's called going off on a related tangent - whenever I hear people
>>> talking about using something because someone has published a paper
>>> and here's a
Felipe Alfaro Solana wrote:
On Mon, Apr 27, 2009 at 1:10 AM, bofh wrote:
People use it because they have a need to do something. When you're
told there's a better way to do things, pay attention,
Still no arguments on why idiots use transparent firewalls. Good to know.
Just read up on.. fo
* Henning Brauer [2009-04-27 10:00]:
> "transparent" firewalls are beyond stupid.
and, btw, I love that idiotic term.
what is a transparent firewall?
is it transparent? then it cannot be a firewall.
is it a firewall? then it cannot be transparent.
how is dropping packets (or even sending sth back
* FRLinux [2009-04-27 09:05]:
> On Mon, Apr 27, 2009 at 4:10 AM, Daniel Ouellet wrote:
> > The bright people that did the code said it wasn't good to do so. The normal
> > operations of such a setup need more resources from the same box to do the
> > same things, showing in practice that it's no
* Felipe Alfaro Solana [2009-04-26 20:37]:
> On Sat, Apr 25, 2009 at 3:57 PM, Henning Brauer wrote:
>
> > * openbsder [2009-04-24 12:19]:
> > > Recently, it has been suggested that a transparent firewall
> > implementation
> > > is ideal where possible. But as far as I understand, transparency i
On Mon, Apr 27, 2009 at 4:10 AM, Daniel Ouellet wrote:
> The bright people that did the code said it wasn't good to do so. The normal
> operations of such a setup need more resources from the same box to do the
> same things, showing in practice that it's not the most efficient way to do
> so wit
patrick keshishian wrote:
On Sun, Apr 26, 2009 at 4:10 PM, bofh wrote:
It's called going off on a related tangent - whenever I hear people
talking about using something because someone has published a paper
and here's all these smart people using it (transparent bridging, etc,
or in my case nat
On Sun, Apr 26, 2009 at 4:10 PM, bofh wrote:
> It's called going off on a related tangent - whenever I hear people
> talking about using something because someone has published a paper
> and here's all these smart people using it (transparent bridging, etc,
> or in my case natting externally acces
bofh wrote:
> ... When you're
> told there's a better way to do things, pay attention, instead of
> telling the experts here (and I'm talking about the openbsd developers
> in this thread - not me, I'm in management now, no brain cells left)
... old age is my excuse ... but it pays to pay attentiio
On Mon, Apr 27, 2009 at 1:10 AM, bofh wrote:
> It's called going off on a related tangent - whenever I hear people
> talking about using something because someone has published a paper
> and here's all these smart people using it (transparent bridging, etc,
> or in my case natting externally acce
It's called going off on a related tangent - whenever I hear people
talking about using something because someone has published a paper
and here's all these smart people using it (transparent bridging, etc,
or in my case natting externally accessible/routable hosts), it pisses
me off.
People use i
On Sun, Apr 26, 2009 at 9:21 PM, bofh wrote:
> Anyone who puts in an inline IDS is a damned idiot. D stands for
> detection, so you should always use a tap or something else. Only IPS
> should be inline.
You should provide arguments, not empty words. At least, if you are calling
people idiot.
Anyone who puts in an inline IDS is a damned idiot. D stands for
detection, so you should always use a tap or something else. Only IPS
should be inline.
You obviously do not know what you're talking about. Things like NAT
have their uses too, but people who design networks including DMZs and
net
On Sun, April 26, 2009 08:01, FRLinux wrote:
> On Sun, Apr 26, 2009 at 1:39 AM, Daniel Ouellet
> wrote:
>> But he is suggesting to avoid it at any cost when possible.
>
> Sorry but I do not understand why?
>
> Cheers,
> Steph
me too. really curious about this.
matheus
--
We will call you cygnus
On Sat, Apr 25, 2009 at 3:57 PM, Henning Brauer wrote:
> * openbsder [2009-04-24 12:19]:
> > Recently, it has been suggested that a transparent firewall
> implementation
> > is ideal where possible. But as far as I understand, transparency is only
> > available when the firewall acts as a bridge
On Sun, Apr 26, 2009 at 1:39 AM, Daniel Ouellet wrote:
> But he is suggesting to avoid it at any cost when possible.
Sorry but I do not understand why?
Cheers,
Steph
FRLinux wrote:
On Sat, Apr 25, 2009 at 2:57 PM, Henning Brauer wrote:
bridging is stupid. don't. there are cases where you can't avoid it,
but deliberately? about as clever as knowingly drinking methanol.
Hello Henning,
Sorry for asking, but just to make sure I understand your statement,
do
On Sat, Apr 25, 2009 at 2:57 PM, Henning Brauer wrote:
> bridging is stupid. don't. there are cases where you can't avoid it,
> but deliberately? about as clever as knowingly drinking methanol.
Hello Henning,
Sorry for asking, but just to make sure I understand your statement,
do you mean, bridg
* openbsder [2009-04-24 12:19]:
> Recently, it has been suggested that a transparent firewall implementation
> is ideal where possible. But as far as I understand, transparency is only
> available when the firewall acts as a bridge between TWO networks. How would
> I keep my DMZ and LAN both while
Sorry for the confusion. I understand that bridging is possible under
OpenBSD but it's also my understanding that if I have interfaces A, B, and
C, I can bridge A to either B or C, but not both. Is this correct?
Referring to this topology:
http://upload.wikimedia.org/wikipedia/commons/6/6f/DMZ_net
On Fri, Apr 24, 2009 at 12:12 PM, openbsder wrote:
> I am currently interested in setting up a three-legged network topology,
> using OBSD+PF as the firewall appliance. Originally, I was going to simply
> have the firewall equipped with three network cards: one for DMZ, one for
> LAN, the other f
I am currently interested in setting up a three-legged network topology,
using OBSD+PF as the firewall appliance. Originally, I was going to simply
have the firewall equipped with three network cards: one for DMZ, one for
LAN, the other for EXT/WAN/Internet (whatever you call this). The idea was
fo
I'm currently interested in setting up a three-legged network, using OBSD+PF
as the firewall. Originally, I had jus