From: Terry Lambert
Subject: Re: problem using 3 x znyx314 cards for 12 de ethernets
To: rotel@indigo.ie
Date: Sun, 20 Sep 1998 09:11:00 +0000 (GMT)
Cc: tlambert@primenet.com, sthaug@nethelp.no, hackers@FreeBSD.ORG, questions@FreeBSD.ORG
Message-Id: <199809200911.CAA12904@usr06.primenet.com>
In-Reply-To: <199809200032.BAA05064@indigo.ie> from "Niall Smart" at Sep 20, 98 01:32:23 am

> I'm not familiar with the orange book in any detail but suspect C2
> hardening would be of little more use than providing a checkbox in
> a feature list; seeing C2 Solaris rooted by a standard exploit
> doesn't exactly engender confidence in the level of real-world security
> required for certification.

You are complaining about a certification issued as the result of a
bogus audit. This is a different problem.

> > Otherwise, griping about something that will never happen given a
> > correctly configured firewall, and which "fixing" will break a
> > behaviour that is universally known to be useful, seems a bit
> > counter-productive.
>
> It's unfortunate that useful and well-known features are often both
> insecure and achievable through secure means. :)

You mean "unachievable", right?

> How about a compromise - no replies to broadcast pings from outside
> the host's subnet by default?

The IP stack should have discarded these before they got to that
point, since that is the point of a subnet mask. If this isn't
happening, then I agree that there's a bug, but it's in this area, and
not in the area of whether or not broadcast pings should be replied to
at all.

Terry Lambert
terry@lambert.org
---
Any opinions in this posting are my own and not those of my present
or previous employers.
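The subnet-mask check Terry describes, written out as a small classifier for incoming echo requests. This is an added illustration, not code from the thread or from FreeBSD's IP stack: it takes a packet's source and destination together with the receiving interface's address and mask, decides whether the destination is a broadcast for that subnet, and, if so, whether the source actually lies inside the subnet. The `classify_echo` and `classify_str` names, the verdict enum and the addresses (RFC 5737 documentation ranges) are all constructed for the example. Note the limit of the check: a source address forged to look on-subnet passes it, so it complements, rather than replaces, ingress filtering at the firewall.

```c
#include <stdint.h>
#include <stdio.h>
#include <sys/socket.h>
#include <arpa/inet.h>   /* inet_pton, ntohl */

/* Verdict for an ICMP echo request that may be addressed to a broadcast. */
enum bcast_verdict {
    BCAST_NOT_BROADCAST,    /* unicast destination: normal reply path */
    BCAST_REPLY,            /* broadcast for our subnet, source on-subnet */
    BCAST_DROP_OFF_SUBNET   /* broadcast for our subnet, source off-subnet */
};

/* Parse a dotted quad into a host-order 32-bit value (0 on bad input). */
static uint32_t ip4(const char *s)
{
    struct in_addr a;
    if (inet_pton(AF_INET, s, &a) != 1)
        return 0;
    return ntohl(a.s_addr);
}

/*
 * Decide what to do with an echo request received on an interface
 * configured as ifaddr/mask. Hypothetical helper, not a kernel API.
 */
enum bcast_verdict classify_echo(uint32_t src, uint32_t dst,
                                 uint32_t ifaddr, uint32_t mask)
{
    uint32_t net = ifaddr & mask;            /* our network prefix */
    uint32_t dir_bcast = net | ~mask;        /* our directed broadcast */

    /* Limited broadcast (255.255.255.255) is never forwarded by routers,
     * so it is held to the same on-subnet source rule as the directed one. */
    int is_bcast = (dst == 0xFFFFFFFFu) || (dst == dir_bcast);
    if (!is_bcast)
        return BCAST_NOT_BROADCAST;

    /* The point of the mask: a source outside net/mask has no business
     * reaching our broadcast address, so the stack should discard it. */
    if ((src & mask) != net)
        return BCAST_DROP_OFF_SUBNET;

    return BCAST_REPLY;
}

/* Convenience wrapper taking dotted quads, used by main() and the checks. */
enum bcast_verdict classify_str(const char *src, const char *dst,
                                const char *ifaddr, const char *mask)
{
    return classify_echo(ip4(src), ip4(dst), ip4(ifaddr), ip4(mask));
}

int main(void)
{
    /* Constructed sample: interface 192.0.2.1/24 receiving four requests. */
    static const char *samples[][2] = {
        { "192.0.2.10",   "192.0.2.255"     },  /* neighbour, directed bcast */
        { "198.51.100.7", "192.0.2.255"     },  /* off-subnet, directed bcast */
        { "198.51.100.7", "192.0.2.1"       },  /* off-subnet, plain unicast */
        { "198.51.100.7", "255.255.255.255" },  /* off-subnet, limited bcast */
    };
    static const char *names[] = { "not-broadcast", "reply", "drop-off-subnet" };
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        enum bcast_verdict v = classify_str(samples[i][0], samples[i][1],
                                            "192.0.2.1", "255.255.255.0");
        printf("%-14s -> %-16s : %s\n", samples[i][0], samples[i][1], names[v]);
    }
    return 0;
}
```

Run as-is it prints one verdict per sample; the two off-subnet broadcast requests are the ones a stack honouring the mask should never answer, and the unicast request from outside the subnet is untouched by this check.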