Wonderful -- a change to default behavior that opens up lots of ports.
This is exactly the wrong direction to go in.
--Steve Bellovin, http://www.research.att.com/~smb
No kidding.
Another pet peeve of roughly the same category: when you enable IPv6,
telnet is automatically open to the world (using v6), even if you have
disabled v4 telnet with an access-list.
The vendor refused to believe this is a problem, so I'm waiting for v6
deployment to get really started before writing bugtraq.
Whether or not this is a problem is in the eye of the beholder, but from what I've seen, this is standard practice with any kind of packet filter. As far as I know, only hosts.allow-style tcp wrapping is agnostic about the IP version.
If you want to run a new protocol, you have to configure filters for it unless you want to go through life unfiltered. That's the way things work.
It's even worse with FreeBSD: if you firewall it to the teeth in v4 and disable v6 in the rc.conf, it will still run v6 with link-local addresses and allow access to the services that are filtered in v4.
So, with a cisco style vty acl how does one do both v4 and v6 filterage?
(not speaking as a v6 user)
* christopher.morrow@mci.com (Christopher L. Morrow) [Fri 09 Apr 2004, 23:53 CEST]:
So, with a cisco style vty acl how does one do both v4 and v6 filterage?
(not speaking as a v6 user)
!
line vty 0 4
access-class 1 in
ipv6 access-class v6telnet in
!
-- Niels.
so what was the original complaint about ipv6 and telnet then?
Bad FreeBSD, no cookie for FreeBSD. But if you don't need IPv6,
remove INET6 from your kernel config file; rc.conf is not the right
place to do it either.
- yann
Don't forget:
!
ipv6 access-list v6telnet
permit ipv6 3FFE:2500:310::/48 any
permit ipv6 2001:888:1DDE::/48 any
!
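One defender-side check for the gap this thread describes, as an added example that is not from the thread or from Cisco: a small Python audit over an IOS-style running config that flags vty stanzas carrying an IPv4 access-class but no ipv6 access-class while IPv6 is enabled, and access-classes that name ACLs the config never defines. The sample config and the "IPv6 enabled" heuristic are constructed assumptions.

```python
import re

# Constructed sample running-config (not from the thread): IPv6 is enabled, the
# first vty range is filtered for IPv4 only, the second for both address families.
SAMPLE_CONFIG = """\
ipv6 unicast-routing
access-list 1 permit 192.0.2.0 0.0.0.255
ipv6 access-list v6telnet
 permit ipv6 2001:db8:1::/48 any
line vty 0 4
 access-class 1 in
line vty 5 15
 access-class 1 in
 ipv6 access-class v6telnet in
"""

def parse_vty_blocks(config):
    """Map each 'line vty A B' stanza to its indented child lines."""
    blocks, current = {}, None
    for raw in config.splitlines():
        if raw.startswith("line vty"):
            current = raw.strip()
            blocks[current] = []
        elif raw[:1] in (" ", "\t") and current is not None:
            blocks[current].append(raw.strip())
        else:
            current = None  # any other top-level stanza ends the vty block
    return blocks

def defined_acls(config):
    """Names/numbers of the IPv4 and IPv6 ACLs defined in the config."""
    v4 = set(re.findall(r"^(?:ip access-list (?:standard|extended) |access-list )(\S+)", config, re.M))
    v6 = set(re.findall(r"^ipv6 access-list (\S+)", config, re.M))
    return v4, v6

def audit_vty(config):
    """Return (stanza, problem) pairs: vty lines with no ipv6 access-class while
    IPv6 is enabled, or an access-class that names an ACL the config never defines."""
    v6_enabled = re.search(r"^\s*ipv6 (unicast-routing|address)", config, re.M) is not None  # heuristic
    v4_acls, v6_acls = defined_acls(config)
    findings = []
    for stanza, lines in parse_vty_blocks(config).items():
        v4 = next((l.split()[1] for l in lines if l.startswith("access-class ")), None)
        v6 = next((l.split()[2] for l in lines if l.startswith("ipv6 access-class ")), None)
        if v6_enabled and v6 is None:
            findings.append((stanza, "IPv6 enabled but no ipv6 access-class: v6 sessions unfiltered"))
        for kw, name, acls in (("access-class", v4, v4_acls), ("ipv6 access-class", v6, v6_acls)):
            if name is not None and name not in acls:
                findings.append((stanza, f"{kw} {name} refers to an undefined ACL"))
    return findings
```

Run it against the output of `show running-config` saved to a file; only the first vty range in the sample is reported, which is exactly the configuration the thread warns about.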