Date: Sun, 20 Sep 1998 09:11:00 +0000 (GMT) From: Terry Lambert <tlambert@primenet.com> To: rotel@indigo.ie Cc: tlambert@primenet.com, sthaug@nethelp.no, hackers@FreeBSD.ORG, questions@FreeBSD.ORG Subject: Re: problem using 3 x znyx314 cards for 12 de ethernets Message-ID: <199809200911.CAA12904@usr06.primenet.com> In-Reply-To: <199809200032.BAA05064@indigo.ie> from "Niall Smart" at Sep 20, 98 01:32:23 am
next in thread | previous in thread | raw e-mail | index | archive | help
> I'm not familiar with the orange book in any detail but suspect C2 > hardening would be of little more use than providing a checkbox in > a feature list; seeing C2 Solaris rooted by a standard exploit > doesn't exactly engender confidence in the level of real-world security > required for certification. You are complaining about a certification issued as the result of a bogus audit. This is a different problem. > > Otherwise, > > griping about something that will never happen given a correctly > > configured firewall, and which "fixing" will break a behaviour that > > is universally known to be useful, seems a bit counter-productive. > > Its unfortunate that useful and well-known features are often both > insecure and acheiveable through secure means. :) You mean "unachievable", right? > How about a compromise - no replies to broadcast ping's from outside > the hosts subnet by default? The IP stack should have discarded these before they got to that point, since that is the point of a subnet mask. If this isn't happening, then I agree that there's a bug, but it's in this area, and not in the area of whether or not broadcast pings should be replied to at all. Terry Lambert terry@lambert.org --- Any opinions in this posting are my own and not those of my present or previous employers. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-hackers" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?199809200911.CAA12904>