Message-ID: <1145973154.26954.ezmlm@securityfocus.com>
Date: 25 Apr 2006 13:52:34 -0000
From: bugtraq-owner@...urityfocus.com
To: bugtraq@...mane.org
Subject: Returned post for bugtraq@...urityfocus.com

Hi! This is the ezmlm program. I'm managing the
bugtraq@...urityfocus.com mailing list.

I'm working for my owner, who can be reached
at bugtraq-owner@...urityfocus.com.

I'm sorry, your message (enclosed) was not accepted by the moderator.
If the moderator has made any comments, they are shown below.

>>>>> -------------------- >>>>>
Once again, good points, but I think if they don't get it by now,
there isn't much hope. ;)
<<<<< -------------------- <<<<<

Return-Path: <bugtraq@...mane.org>
Delivered-To: moderator for bugtraq@...urityfocus.com
Received: (qmail 22506 invoked from network); 22 Apr 2006 09:07:59 -0000
Received: from mail2.securityfocus.com (205.206.231.1)
  by lists2.securityfocus.com with SMTP; 22 Apr 2006 09:07:59 -0000
Received: (qmail 17398 invoked by alias); 22 Apr 2006 15:38:21 -0000
Received: (qmail 17394 invoked from network); 22 Apr 2006 15:38:21 -0000
Received: from main.gmane.org (80.91.229.2)
  by mail2.securityfocus.com with SMTP; 22 Apr 2006 15:38:21 -0000
Received: from main.gmane.org ([80.91.229.2]) by main.gmane.org
          via smtpd (for mail2.securityfocus.com [205.206.231.1]) with ESMTP; Sat, 22 Apr 2006 08:58:32 -0700
Received: from list by ciao.gmane.org with local (Exim 4.43)
	id 1FXKVf-000588-6b
	for bugtraq@...urityfocus.com; Sat, 22 Apr 2006 17:58:59 +0200
Received: from mail.artimi.com ([217.40.213.68])
        by main.gmane.org with esmtp (Gmexim 0.1 (Debian))
        id 1AlnuQ-0007hv-00
        for <bugtraq@...urityfocus.com>; Sat, 22 Apr 2006 17:58:59 +0200
Received: from davek_throwaway by mail.artimi.com with local (Gmexim 0.1 (Debian))
        id 1AlnuQ-0007hv-00
        for <bugtraq@...urityfocus.com>; Sat, 22 Apr 2006 17:58:59 +0200
X-Injected-Via-Gmane: http://gmane.org/
To: bugtraq@...urityfocus.com
From: "Dave \"No, not that one\" Korn" <davek_throwaway@...mail.com>
Subject:  Re: Re[2]: Bypassing ISA Server 2004 with IPv6
Date:  Sat, 22 Apr 2006 16:58:50 +0100
Lines: 58
Message-ID: <e2djrs$d4e$1@....gmane.org>
References:  <C06707F4.2E25%thor@...merofgod.com> <Pine.LNX.4.64.0604162312450.10665@...lla.de>
X-Complaints-To: usenet@....gmane.org
X-Gmane-NNTP-Posting-Host: mail.artimi.com
X-MSMail-Priority: Normal
X-Newsreader: Microsoft Outlook Express 6.00.2900.2869
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2869
X-RFC2646: Format=Flowed; Response
Sender: news <news@....gmane.org>

Christine Kronberg wrote:

>   No, I'm suggesting that the application should enable the local
>   administrator to configure that application. Configuring a firewall
>   is a bit more than setting a domain name. It must contain some
>   (preferably reasonable) filtering mechanisms.
>   From what is said so far this seems not to be possible. If that is
>   true, ISA is broken by design. We are talking about a firewall. A
>   firewall that cannot filter is not a firewall. Agreed?

  That's a false dichotomy.  ISA *can* "filter".  Your complaint is that it 
only filters some things and not others.  **IT IS NOT ISA SERVER'S JOB TO 
FILTER IPv6.**

>   Do you think the same applies to ipv4? I said "for what ever reason
>   ipv6 is enabled on ISA"

  IPv6 is not "enabled on ISA".  It may or may not be enabled **ON THE SAME 
MACHINE AS** an ISA installation, but that does not make it ISA's 
responsibility, nor wordpad's responsibility, nor sol.exe's responsibility.

>> ISA because the application does not prohibit a local administrator
>> from binding unsupported protocols to interfaces is simply
>> ludicrous. In fact, it
>
>   I still fail to see why an unsupported protocol goes through anyway.

  Then it is time that you got a deeper grasp of the OSI 7-layer stack 
model.

  Any firewall filters only the protocols that it understands.  If it blocks 
everything it does not recognize, it will cripple any other protocols that 
are understood by other networking subsystems.  It is necessary to provide 
filtering for EACH network protocol suite that you install on your computer.

>   Again: If that application is a firewall it's a must to be able to
>   filter. Anything else is not logical.

  Again:  It does filter.  Your mistake is assuming it must be universal. 
Please stop letting the orthographical similarity between "IPv4" and "IPv6" 
throw you off; reconsider what the entire discussion would have looked like 
if the problem was that ISA server filters IPv4 but does not filter Novell 
netware, and everyone told you "Well nobody should install netware on their 
server without also installing a netware firewall", and you said "Well, ISA 
server should be a netware firewall".  If it did so, netware wouldn't work 
when you installed it.

  ISA server is an IPv4 packet filter.  It does not understand any of the 
dozens of other protocol types that may arrive in an ethernet packet over 
the wire.  You seem to be convinced that to be a firewall it must understand 
all protocol types.

    cheers,
      DaveK
-- 
Can't think of a witty .sigline today.... 
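
Added example (not part of the original post, and not code from ISA Server or any product discussed): a coverage check that classifies Ethernet frames by EtherType and reports which ones a filter that understands only IPv4 would inspect. The FILTERED set, the function names and the sample frames are assumptions constructed for illustration.

```python
import struct

# EtherType values (IEEE-assigned) for the protocol families named in the thread.
ETHERTYPES = {0x0800: "IPv4", 0x0806: "ARP", 0x86DD: "IPv6", 0x8137: "IPX"}
VLAN_TAGS = {0x8100, 0x88A8}   # 802.1Q / 802.1ad tags precede the real EtherType
FILTERED = {"IPv4"}            # assumption: the only family the filter inspects


def l3_protocol(frame: bytes) -> str:
    """Return the layer-3 protocol family carried by one Ethernet frame."""
    if len(frame) < 14:
        return "truncated"
    offset = 12                # EtherType follows the two 6-byte MAC addresses
    (etype,) = struct.unpack_from("!H", frame, offset)
    while etype in VLAN_TAGS:  # skip any stacked VLAN tags (4 bytes each)
        offset += 4
        if len(frame) < offset + 2:
            return "truncated"
        (etype,) = struct.unpack_from("!H", frame, offset)
    if etype < 0x0600:         # below 0x0600 the field is an 802.3 length
        return "802.3/LLC"
    return ETHERTYPES.get(etype, f"unknown(0x{etype:04x})")


def coverage(frames):
    """Split frames into those the filter inspects and those it never sees."""
    report = {"inspected": [], "uninspected": []}
    for frame in frames:
        proto = l3_protocol(frame)
        key = "inspected" if proto in FILTERED else "uninspected"
        report[key].append(proto)
    return report


def sample_frame(etype: int, vlan: bool = False) -> bytes:
    """Build a constructed frame: zeroed MACs, optional VLAN tag, dummy payload."""
    tag = struct.pack("!HH", 0x8100, 10) if vlan else b""
    return bytes(12) + tag + struct.pack("!H", etype) + bytes(46)


# Constructed sample traffic, not captured from any real network.
SAMPLE = [sample_frame(0x0800), sample_frame(0x86DD), sample_frame(0x8137),
          sample_frame(0x86DD, vlan=True), sample_frame(0x0026), bytes(10)]

if __name__ == "__main__":
    for kind, protos in coverage(SAMPLE).items():
        print(kind, protos)
```

Every family listed under "uninspected" needs its own filtering on the host, or should not be bound to the interface at all.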



