Firewall Wizards mailing list archives
Re: Firewall-Wizards Digest V1 #311
From: Chris Brenton <cbrenton () sover net>
Date: Thu, 03 Jun 1999 08:52:22 -0400
Ryan Russell wrote:
> Proxies can't do this without an extra shim of some sort,
Why not simply check the data field for the SR tag? A real proxy should be unable to forward traffic (source routed or not) without proxy intervention.
> FW-1 doesn't do it..
Actually, it does. It has dropped SR by default since 2.1b or so. I remember having to apply the patch. ;)
> Besides, you want to be able to configure that off in the OS, as another item on your hardening list to make it fail closed, or as closed as possible.
Agreed. Common practice is to remove SR support at the OS level whenever possible.

Cheers,
Chris
--
**************************************
cbrenton () sover net
* Multiprotocol Network Design & Troubleshooting
http://www.amazon.com/exec/obidos/ASIN/0782120822/geekspeaknet
* Mastering Network Security
http://www.amazon.com/exec/obidos/ASIN/0782123430/geekspeaknet
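Added example, not part of the original message and not code from any product named in the thread: a check that walks the IPv4 header options for a source-route option (LSRR, type 131, or SSRR, type 137, per RFC 791) and treats an unparsable header as a drop so that it fails closed. The function names and the sample headers are constructed for illustration.

```python
import struct

SOURCE_ROUTE_OPTS = {131: "LSRR", 137: "SSRR"}  # option types from RFC 791

def find_source_route(packet: bytes):
    """Return 'LSRR' or 'SSRR' if the IPv4 header carries one, else None.
    Raises ValueError on a malformed header so the caller can fail closed."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 header")
    hdr_len = (packet[0] & 0x0F) * 4
    if hdr_len < 20 or len(packet) < hdr_len:
        raise ValueError("bad header length")
    opts, i = packet[20:hdr_len], 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                      # End of Option List
            break
        if kind == 1:                      # No-Operation is a single byte
            i += 1
            continue
        if i + 1 >= len(opts):
            raise ValueError("option has no length byte")
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            raise ValueError("option length out of bounds")
        if kind in SOURCE_ROUTE_OPTS:
            return SOURCE_ROUTE_OPTS[kind]
        i += length
    return None

def should_drop(packet: bytes) -> bool:
    """Drop on any source-route option, and on headers that do not parse."""
    try:
        return find_source_route(packet) is not None
    except ValueError:
        return True

def sample_header(options: bytes = b"") -> bytes:
    """Constructed test header: documentation addresses, checksum left at zero."""
    options += b"\x00" * (-len(options) % 4)   # pad options to a 32-bit boundary
    ihl = 5 + len(options) // 4
    return struct.pack("!BBHHHBBH4s4s", 0x40 | ihl, 0, 20 + len(options), 0, 0,
                       64, 6, 0, bytes([192, 0, 2, 1]), bytes([198, 51, 100, 7])) + options

PLAIN = sample_header()
LSRR = sample_header(bytes([131, 7, 4, 203, 0, 113, 9]))
NOP_SSRR = sample_header(bytes([1, 137, 7, 4, 203, 0, 113, 9]))
BAD_LEN = sample_header(bytes([131, 40, 4]))   # length byte overruns the header
```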