On Wed, 2005-03-02 at 07:13 -0600, Quantum Scientific wrote:
>On Wednesday 02 March 2005 1:21, Elliott Mitchell wrote:
>> From: Quantum Scientific <Info@xxxxxxxxxxxxxxx>
>> > On Tuesday 01 March 2005 19:19, Elliott Mitchell wrote:
<SNIP>
>You're not listening. You must be a Republican.
Very technical.
>Of course, there's the guy who's asking how to subvert packets before they get
>to ip6tables processing... anybody else wonder why he wants that? Notice
>there's no real answer? He really knows what he's doing, and can't get
>through ip6tables. This will be instructive to most.
Which guy is asking this? Everybody knows, at least when you are a bit into
kernel programming, that you can do this at a couple of levels, and all
of these are inside the kernel (driver, network layers) + hardware and
of course the cable itself.
>
>> Patching is of much greater importance than even the best of firewalls.
>...
>> A system without a firewall, but secure software is safe. A system with
>> a firewall, but insecure software is unsafe.
>
>Although updating is important, the above are nutty ideas. Your membership in
>the Flat Earth Society(tm) is confirmed. Your salary will henceforth be paid
>in Confederate dollars, your medical insurance revoked (it's socialist), and
>your retirement invested in the stock market. Remember: "War is peace.
>Freedom is slavery. Ignorance is strength."
> {goes to rent Fahrenheit 451 and The Handmaid's Tale}
Whee, free money! :)
>
>> There could be a buffer overflow in the device driver. There could be an
>> overflow in code between the driver and the netfilter code. These two places
>> are unlikely as they're constructed carefully, but it could happen. You could
>> also have a hole in your system log handling software which could be
>> triggered through the above firewall. Been a while since the last one,
>> but such holes have been found before, and that area doesn't tend to get
>> as much scrutiny as the kernel.
>
>In order for a buffer overflow to be of use to an attacker, he must be able to
>instigate it, and inject his own code... when was the last time you've heard
>of a NIC driver sploit? Who's going to work for weeks on this, when there
>are thousands of machines like yours out there, only filtering SYN.
What is bad with filtering SYN?
>These
>are not risks for a properly firewalled machine.
Ever run a PIX or FW1? Ask them how nice it was when they learned
about the magic of fragments and the nice ways you can circumvent them.
Good that we don't have IP fragments anymore now. Still keeps TCP
fragments though.
Ever heard about tunneling over DNS and many other ways of circumventing
firewalls? Ever read Full-Disclosure, ever been to a security
conference, read a good security paper? I'd suggest you do so.
Computers are not like houses, then again, maybe you can compare a
firewall to a lock that you can open with a crowbar ;)
> I'm getting the idea you
>have this opinion because you had constructed a poor firewall and been
>compromised. This is why I wish Shorewall would take up the mantle.
I don't even use firewalling, except for dropping sources that should
not exist in the first place.
Then again my apps nicely behave on the correct ports and interfaces :)
>Elliott, I've been hoping you are sincere in this discussion, but it now
>appears you are just trolling. I've had enough of you.
>
>Carl Cook
Very nice to call someone a troll when you are named "Cook" :)
Really, personal attacks and trying to insult people don't help your
non-technical arguments. Btw, where are the 'back-comments' about me?
Everybody knows that IPv6 is still in development, accept that, it will
come, but it is not here today. Puncto.
Greets,
Jeroen
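As an added illustration of the one kind of filtering Jeroen says he does keep, dropping sources that should not exist, here is a small script that generates ip6tables rules for that purpose. This is editor-added example code, not anything posted in the thread and not part of the netfilter project; the interface name eth0 and the short prefix list are assumptions made for the example.

```shell
#!/bin/sh
# Editor-added example, not code from the thread or from the netfilter project.
# Generates ip6tables rules that drop packets arriving on the Internet-facing
# interface with a source address that can never be legitimate there.
# Assumptions: the interface is named eth0 (override with WAN_IF=...), and the
# prefix list below is a short constructed illustration, not a maintained bogon list.

WAN_IF="${WAN_IF:-eth0}"

# Source prefixes that should never be seen as a sender on a WAN link:
# loopback, IPv4-mapped, documentation prefix, unique local, and multicast.
# Deliberately NOT listed: ::/128 (used as the source of duplicate-address
# detection) and fe80::/10 (neighbour discovery and router advertisements),
# because dropping those breaks IPv6 on the link itself.
bogon_sources() {
    cat <<'EOF'
::1/128
::ffff:0:0/96
2001:db8::/32
fc00::/7
ff00::/8
EOF
}

# Print the ip6tables commands instead of running them, so they can be reviewed.
gen_rules() {
    # One chain that logs (rate-limited) and then drops, so hits show up in syslog.
    printf 'ip6tables -N BOGON_SRC\n'
    printf 'ip6tables -A BOGON_SRC -m limit --limit 5/min -j LOG --log-prefix "bogon-src: "\n'
    printf 'ip6tables -A BOGON_SRC -j DROP\n'
    # Send matching sources from the WAN interface to that chain,
    # for both locally delivered and forwarded traffic.
    bogon_sources | while read -r prefix; do
        printf 'ip6tables -A INPUT -i %s -s %s -j BOGON_SRC\n' "$WAN_IF" "$prefix"
        printf 'ip6tables -A FORWARD -i %s -s %s -j BOGON_SRC\n' "$WAN_IF" "$prefix"
    done
}

# Number of filter rules that will be installed (one per prefix per chain).
rule_count() {
    gen_rules | grep -c -- '-j BOGON_SRC$'
}

# Apply the rules for real; needs root and the ip6tables binary.
apply_rules() {
    gen_rules | sh -e
}

case "${1:-}" in
    apply) apply_rules ;;
    *)     gen_rules ;;
esac
```

Without arguments the script only prints the rules, so they can be read before anything touches the running firewall; `apply` executes them. The two prefixes left out of the list are the part worth noting: the unspecified address and link-local space do arrive as source addresses on a normal link (duplicate address detection, neighbour discovery, router advertisements), so a "should not exist" list that includes them quietly breaks IPv6 on that interface. A production list should come from a maintained bogon source rather than this hand-written one.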