[69389] in North American Network Operators' Group
Re: IOS 12.3(x) Strange service ports open on router
daemon@ATHENA.MIT.EDU (Iljitsch van Beijnum)
Fri Apr 9 17:32:59 2004
In-Reply-To: <Pine.LNX.4.44.0404092322430.26414-100000@netcore.fi>
Cc: "<nanog@merit.edu>" <nanog@merit.edu>
From: Iljitsch van Beijnum <iljitsch@muada.com>
Date: Fri, 9 Apr 2004 23:31:53 +0200
To: Pekka Savola <pekkas@netcore.fi>
Errors-To: owner-nanog-outgoing@merit.edu
On 9-apr-04, at 22:27, Pekka Savola wrote:
> Another pet peeve of roughly the same category: when you enable IPv6,
> telnet is automatically open to the world (using v6), even if you have
> disabled v4 telnet with an access-list.
> The vendor refused to believe this is a problem,
Whether or not this is a problem is in the eye of the beholder, but
from what I've seen, this is standard practice with any kind of packet
filter. As far as I know, only hosts.allow-style tcp wrapping is
agnostic about the IP version.
If you want to run a new protocol, you have to configure filters for it
unless you want to go through life unfiltered. That's the way things
work.
It's even worse with FreeBSD: if you firewall it to the teeth in v4 and
disable v6 in the rc.conf, it will still run v6 with link-local
addresses and allow access to the services that are filtered in v4.
