[69394] in North American Network Operators' Group
Re: IOS 12.3(x) Strange service ports open on router
daemon@ATHENA.MIT.EDU (Yann Berthier)
Fri Apr 9 18:19:00 2004
Date: Sat, 10 Apr 2004 00:16:35 +0200
From: Yann Berthier <yb@sainte-barbe.org>
To: nanog@merit.edu
In-Reply-To: <51D1F50F-8A6D-11D8-8702-000A95CD987A@muada.com>
Errors-To: owner-nanog-outgoing@merit.edu
On Fri, 09 Apr 2004, Iljitsch van Beijnum wrote:
>
> On 9-apr-04, at 22:27, Pekka Savola wrote:
>
> >Another pet peeve of roughly the same category: when you enable IPv6,
> >telnet is automatically open to the world (using v6), even if you have
> >disabled v4 telnet with an access-list.
>
> >The vendor refused to believe this is a problem,
>
> Whether or not this is a problem is in the eye of the beholder, but
> from what I've seen, this is standard practice with any kind of packet
> filter. As far as I know, only hosts.allow-style tcp wrapping is
> agnostic about the IP version.
>
> If you want to run a new protocol, you have to configure filters for it
> unless you want to go through life unfiltered. That's the way things
> work.
>
> It's even worse with FreeBSD: if you firewall it to the teeth in v4 and
> disable v6 in the rc.conf, it will still run v6 with link-local
> addresses and allow access to the services that are filtered in v4.
Bad FreeBSD, no cookie for FreeBSD :) But if you don't need IPv6,
remove INET6 from your kernel config file; rc.conf is not the right
place to do it either.
- yann
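The IOS behaviour Pekka describes above (a v4 access-class on the vty lines says nothing about v6 sessions, so enabling IPv6 opens telnet to any v6 source) is shown below as an added example; it is not part of the original thread. The "before" fragment is the common configuration that looks locked down but is not; the "after" fragment adds the per-address-family filter. The ACL names MGMT-V4 and MGMT-V6, the documentation prefixes 192.0.2.0/24 and 2001:db8:100::/48, and the choice to allow only SSH are assumptions for illustration.

```cisco
! ---- BEFORE: looks filtered, but only for IPv4 ----
! This standard ACL is applied to the vty lines below. It matches IPv4
! sources only; it is never consulted for an IPv6 connection.
ip access-list standard MGMT-V4
 permit 192.0.2.0 0.0.0.255
 deny   any log
!
! Turning on IPv6 anywhere on the box makes the vty reachable over v6,
! and nothing here restricts that.
ipv6 unicast-routing
!
interface GigabitEthernet0/0
 ip address 192.0.2.1 255.255.255.0
 ipv6 address 2001:db8:100::1/64
!
line vty 0 4
 access-class MGMT-V4 in
 transport input telnet ssh
!
! ---- AFTER: one filter per address family on the vty lines ----
! IPv6 ACLs are a separate object type; for access-class only the
! source address matters, so the destination is left as "any".
! (Names and prefixes below are illustrative assumptions.)
ipv6 access-list MGMT-V6
 permit tcp 2001:db8:100::/48 any eq 22
 deny   ipv6 any any log
!
line vty 0 4
 access-class MGMT-V4 in
 ipv6 access-class MGMT-V6 in
 transport input ssh
```

Two things to verify after applying this: "show ipv6 access-list MGMT-V6" should show the deny counter climbing when a disallowed v6 source tries to connect, and "show line vty 0" should list both access-class entries. Dropping telnet from "transport input" is independent of the ACLs, but it removes the cleartext service that was exposed in the first place. On FreeBSD, the equivalent quick check for the link-local situation Iljitsch mentions is "sockstat -6l", which lists every socket listening on an IPv6 address, including the wildcard.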