North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Re: IOS 12.3(x) Strange service ports open on router

  • From: Yann Berthier
  • Date: Fri Apr 09 18:21:24 2004

On Fri, 09 Apr 2004, Iljitsch van Beijnum wrote:

> 
> On 9-apr-04, at 22:27, Pekka Savola wrote:
> 
> >Another pet peeve of roughly the same category: when you enable IPv6,
> >telnet is automatically open to the world (using v6), even if you have
> >disabled v4 telnet with an access-list.
> 
> >The vendor refused to believe this is a problem,
> 
> Whether or not this is a problem is in the eye of the beholder, but 
> from what I've seen, this is standard practice with any kind of packet 
> filter. As far as I know, only hosts.allow-style tcp wrapping is 
> agnostic about the IP version.
> 
> If you want to run a new protocol, you have to configure filters for it 
> unless you want to go through life unfiltered. That's the way things 
> work.
> 
> It's even worse with FreeBSD: if you firewall it to the teeth in v4 and 
> disable v6 in the rc.conf, it will still run v6 with link-local 
> addresses and allow access to the services that are filtered in v4.

   Bad FreeBSD, no cookie for FreeBSD :) But if you don't need IPv6,
   remove INET6 from your kernel config file, rc.conf is not the right
   place to do it either.

      - yann