From: Chris Davies on 18 Apr 2008 07:48

Andy Burns <usenet.april2008(a)adslpipe.co.uk> wrote:
> That's a "link local" IPv6 address, but is not routable from other
> subnets, it's the equivalent of a 169.x.y.z APIPA IPv4 address.

ITYM 169.254.0.0/16

Chris

From: Whiskers on 18 Apr 2008 08:44

On 2008-04-17, Geoffrey Clements <bitbucket(a)electron.me.uk> wrote:
> Nix wrote:
>
>> On 16 Apr 2008, tinnews(a)isbd.co.uk outgrape:
>>
>>> D.M. Procida <real-not-anti-spam-address(a)apple-juice.co.uk> wrote:
>>>> <tinnews(a)isbd.co.uk> wrote:
>>>>
>>>> > > What would you suggest as sensible security measures for desktop
>>>> > > Linux users, who won't be running such things as PHP websites or an
>>>> > > array of vulnerable services?
>>>> > >
>>>> > Security against what?
>>>>
>>>> Bad People, mainly.
>>>>
>>> Well secure the system physically against "bad people" for a start!
>>
>> This is a *university*. What are they going to do, station armed guards
>> around it with instructions to shoot approaching faculty, admin staff,
>> and students? (That should cover most categories.)
>>
>
> You forgot bad people :-)

A clipboard with a sign-in sheet and a pencil on a bit of string, should take care of that sort of thing. Just put it somewhere near the main entrance. If things get really tight, provide sticky labels for people to write their names on and stick to their chests.

--
-- ^^^^^^^^^^
--  Whiskers
-- ~~~~~~~~~~

From: Theo Markettos on 18 Apr 2008 09:36

Bernard Peek <bap(a)shrdlu.com> wrote:
> It's not uncommon for sites that adopted the Internet early to have
> painted themselves into a corner. Decisions that were reasonable in 1980
> may now be irrevocable. They may want to change now but the problem is
> too big to be manageable. It might be fixable as part of a technology
> refresh but a site-wide refresh in one hit seems unlikely. Perhaps if
> they switch to IPv6 they will do it.

There's no particular reason for workstations not to be on public IP addresses, apart from the general scarcity of IPv4 addresses. If the firewall blocks all incoming connections then it's just the same as a NAT router. The advantage is that some connections can be opened as and when required - when you need to do multicast or videoconferencing or similar, it's just a case of a firewall rule. When protocols are allowed not having NAT can make them work much better (eg VOIP).

As for probing, they may do it themselves. It doesn't go too far to launch nmap against every box on the network, and then filter based on the interesting stuff. Ask. There will probably be some technical staff doing this, whose existence may not be apparent from the 'public face' of the IT organisation. The firewall restrictions, for example, are unlikely to be in the public domain.

Here's Cardiff central IT policies on Unix:
http://www.cardiff.ac.uk/insrv/it/software/unix/index.html
(your department may vary)

Theo

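
Added example, not part of the thread or of any poster's configuration: an nftables ruleset for a border router that sketches the arrangement described in the post above, where publicly addressed workstations sit behind a stateful default-drop filter and a single service is opened with one rule. The interface names `wan0` and `lan0`, the 192.0.2.0/24 documentation prefix, and the host and port in the last rule are assumptions.

```nftables
# Border router forwarding policy: no NAT, workstations keep public addresses.
# All names and addresses below are illustrative assumptions.
table inet campus_edge {
    chain forward {
        # Default-drop: nothing crosses the router unless a rule accepts it.
        type filter hook forward priority 0; policy drop;

        # Packets the connection tracker cannot place in any flow.
        ct state invalid drop

        # Replies to flows that were opened from the workstation side.
        # This is what gives the same inbound protection as a NAT router.
        ct state established,related accept

        # Workstations may open outbound connections freely.
        iifname "lan0" oifname "wan0" accept

        # Opened "as and when required": SIP signalling to one VoIP host.
        # Because there is no address translation, the host is reachable
        # on its real address and the protocol needs no NAT helper.
        iifname "wan0" oifname "lan0" ip daddr 192.0.2.25 udp dport 5060 accept

        # Rate-limited log of unsolicited inbound traffic for visibility;
        # the packet then falls through to the drop policy.
        iifname "wan0" limit rate 10/second log prefix "edge-in-drop: "
    }
}
```

The file can be syntax-checked without loading it using `nft -c -f <file>`.
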
From: Nix on 18 Apr 2008 09:26

On 17 Apr 2008, Paul Martin uttered the following:
> In article <87fxtlmqgo.fsf(a)hades.wkstn.nix>,
> Nix wrote:
>
>> Um, when they switch to IPv6 they will definitely *not* move to private
>> IP addresses, because such abominations do not exist in IPv6, by design.
>
>> NAT is evil. Oppose it.
>
> Has the multihoming problem been fixed yet?

Not that I know of, but as long as you hand out coherent blocks to people, that wouldn't be a problem, would it?

> Or has Moore's law made the
> size of routing tables irrelevant now?

I can't see how. Memory speeds are the problem here, and the memory/CPU speed barrier is higher than ever :/

--
`The rest is a tale of post and counter-post.' --- Ian Rawlings describes USENET

From: Nix on 18 Apr 2008 09:27

On 17 Apr 2008, Will Kemp verbalised:
> On Wed, 16 Apr 2008 22:37:11 +0100, Nix wrote:
>
>> NAT is evil. Oppose it.
>>
>> (Firewalls are, of course, not evil: more a necessity. But every system
>> on the Internet should be *addressable* by every other.)
>
> Why?

So that people can develop new protocols or run servers without having to beg for permission.

--
`The rest is a tale of post and counter-post.' --- Ian Rawlings describes USENET