Friday, June 03, 2011

firewall-wizards Digest, Vol 59, Issue 1

Send firewall-wizards mailing list submissions to
firewall-wizards@listserv.icsalabs.com

To subscribe or unsubscribe via the World Wide Web, visit
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
or, via email, send a message with subject or body 'help' to
firewall-wizards-request@listserv.icsalabs.com

You can reach the person managing the list at
firewall-wizards-owner@listserv.icsalabs.com

When replying, please edit your Subject line so it is more specific
than "Re: Contents of firewall-wizards digest..."


Today's Topics:

1. Re: obscure email address formats (ArkanoiD)
2. Re: obscure email address formats (ArkanoiD)
3. Re: obscure email address formats (Jim Seymour)
4. Re: obscure email address formats (Magosányi Árpád)
5. CISCO ASA 7.0(8) - internal users cannot browse. (Rocker Feller)


----------------------------------------------------------------------

Message: 1
Date: Wed, 25 May 2011 17:58:33 +0400
From: ArkanoiD <ark@eltex.net>
Subject: Re: [fw-wiz] obscure email address formats
To: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.cybertrust.com>
Message-ID: <20110525135832.GA31126@eltex.net>
Content-Type: text/plain; charset=koi8-r

I am mostly thinking of:

quoted strings and escaped characters in local part,
source routing variants and bang paths,
and ipv4/ipv6 literals instead of domain

On Mon, May 23, 2011 at 03:18:31PM -0700, david@lang.hm wrote:
> what sort of obscure formats are you thinking of eliminating?
>
> there's good reason to allow mailbox+folder@fqdn for some people that's
> considered obscure, for others it's just less common.
>
> David Lang
>
> On Tue, 24 May 2011, ArkanoiD wrote:
>
> >Is there any good reason to allow email addresses (in smtp, imap and
> >alikes)
> >in any format different from mailbox@fqdn ?
> >
> >There is plenty of other stuff defined in RFCs and I wonder if anyone
> >really uses it so
> >I should *not* just filter it out.

------------------------------

Message: 2
Date: Wed, 25 May 2011 17:59:30 +0400
From: ArkanoiD <ark@eltex.net>
Subject: Re: [fw-wiz] obscure email address formats
To: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.cybertrust.com>
Message-ID: <20110525135930.GB31126@eltex.net>
Content-Type: text/plain; charset=koi8-r

Ah. That was one of the things I presumed to be long dead :-)

On Mon, May 23, 2011 at 06:32:36PM -0400, Carl Friedberg wrote:
> Outbound (if you are sending e-mail to an external server) there might be either of these formats:
>
> xtl.com:foobar@example.com
> foobar%example.com@xtl.com
>
> I use both of those formats with a mail forwarding service.
>
> Carl Friedberg
>
>
> -----Original Message-----
> From: firewall-wizards-bounces@listserv.icsalabs.com [mailto:firewall-wizards-bounces@listserv.icsalabs.com] On Behalf Of ArkanoiD
> Sent: Monday, May 23, 2011 4:30 PM
> To: firewall-wizards@listserv.cybertrust.com
> Subject: [fw-wiz] obscure email address formats
>
> Is there any good reason to allow email addresses (in smtp, imap and alikes)
> in any format different from mailbox@fqdn ?
>
> There is plenty of other stuff defined in RFCs and I wonder if anyone really uses it so
> I should *not* just filter it out.

------------------------------

Message: 3
Date: Tue, 24 May 2011 18:19:32 -0400
From: Jim Seymour <jseymour@LinxNet.com>
Subject: Re: [fw-wiz] obscure email address formats
To: firewall-wizards@listserv.icsalabs.com
Message-ID: <20110524181932.33dc0f45@jimsun>
Content-Type: text/plain; charset=US-ASCII

On Tue, 24 May 2011 00:30:24 +0400
ArkanoiD <ark@eltex.net> wrote:

> Is there any good reason to allow email addresses (in smtp, imap
> and alikes) in any format different from mailbox@fqdn ?
>
> There is plenty of other stuff defined in RFCs and I wonder if
> anyone really uses it so I should *not* just filter it out.

Couldn't say, for sure, but I've had this

/[!%\@].*\@/ 550 This server disallows weird address syntax.

PCRE regexp in every mail server I've deployed for (checks...) better
than a dozen years.

Regards,
Jim
--
Note: My mail server employs *very* aggressive anti-spam
filtering. If you reply to this email and your email is
rejected, please accept my apologies and let me know via my
web form at <http://jimsun.LinxNet.com/contact/scform.php>.


------------------------------

Message: 4
Date: Tue, 24 May 2011 08:44:04 +0200
From: Magosányi Árpád <mag@magwas.rulez.org>
Subject: Re: [fw-wiz] obscure email address formats
To: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.icsalabs.com>
Message-ID: <4DDB53B4.3020805@magwas.rulez.org>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed

On 2011-05-24 00:13, Carson Gaspar wrote:
>
> mailbox@fqdn isn't enough - you must at _least_ handle full names in
> the address etc. The quoting rules are byzantine, but really required
> as mail clients emit all sorts of stuff.

I believe normalization is the way to go about it.
The principle is "forward what you understood, not what has been sent".

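As an added example (my own code, not anything a poster in this thread wrote), the Python below applies Jim Seymour's `/[!%\@].*\@/` rule from Message 3 and the "forward what you understood" normalization from Message 4 to the address forms named earlier in the thread. The STRICT pattern, the mailbox+folder handling and the sample addresses are my assumptions about what "understood" should mean, not anything the posters specified.

```python
import re

# Jim Seymour's Postfix-style check from the thread: reject when a '!', '%'
# or '@' appears anywhere before the final '@' of the address.
WEIRD_SYNTAX = re.compile(r"[!%@].*@")

# Assumed strict "mailbox@fqdn" shape, with the mailbox+folder extension
# David Lang mentions; everything else counts as "not understood".
STRICT = re.compile(
    r"^(?P<mailbox>[A-Za-z0-9._-]+)(?:\+(?P<folder>[A-Za-z0-9._-]+))?"
    r"@(?P<domain>(?:[A-Za-z0-9-]+\.)+[A-Za-z]{2,})$"
)

def is_weird(addr: str) -> bool:
    """True when the address would be rejected by the [!%@].*@ rule."""
    return WEIRD_SYNTAX.search(addr) is not None

def normalize(addr: str):
    """Return the canonical mailbox@fqdn we understood, or None.

    The '+folder' part is kept (it selects a folder at delivery), the
    domain is lower-cased, and anything outside the strict shape is
    refused rather than forwarded as received.
    """
    m = STRICT.match(addr.strip())
    if not m:
        return None
    local = m.group("mailbox")
    if m.group("folder"):
        local += "+" + m.group("folder")
    return f"{local}@{m.group('domain').lower()}"

# Constructed sample addresses covering the forms named in the thread,
# mapped to (rejected by Jim's rule?, normalized form or None).
SAMPLES = {
    "foobar@example.com": (False, "foobar@example.com"),
    "mailbox+folder@Example.COM": (False, "mailbox+folder@example.com"),
    "foobar%example.com@xtl.com": (True, None),    # %-hack
    "@xtl.com:foobar@example.com": (True, None),   # RFC 821 source route
    "xtl.com!foobar@example.com": (True, None),    # bang path
    '"a@b"@example.com': (True, None),             # quoted '@' in local part
    "xtl.com:foobar@example.com": (False, None),   # colon route: rule misses it
    "foobar@[192.0.2.1]": (False, None),           # IPv4 literal: rule misses it
}

def check_samples():
    """Run both checks over every sample; used to confirm the table above."""
    return {a: (is_weird(a), normalize(a)) for a in SAMPLES}
```

Note that the rule as written does not catch the colon form `xtl.com:foobar@example.com` that Carl Friedberg uses, nor an IP literal domain, because neither has a `!`, `%` or `@` before its final `@`; the normalizer refuses both anyway.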
------------------------------

Message: 5
Date: Wed, 25 May 2011 11:04:08 +0300
From: Rocker Feller <rocker.rockerfeller@gmail.com>
Subject: [fw-wiz] CISCO ASA 7.0(8) - internal users cannot browse.
To: firewall-wizards@listserv.icsalabs.com
Message-ID: <BANLkTinnLQOiNGHs0f03xV9MqD38fwzhaQ@mail.gmail.com>
Content-Type: text/plain; charset="iso-8859-1"

Hi all,

I am a newbie and would like assistance on an ASA.

I have a Cisco ASA factory default that I configured.

This is my configuration, thank you.


1. I cannot ping the gw IP when connected on console, though from the gw,
which is a Cisco router, I can pick the ASA MAC address.

2. I have the two ACLs 101 and cmd icmp permit any outside which should
enable me to ping from any outside host to the outside interface of the ASA,
to no avail.

3. Public IP and gw are public IPs.

Q. Any assistance to get this working so that I can configure an RA VPN will
be appreciated.

ASA Version 7.0(8)
!

domain-name ciscoasa.co.ke

names
dns-guard
!
interface Ethernet0/0
description Link to Service Provider
nameif outside
security-level 0
ip address publicip 255.255.255.252
!
interface Ethernet0/1
description Link to Local LAN
nameif inside
security-level 100
ip address 192.168.168.11 255.255.255.0
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
ftp mode passive
access-list ANY extended permit ip any any
access-list ANY extended permit icmp any any echo-reply
access-list ANY extended permit icmp any any time-exceeded
access-list ANY extended permit icmp any any unreachable
access-list ANY extended permit icmp any any
access-list OUT extended permit icmp any any echo-reply
access-list OUT extended permit icmp any any echo
access-list 101 extended permit icmp any any echo-reply
access-list 101 extended permit icmp any any source-quench
access-list 101 extended permit icmp any any unreachable
access-list 101 extended permit icmp any any time-exceeded
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu management 1500
icmp permit any outside
asdm image disk0:/asdm-508.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 192.168.168.0 255.255.255.0
access-group ANY in interface inside
route outside 0.0.0.0 0.0.0.0 gw 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd lease 3600
dhcpd ping_timeout 50
dhcpd enable management
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
inspect dns maximum-length 512
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect icmp
!
service-policy global_policy global
Cryptochecksum:6f78bb9efb6b013ce7eb3cf8d77268ae

Rocker

------------------------------

_______________________________________________
firewall-wizards mailing list
firewall-wizards@listserv.icsalabs.com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards


End of firewall-wizards Digest, Vol 59, Issue 1
***********************************************
