Re: IOS 12.3(x) Strange service ports open on router

[Yann Berthier <yb () sainte-barbe org>]

On Fri, 09 Apr 2004, Iljitsch van Beijnum wrote:

> On 9-apr-04, at 22:27, Pekka Savola wrote:
>
> > Another pet peeve of roughly the same category: when you enable IPv6,
> > telnet is automatically open to the world (using v6), even if you have
> > disabled v4 telnet with an access-list.
>
> > The vendor refused to believe this is a problem,
>
> Whether or not this is a problem is in the eye of the beholder, but 
> from what I've seen, this is standard practice with any kind of packet 
> filter. As far as I know, only hosts.allow-style tcp wrapping is 
> agnostic about the IP version.
>
> If you want to run a new protocol, you have to configure filters for it 
> unless you want to go through life unfiltered. That's the way things 
> work.
>
> It's even worse with FreeBSD: if you firewall it to the teeth in v4 and 
> disable v6 in the rc.conf, it will still run v6 with link-local 
> addresses and allow access to the services that are filtered in v4.

   Bad FreeBSD, no cookie for FreeBSD :) But if you don't need IPv6,
   remove INET6 from your kernel config file, rc.conf is not the right
   place to do it either.

      - yann