If you can get it on IPv6, maybe via a gateway, port 23 filtering doesn't seem to be applied to IPv6 yet! (I assume because the v6 address space is too large to mass scan?)

▲

Suzuran 2 hours ago | parent [-]

If I am rewriting the network stack or making other substantial changes, that defeats the purpose of historical preservation.

▲

RupertSalt 2 hours ago | parent [-]

If moving it to another port from the OS is beyond the pale for you, your router should implement PAT (port translation) or forwarding, so that from the outside, users could connect on, say, 443 or 2323, and the router rewrites the segments to connect to your immutable port 23/tcp.

It makes no sense that IPv6 is treated differently than IPv4. If GNU telnetd is vulnerable and it's running on port 23/tcp, it will be found on IPv6. I would definitely not bind anything to listen on port 23 on any protocol, because I would expect it to become filtered shortly. Port 23 is permanently burned everywhere.

Conversely, a vintage PDP-10 telnetd is not affected by the CVE for GNU.

It is a classic rookie mistake to treat the two protocols differently, so if Tier-1 providers have done this, they must be overly optimistic, or foolish, or met with some technical obstacles, or perhaps OSI Layer 8?

	▲	Suzuran an hour ago \| parent [-]
		I meant rewriting it for IPv6 instead of IPv4.