RE: [fw-wiz] pixen abnormalities;

From: Melson, Paul (PMelson_at_sequoianet.com)
Date: 08/21/03

    To: "R. DuFresne" <dufresne@sysinfo.com>, <firewall-wizards@honor.icsalabs.com>
    Date: Thu, 21 Aug 2003 16:41:22 -0400

    That's a new one on me. You can use 'service resetoutside' and/or 'service resetinbound' to cause the PIX to send an RST back to hosts sending TCP packets that are denied by an access-list (or just denied in general). I don't know if this would result in connections that exceed the idle time set with the 'timeout' command receiving an RST or not. I'd be interested to know how it behaves if anyone has tried this.

    PaulM

    > -----Original Message-----
    > It's been awhile since I played in a firewall admin role, and worked mostly
    > with fw-1 ipchains/iptable kinda setups. But, in a new position as a
    > unix/web admin, I'm dealing with firewall admins that maintain that not
    > setting the pixies to send an rst upon idle timeout is a 'protection' in
    > case the connection that went idle was hijacked. Course, this will hose
    > up a console connection for a good twenty minutes or more depending upon
    > the configuration of the systems I'm using a console on. But, is this
    > really a concern and rationale for not sending an rst on idle timeout
    > limits?
    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
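Whether or not the PIX is configured to send an RST when a connection ages out of its table, the console hang described above happens because the client only learns the connection is dead when its own TCP retransmissions finally give up. A defender-side workaround that does not depend on firewall behaviour is to keep the session from ever going idle at the firewall: turn on TCP keepalive on the client socket with an idle period shorter than the PIX 'timeout' value, so the connection entry is refreshed before it expires, and a probe that goes unanswered (because the entry was silently dropped anyway) tears the session down within seconds instead of minutes. The following is an added example, not code from the list thread; it uses the Linux socket option names TCP_KEEPIDLE, TCP_KEEPINTVL and TCP_KEEPCNT and skips them on platforms that do not expose them, and the 'firewall timeout' values passed in are constructed for illustration.

```python
import socket


def enable_tcp_keepalive(sock, idle_seconds=60, interval_seconds=10, probe_count=3):
    """Enable TCP keepalive on an existing socket and, where the platform exposes
    the tuning knobs (Linux names used here), set the probe timing.

    Returns a dict of the option values actually in effect, read back with
    getsockopt so the caller can verify what the kernel accepted."""
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_KEEPALIVE, 1)
    applied = {"SO_KEEPALIVE": sock.getsockopt(socket.SOL_SOCKET, socket.SO_KEEPALIVE)}
    for name, value in (("TCP_KEEPIDLE", idle_seconds),      # seconds idle before first probe
                        ("TCP_KEEPINTVL", interval_seconds),  # seconds between probes
                        ("TCP_KEEPCNT", probe_count)):        # unanswered probes before reset
        opt = getattr(socket, name, None)
        if opt is None:
            continue  # not available on this platform (e.g. the macOS name differs)
        sock.setsockopt(socket.IPPROTO_TCP, opt, value)
        applied[name] = sock.getsockopt(socket.IPPROTO_TCP, opt)
    return applied


def keepalive_beats_timeout(idle_seconds, firewall_timeout_seconds):
    """True if the first keepalive probe is sent before the firewall's idle
    timeout would expire the connection entry. The check a practitioner wants
    before trusting a keepalive setting: a probe that arrives after the entry is
    gone does not help, it is just another packet the firewall drops."""
    return idle_seconds < firewall_timeout_seconds


def worst_case_detection_seconds(idle_seconds, interval_seconds, probe_count):
    """Upper bound on how long a client waits before a silently dropped
    connection is reported dead: the idle period plus every failed probe."""
    return idle_seconds + interval_seconds * probe_count


if __name__ == "__main__":
    # Constructed demo: a loopback connection stands in for a console session
    # that would otherwise cross a firewall with an idle timeout (here assumed
    # to be 3600 seconds, a common PIX 'timeout conn' value, not taken from the thread).
    firewall_timeout = 3600
    server = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    server.bind(("127.0.0.1", 0))
    server.listen(1)
    client = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    client.connect(server.getsockname())
    settings = enable_tcp_keepalive(client, idle_seconds=600, interval_seconds=30, probe_count=3)
    print("keepalive options in effect:", settings)
    print("probe precedes firewall timeout:",
          keepalive_beats_timeout(600, firewall_timeout))
    print("worst-case dead-connection detection (s):",
          worst_case_detection_seconds(600, 30, 3))
    client.close()
    server.close()
```

On an unconnected socket the options can still be set and read back, which is all the test below relies on; the demo in the main block connects over loopback only to show the call in its natural place, right after connect(). A 600 second idle with 3 probes 30 seconds apart means a session whose firewall entry vanished is reported dead in at most 690 seconds rather than after the client's full retransmission timeout.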
