RE: [fw-wiz] pixen abnomalities;
From: Wes Noonan (mailinglists_at_wjnconsulting.com)
To: "Melson, Paul" <PMelson@sequoianet.com>, "R. DuFresne" <email@example.com>, <firstname.lastname@example.org>
Date: Tue, 26 Aug 2003 16:19:45 -0500
New one to me too. Sounds like a bogus position they have, to me. I'd
love to hear of an actual exploit along the lines of what they seem to
be worried about.
> -----Original Message-----
> From: email@example.com
> firstname.lastname@example.org] On Behalf Of Melson, Paul
> Sent: Thursday, August 21, 2003 15:41
> To: "R. DuFresne" <email@example.com>; firewall-
> Subject: RE: [fw-wiz] pixen abnomalities;
> That's a new one on me. You can use 'service resetoutside' and/or
> 'service resetinbound' to cause the PIX to send an RST back to hosts
> sending TCP packets that are denied by an access-list (or just denied in
> general). I don't know if this would result in connections that
> the idle time set with the 'timeout' command receiving an RST or not. I'd
> be interested to know how it behaves if anyone has tried this.
> > -----Original Message-----
> > It's been a while since I played in a firewall admin role, and worked
> > with fw-1 ipchains/iptables kinda setups. But, in a new position as
> > unix/web admin, I'm dealing with firewall admins that maintain that
> > setting the pixies to send an rst upon idle timeout is a
> > case the connection that went idle was hijacked. Course, this will
> > up a console connection for a good twenty minutes or more depending
> > the configuration of the systems I'm using a console on. But, is
> > really a concern and rationale for not sending an rst on idle
> > limits?
> firewall-wizards mailing list
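For readers who want to see the PIX commands Paul names side by side with the idle timeout the thread is arguing about, here is a PIX 6.x-style configuration fragment. It is an added example for this page, not configuration posted by anyone in the thread. The interface names, the ACL name and the 0:20:00 idle value are assumptions chosen for illustration; the commands themselves ('service resetinbound', 'service resetoutside', 'timeout conn') are the ones discussed above. Nothing in this fragment settles the open question in the thread, whether a connection that idles out also receives an RST; it only shows where each knob lives.

```text
! --- Added example (not from the original posts) ---
! Interfaces and ACL names below are assumed for illustration.
nameif ethernet0 outside security0
nameif ethernet1 inside security100

! Inbound TCP that is denied by an access-list gets a TCP RST back
! instead of being silently dropped (the behaviour Paul describes).
service resetinbound

! Same idea for denied TCP arriving on the outside interface.
service resetoutside

! Idle connection timeout. The original poster's console sessions would
! be torn down after this period of inactivity; 0:20:00 is an assumed
! value matching the "twenty minutes" mentioned in the thread, not a
! recommendation. The PIX default is 1:00:00.
timeout conn 0:20:00 half-closed 0:10:00 udp 0:02:00

! Example of an ACL whose denied TCP packets would trigger the RST above.
access-list outside_in permit tcp any host 192.0.2.10 eq 22
access-list outside_in deny ip any any
access-group outside_in in interface outside
```

Whether the firewall admins' position is sound is a separate matter from this fragment: the 'service reset*' commands act on packets that are denied by policy, whereas the behaviour the original poster asks about concerns connections that simply exceed 'timeout conn', and the thread itself leaves open whether those two paths share the same RST behaviour.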