Re: [fw-wiz] Extreme Problem with PIX Config
From: Devdas Bhagat (devdas_at_dvb.homelinux.org)
Date: 05/19/05
- Previous message: Devdas Bhagat: "Re: [fw-wiz] A fun smackdown..."
- In reply to: Brian Loe: "[fw-wiz] Extreme Problem with PIX Config"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: firewall-wizards@honor.icsalabs.com Date: Fri, 20 May 2005 02:58:34 +0530
On 10/05/05 09:14 -0500, Brian Loe wrote:
<snip>
> domain-name domain.com
If you are munging, please use example.com/example.net/domain.invalid
> fixup protocol dns maximum-length 512
This breaks EDNS. You will have issues with this if you run a system
behind the pix checking DNSBLs. Run a decent caching DNS server
internally as a proxy.
> fixup protocol ftp 21
Why allow this in the first place?
> fixup protocol h323 h225 1720
> fixup protocol h323 ras 1718-1719
> fixup protocol http 80
> fixup protocol icmp error
> fixup protocol rsh 514
Again, why proxy something which you should not be allowing at all?
> fixup protocol rtsp 554
> fixup protocol sip 5060
> fixup protocol sip udp 5060
> fixup protocol skinny 2000
> fixup protocol smtp 25
Unless you are defending MS Exchange, turn this off. This breaks ESMTP,
including the useful SMTP AUTH and TLS extensions. Actually, turn this
off anyway and put in Postfix or Exim behind this box to act as a ESMTP
proxy.
> fixup protocol sqlnet 1521
> fixup protocol tftp 69
Repeat proxy question.
Devdas Bhagat
_______________________________________________
firewall-wizards mailing list
firewall-wizards@honor.icsalabs.com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
- Previous message: Devdas Bhagat: "Re: [fw-wiz] A fun smackdown..."
- In reply to: Brian Loe: "[fw-wiz] Extreme Problem with PIX Config"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
