Re: [fw-wiz] Extreme Problem with PIX Config

From: Devdas Bhagat (
Date: 05/19/05

  • Next message: Paul D. Robertson: "Re: [fw-wiz] A fun smackdown..."
    Date: Fri, 20 May 2005 02:58:34 +0530

    On 10/05/05 09:14 -0500, Brian Loe wrote:
    > domain-name

    If you are munging, please use

    > fixup protocol dns maximum-length 512
    This breaks EDNS. You will have issues with this if you run a system
    behind the pix checking DNSBLs. Run a decent caching DNS server
    internally as a proxy.

    > fixup protocol ftp 21

    Why allow this in the first place?

    > fixup protocol h323 h225 1720
    > fixup protocol h323 ras 1718-1719
    > fixup protocol http 80
    > fixup protocol icmp error
    > fixup protocol rsh 514

    Again, why proxy something which you should not be allowing at all?

    > fixup protocol rtsp 554
    > fixup protocol sip 5060
    > fixup protocol sip udp 5060
    > fixup protocol skinny 2000
    > fixup protocol smtp 25
    Unless you are defending MS Exchange, turn this off. This breaks ESMTP,
    including the useful SMTP AUTH and TLS extensions. Actually, turn this
    off anyway and put in Postfix or Exim behind this box to act as a ESMTP

    > fixup protocol sqlnet 1521
    > fixup protocol tftp 69
    Repeat proxy question.

    Devdas Bhagat
    firewall-wizards mailing list

  • Next message: Paul D. Robertson: "Re: [fw-wiz] A fun smackdown..."