Re: Firewall question

From: Nobody (.@.)
Date: 03/14/03


From: "Nobody" <.@.>
Date: Fri, 14 Mar 2003 13:46:35 -0500

So, basically, you want to disable all the fixup protocols that are in your
PIX configuration, and then use an access-list to block your internal LAN
from outbound access. Does that sound correct?

:block all the default pix pass-through protocols
no fixup protocol ftp 21
no fixup protocol http 80
no fixup protocol h323 1720
no fixup protocol rsh 514
no fixup protocol rtsp 554
no fixup protocol sqlnet 1521
no fixup protocol sip 5060
no fixup protocol skinny 2000
no fixup protocol smtp 25

:block all incoming tcp or udp connections across all ports
conduit deny tcp any any
conduit deny udp any any
conduit deny icmp any any
:yes, i know that denying the icmp is redundant

:define the local host pool to be all addresses
nat (inside) 1 0.0.0.0 0.0.0.0 0 0

:either do not create the global pool, or block it
no global (outside) 1

:end

Use the show conn and show xlate commands to verify.

"al" <allen@somplace.com> wrote in message
news:ogpca.976$co6.58397965@newssvr15.news.prodigy.com...
> I know because PIX by default allows every device from the inside network
> to go out.
> But we want to close down all ports going out first then allow whatever
> necessary traffic out based on our security policy.
> Thanks,
> Al
>
> "Nobody" <.@.> wrote in message
> news:Zapca.1934$945.5902@tor-nn1.netcom.ca...
> > I just set up a Cisco PIX 506e firewall. By default it allows smtp 25 to
> > pass-through without any issues. The only minor problem that I had was name
> > resolution for my external pop3 server. I solved it by changing the server
> > name to its IP address; that way I didn't have to go and open any
> > conduits.
> >
> >
> > "al" <allen@somplace.com> wrote in message
> > news:_qnca.1901$Wi1.293@newssvr19.news.prodigy.com...
> > > Hi all,
> > > We will implement a PIX Firewall and we will start by blocking all ports
> > > going in and out of the Firewall.
> > > We have an email server inside the firewall; tcp port 25 will be open coming
> > > in to the email server to be able to receive email.
> > > The question is which ports do I need to allow going out from the email
> > > server so we can send email out, since all outgoing ports are currently
> > > blocked.
> > > Thanks,
> > > Al
> > >
> > >
> >
> >
>
>
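The posture "Nobody" describes above (every fixup disabled, only deny conduits, a nat statement covering all inside hosts and no matching global pool) is easy to get subtly wrong when a config is edited over time, so an offline check of the saved configuration is a useful complement to `show conn` / `show xlate`. The script below is an added example written for this thread; it is not from any of the posters and not a Cisco tool. It assumes the config is plain `write terminal` style text where `:` and `!` lines are comments, and it treats a later `fixup`/`global` line as overriding an earlier `no fixup`/`no global` for the same protocol or pool, which is how the PIX applies them in order. The two sample configs are constructed for the example (one copies the lockdown snippet from the post, the other is a deliberately weak contrast).

```python
"""Audit a Cisco PIX 6.x config excerpt for the outbound lockdown posture
discussed in the thread: no fixups enabled, no 'conduit permit' lines, and
no global (outside) pool left for the inside nat group to translate through.

Added example for this thread, not a poster's code and not a full PIX parser;
the regexes are assumptions about 'write terminal' output formatting."""

import re
from dataclasses import dataclass, field

FIXUP_RE = re.compile(r"^(no\s+)?fixup\s+protocol\s+(\S+)\s+(\d+)")
CONDUIT_RE = re.compile(r"^conduit\s+(permit|deny)\s+(\S+)\s+(.*)$")
GLOBAL_RE = re.compile(r"^(no\s+)?global\s+\((\S+)\)\s+(\d+)")


@dataclass
class Findings:
    enabled_fixups: list = field(default_factory=list)   # e.g. "smtp/25"
    permit_conduits: list = field(default_factory=list)  # raw permit lines
    global_pools: list = field(default_factory=list)     # raw global lines

    @property
    def locked_down(self):
        """True only when nothing remains that lets traffic through."""
        return not (self.enabled_fixups or self.permit_conduits or self.global_pools)


def audit_pix_config(text):
    fixups = {}   # protocol -> port, present only while the fixup is enabled
    pools = {}    # (interface, pool id) -> line, present only while defined
    findings = Findings()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((":", "!")):
            continue  # comment lines in PIX output
        m = FIXUP_RE.match(line)
        if m:
            negated, proto, port = m.groups()
            if negated:
                fixups.pop(proto, None)      # 'no fixup' disables inspection
            else:
                fixups[proto] = port         # later 'fixup' re-enables it
            continue
        m = CONDUIT_RE.match(line)
        if m:
            if m.group(1) == "permit":
                findings.permit_conduits.append(line)
            continue
        m = GLOBAL_RE.match(line)
        if m:
            negated, iface, pool_id = m.groups()
            if negated:
                pools.pop((iface, pool_id), None)  # 'no global' removes pool
            else:
                pools[(iface, pool_id)] = line
    findings.enabled_fixups = [f"{p}/{port}" for p, port in sorted(fixups.items())]
    findings.global_pools = list(pools.values())
    return findings


# Constructed sample 1: the lockdown snippet from the post.
LOCKED_DOWN = """\
:block all the default pix pass-through protocols
no fixup protocol ftp 21
no fixup protocol http 80
no fixup protocol smtp 25
:block all incoming tcp or udp connections across all ports
conduit deny tcp any any
conduit deny udp any any
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
no global (outside) 1
"""

# Constructed sample 2: a weak contrast with fixups on, a permit conduit
# and a live global pool (addresses are documentation ranges).
WEAK = """\
fixup protocol ftp 21
fixup protocol smtp 25
no fixup protocol http 80
conduit permit tcp host 192.0.2.10 eq 25 any
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
global (outside) 1 198.51.100.5-198.51.100.20
"""

if __name__ == "__main__":
    for name, cfg in (("locked-down", LOCKED_DOWN), ("weak", WEAK)):
        r = audit_pix_config(cfg)
        print(name, "locked down:", r.locked_down)
        print("  enabled fixups:", r.enabled_fixups)
        print("  permit conduits:", r.permit_conduits)
        print("  global pools:", r.global_pools)
```

Run it against a `write terminal` capture saved to a file; a non-empty `global_pools` list together with the catch-all `nat (inside) 1` line means inside hosts still have a translation to go out on, which is the condition the post's `no global (outside) 1` is meant to remove.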