Re: Firewall-1 Security Advisory
From: youngk () TTC COM (Keith Young)
Date: Thu, 29 Oct 1998 11:11:30 -0500
And don't forget that if you have 3.0B patch level 3064 or above, ports 18181, 18182, 18183, and 18184 are also open for OPSEC. This is *on* by default. However, unlike the other ports, you must allow access to these ports in your rulebase.
The ports can be turned off by editing your $fw-1_src_dir/conf/fwopsec.conf
--Keith Young / Avenger
-youngk () ttc com
And what about the default of the ports 256, 257, 258 and 259 appearing on
every interface? A little concerning, since they are not listed in the
table of ports in the main manual. Even more concerning when I'm told
they are for secure remote support, logging and configuration control!
This obscurity makes one rather nervous.
On Tue, 27 Oct 1998, David S. Goldberg wrote:
So the closest thing to a warning comes not in the manuals that
come with the software - but you have to pay to go on a course for
this info. I may be wrong about this - if you know of any other
place where this is documented please let me know.
The "Managing Firewall-1 Using the Windows GUI" book that comes with
the firewall (both in hardcopy and pdf on the CD) covers this in
Chapter 8. In Chapter 9 (page 170 in my copy) they list in order the
bits a packet is matched against.
Unfortunately, this documentation is insufficient. They don't give
any advice as to the implications of doing DNS and ICMP before the
rule base. In spite of what they might consider a complete
description of how it works, it's easy to miss the security implication
of their default settings, especially when they declare some things
essential, making it seem to the administrator that she'd better leave
the services wide open rather than handle them explicitly in the
Post: The Mitre Corporation\MS B305\202 Burlington Rd.\Bedford, MA 01730
Email: dsg () mitre org
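As an added illustration (not code from this thread, and not Check Point's matching engine), a small Python model of the ordering complaint above: services accepted by default properties are evaluated before the rule base, so an administrator's explicit deny rules for them are shadowed. The rule names, the evaluator and the sample rule base are constructed here, and treating the 256-259 control ports as an implied accept alongside DNS and ICMP is an assumption for the model.

```python
from collections import namedtuple
from dataclasses import dataclass

Packet = namedtuple("Packet", "proto dport")   # dport 0 for icmp

@dataclass(frozen=True)
class Rule:
    name: str
    proto: str            # "tcp", "udp", "icmp" or "any"
    dports: frozenset     # empty set means any destination port
    action: str           # "accept" or "drop"

    def matches(self, pkt):
        return self.proto in ("any", pkt.proto) and (
            not self.dports or pkt.dport in self.dports)

# Constructed model of the default properties the thread describes: DNS,
# ICMP and the control ports 256-259 are accepted ahead of the rule base.
IMPLIED_RULES = [
    Rule("implied-dns", "udp", frozenset({53}), "accept"),
    Rule("implied-icmp", "icmp", frozenset(), "accept"),
    Rule("implied-control", "tcp", frozenset({256, 257, 258, 259}), "accept"),
]

def evaluate(pkt, rulebase, implied_enabled=True):
    """First-match evaluation; implied rules (if enabled) are consulted first."""
    chain = (IMPLIED_RULES if implied_enabled else []) + list(rulebase)
    for rule in chain:
        if rule.matches(pkt):
            return rule.action, rule.name
    return "drop", "cleanup"   # nothing matched: default drop

def shadowed_rules(rulebase):
    """Names of rule-base rules that an implied accept pre-empts entirely."""
    shadowed = []
    for rule in rulebase:
        probes = [Packet(rule.proto, p) for p in (rule.dports or {0})]
        if any(evaluate(pkt, rulebase)[1].startswith("implied-") for pkt in probes):
            shadowed.append(rule.name)
    return shadowed

# Constructed rule base written by an administrator who believes the rule
# base alone decides what reaches the firewall.
ADMIN_RULEBASE = [
    Rule("deny-dns-from-outside", "udp", frozenset({53}), "drop"),
    Rule("deny-control-ports", "tcp", frozenset({256, 257, 258, 259}), "drop"),
    Rule("allow-http", "tcp", frozenset({80}), "accept"),
]
```

Running `shadowed_rules(ADMIN_RULEBASE)` names both deny rules; the same packets evaluated with `implied_enabled=False` hit those drops, which is the difference the documentation discussed above leaves the administrator to discover.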