Firewall Wizards mailing list archives

Re: Extreme Problem with PIX Config
From: Devdas Bhagat <devdas () dvb homelinux org>
Date: Fri, 20 May 2005 02:58:34 +0530

On 10/05/05 09:14 -0500, Brian Loe wrote:
<snip>
> domain-name domain.com

If you are munging, please use example.com/example.net/domain.invalid

> fixup protocol dns maximum-length 512

This breaks EDNS. You will have issues with this if you run a system
behind the pix checking DNSBLs. Run a decent caching DNS server
internally as a proxy.

> fixup protocol ftp 21

Why allow this in the first place?

> fixup protocol h323 h225 1720
> fixup protocol h323 ras 1718-1719
> fixup protocol http 80
> fixup protocol icmp error
> fixup protocol rsh 514

Again, why proxy something which you should not be allowing at all?

> fixup protocol rtsp 554
> fixup protocol sip 5060
> fixup protocol sip udp 5060
> fixup protocol skinny 2000
> fixup protocol smtp 25

Unless you are defending MS Exchange, turn this off. This breaks ESMTP,
including the useful SMTP AUTH and TLS extensions. Actually, turn this
off anyway and put in Postfix or Exim behind this box to act as an ESMTP
proxy.

> fixup protocol sqlnet 1521
> fixup protocol tftp 69

Repeat proxy question.

Devdas Bhagat
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
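The review above, turned into a small lint check (an added example, not code from the thread or from Cisco): it scans a PIX 6.x style config for the `fixup protocol` lines the reply objects to, the 512-byte DNS clamp that clips EDNS0 replies, the SMTP fixup that restricts mail to RFC 821 commands and so breaks EHLO/AUTH/STARTTLS, and fixups for services the reply says should not cross the firewall at all. The function name, the `EDNS_MIN` threshold, the `QUESTIONED` set and the sample config are my assumptions, the sample being constructed from the quoted fragment.

```python
import re
from typing import List, Tuple

# Constructed sample, modelled on the config fragment quoted in the thread.
SAMPLE_CONFIG = """\
domain-name domain.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol icmp error
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
"""

# "fixup protocol <name> [<options>] [<ports>]" as written in PIX 6.x configs.
FIXUP_RE = re.compile(r"^\s*fixup\s+protocol\s+(\S+)(?:\s+(.*))?$")
# Assumption: any DNS maximum-length at or below the classic 512-byte limit
# truncates EDNS0 replies (DNSBL answers are a common casualty).
EDNS_MIN = 513
# Assumption: protocols the reply asks you to justify allowing through at all.
QUESTIONED = {"ftp", "h323", "http", "icmp", "rsh", "sqlnet", "tftp"}


def lint_fixups(config: str) -> List[Tuple[int, str, str]]:
    """Return (line_no, protocol, finding) for each fixup the review objects to."""
    findings = []
    for no, line in enumerate(config.splitlines(), 1):
        m = FIXUP_RE.match(line)
        if not m:
            continue
        proto, rest = m.group(1).lower(), (m.group(2) or "")
        if proto == "dns":
            lm = re.search(r"maximum-length\s+(\d+)", rest)
            if lm and int(lm.group(1)) < EDNS_MIN:
                findings.append((no, proto, f"maximum-length {lm.group(1)} clips EDNS0 "
                                 "replies; raise it or proxy DNS via an internal caching resolver"))
        elif proto == "smtp":
            findings.append((no, proto, "SMTP fixup limits sessions to RFC 821 commands, breaking "
                             "ESMTP (EHLO, AUTH, STARTTLS); disable it and relay via Postfix/Exim"))
        elif proto in QUESTIONED:
            findings.append((no, proto, "fixup for a service the review says should not be "
                             "allowed through at all; drop the fixup and the matching permit"))
    return findings
```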

