Bugtraq mailing list archives

Re: Default configuration in WatchGuard Firewall


From: Matt.Bruce () ALPHAWEST COM AU (Matt Bruce)
Date: Wed, 15 Sep 1999 12:21:01 +0800


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi all,

I concur with the Watchguard Rapid Response Team's findings, based
upon my experience with Firebox-II installations.

Each Firebox-II with SMS 3.3 (with and without SP1) that I have done
has had ping Disabled on Inbound (denied/logged) and Enabled on
Outbound (any-to-any) by default. While there may be a (somewhat
subjective or contentious) issue about allowing everyone outbound
pinging by default, it certainly didn't allow any ping traffic from
the External to the Trusted networks unless I explicitly allowed it.

I can't speak for FB-10/-100 boxes or versions of SMS prior to 3.3,
however.

HTH and regards,

- --
Matt Bruce  <matt.bruce () alphawest com au>
Internet & Security Engineer
AlphaWest - http://www.alphawest.com.au/

-----Original Message-----
From: Steve Fallin [mailto:steve.fallin () WATCHGUARD COM]
Sent: Tuesday, 14 September 1999 4:37 am

The poster, Sr. Alfonso Lazaro stated that, by default, the
WatchGuard Firebox allowed ping traffic from any interface to
any interface...
In the absence of any further information from Sr. Lazaro,
we believe that his report of a vulnerability in Firebox
default configuration files is in error.

-----BEGIN PGP SIGNATURE-----
Version: PGP 6.0.2
Comment: Get my public key from ldap://certserver.pgp.com

iQA/AwUBN96ukxmtSClHdI5CEQJOYACfT00ME4V+Mw/VfVTSt+PXqXHP5UUAoMVZ
6qsxAWTtzEh3dWWeNQYdn/0h
=qJcF
-----END PGP SIGNATURE-----
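
A small policy model of the default behaviour Matt describes (incoming ping from External denied and logged, outgoing ping allowed any-to-any, and what "explicitly allowing it" changes). This is an added illustration, not code from the original post and not WatchGuard's configuration format or software; the zone names, the Service/DirRule/Policy classes, the direction rule and the log-line format are all constructed for the example.

```python
"""Stateless model of the Firebox-II default ping policy as the thread
describes it: ping entering on External denied and logged, ping from any
internal interface to any destination allowed.

Constructed illustration only: zone names, classes and log format are
assumptions, not WatchGuard's actual configuration or code.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

EXTERNAL, TRUSTED, OPTIONAL = "External", "Trusted", "Optional"


@dataclass(frozen=True)
class Packet:
    src_zone: str
    dst_zone: str
    proto: str                        # "icmp", "tcp", "udp"
    icmp_type: Optional[int] = None   # 8 = echo request


@dataclass
class DirRule:
    """One direction of a service: action plus the zones it applies between."""
    action: str          # "allow" or "deny"
    src: List[str]       # zone names, or ["any"]
    dst: List[str]
    log: bool = False

    def covers(self, p: Packet) -> bool:
        return (("any" in self.src or p.src_zone in self.src)
                and ("any" in self.dst or p.dst_zone in self.dst))


@dataclass
class Service:
    proto: str
    incoming: DirRule
    outgoing: DirRule
    icmp_type: Optional[int] = None   # restrict an ICMP service to one type

    def matches(self, p: Packet) -> bool:
        return (self.proto == p.proto
                and (self.icmp_type is None or self.icmp_type == p.icmp_type))


@dataclass
class Policy:
    services: Dict[str, Service]
    log: List[str] = field(default_factory=list)

    @staticmethod
    def direction(p: Packet) -> str:
        # Assumption for the model: traffic sourced on the External
        # interface is "incoming", anything from an internal zone "outgoing".
        return "incoming" if p.src_zone == EXTERNAL else "outgoing"

    def evaluate(self, p: Packet) -> str:
        d = self.direction(p)
        for name, svc in self.services.items():
            if not svc.matches(p):
                continue
            rule = svc.incoming if d == "incoming" else svc.outgoing
            if rule.covers(p):
                if rule.log:
                    self.log.append(f"{name} {d}: {rule.action} "
                                    f"{p.src_zone}->{p.dst_zone}")
                return rule.action
        # Nothing matched: the implicit default is deny and log.
        self.log.append(f"default {d}: deny {p.proto} {p.src_zone}->{p.dst_zone}")
        return "deny"


def firebox_default() -> Policy:
    """Constructed approximation of the SMS 3.3 default the thread reports."""
    return Policy({"ping": Service(
        "icmp", icmp_type=8,
        incoming=DirRule("deny", ["any"], ["any"], log=True),
        outgoing=DirRule("allow", ["any"], ["any"]),
    )})


def allow_inbound_ping(pol: Policy, to_zone: str) -> None:
    """The 'explicitly allowed' case: open incoming ping to one zone only."""
    pol.services["ping"].incoming = DirRule("allow", [EXTERNAL], [to_zone], log=True)


if __name__ == "__main__":
    pol = firebox_default()
    print(pol.evaluate(Packet(EXTERNAL, TRUSTED, "icmp", 8)))   # denied, logged
    print(pol.evaluate(Packet(TRUSTED, EXTERNAL, "icmp", 8)))   # allowed
    allow_inbound_ping(pol, OPTIONAL)
    print(pol.evaluate(Packet(EXTERNAL, OPTIONAL, "icmp", 8)))  # now allowed
    print(pol.evaluate(Packet(EXTERNAL, TRUSTED, "icmp", 8)))   # still denied
    print(*pol.log, sep="\n")
```

The point the model makes concrete is that opening incoming ping to the Optional zone does not touch External-to-Trusted, which still falls through to the logged default deny; only a rule that names Trusted as a destination would change that.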

