Firewall Wizards mailing list archives

RE: CERT vulnerability note VU# 539363


From: "Philip J. Koenig" <pjklist () ekahuna com>
Date: Wed, 16 Oct 2002 18:05:00 -0700

On 16 Oct 2002 at 17:00, Stephen Gill boldly uttered: 

> In V4.0 the syntax has changed somewhat for the aforementioned command,
> though the concept still applies...
> 
> set zone <zone> screen limit-session source-ip-based <threshold>
> 
> I've requested something like 
> 
> set zone <zone> screen limit-session dest-ip-based <threshold>
> 
> but I've not seen it in code yet.  If I'm not mistaken I believe CP has
> added the ability to do both recently.
> 
> -- steve


OK, but the nice thing about the source-based rule is it's not very 
likely to drop legitimate traffic (unless you misconfigure it without 
any sense of your normal traffic profile), whereas a destination-
based rule could easily cause that problem, particularly for public 
servers.


On a slightly off-topic note - do you find ScreenOS stable?  I 
avoided it for stability reasons at a newly-deployed site but it 
would have been convenient to start off with it because when the time 
comes to upgrade it looks like I'll have to re-architect lots of the 
rules to adapt to its new syntax.


--
Philip J. Koenig                                       
pjklist () ekahuna com
Electric Kahuna Systems -- Computers & Communications for the New Millennium


_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
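The trade-off Philip describes above (a per-source session limit rarely hurts legitimate clients but does nothing against a flood of spoofed sources, while a per-destination limit protects the session table but also refuses real clients of the targeted server) can be measured with a small simulation. The code below is an added example, not from the original thread or from ScreenOS/Check Point; the limiter is a hypothetical model of the `limit-session source-ip-based` / `dest-ip-based` screens, and the thresholds, addresses (documentation ranges) and traffic mix are constructed for illustration.

```python
"""Simulate per-source vs. per-destination session limits on a constructed flood.

Added example, not code from the original post. The SessionLimiter is a
hypothetical model of ScreenOS-style 'limit-session' screens; thresholds and
addresses are assumptions chosen for illustration.
"""
from collections import Counter
from dataclasses import dataclass, field
from typing import List, Optional
import random


@dataclass
class Flow:
    src: str
    dst: str
    legit: bool  # constructed label: True for a real client, False for flood traffic


@dataclass
class SessionLimiter:
    """Refuse a new session once its source or destination holds `threshold` sessions.

    A threshold of None disables that check (one option at a time, as in the
    thread, or both together, as Check Point was said to allow)."""
    src_threshold: Optional[int] = None
    dst_threshold: Optional[int] = None
    per_src: Counter = field(default_factory=Counter)
    per_dst: Counter = field(default_factory=Counter)

    def admit(self, flow: Flow) -> bool:
        if self.src_threshold is not None and self.per_src[flow.src] >= self.src_threshold:
            return False
        if self.dst_threshold is not None and self.per_dst[flow.dst] >= self.dst_threshold:
            return False
        self.per_src[flow.src] += 1
        self.per_dst[flow.dst] += 1
        return True


def build_traffic(seed: int = 1, clients: int = 50, legit_per_client: int = 4,
                  flood_sessions: int = 2000) -> List[Flow]:
    """Constructed sample: 50 real clients (4 sessions each) plus 2000 flood
    sessions from random spoofed sources, all aimed at one public server."""
    rng = random.Random(seed)
    server = "203.0.113.10"  # TEST-NET-3 placeholder for the public server
    flows = [Flow(f"198.51.100.{i + 1}", server, True)
             for i in range(clients) for _ in range(legit_per_client)]
    for _ in range(flood_sessions):
        addr = rng.getrandbits(32)  # spoofed source, effectively unique per session
        spoofed = ".".join(str((addr >> shift) & 0xFF) for shift in (24, 16, 8, 0))
        flows.append(Flow(spoofed, server, False))
    rng.shuffle(flows)  # flood and legitimate requests arrive interleaved
    return flows


def evaluate(limiter: SessionLimiter, flows: List[Flow]) -> dict:
    """Run every flow through the limiter and tally who got in and who was refused."""
    stats = {"legit_admitted": 0, "legit_dropped": 0,
             "flood_admitted": 0, "flood_dropped": 0}
    for flow in flows:
        kind = "legit" if flow.legit else "flood"
        outcome = "admitted" if limiter.admit(flow) else "dropped"
        stats[f"{kind}_{outcome}"] += 1
    stats["table_size"] = sum(limiter.per_dst.values())  # sessions the firewall must hold
    return stats


if __name__ == "__main__":
    traffic = build_traffic()
    scenarios = {
        "source-ip-based 10": SessionLimiter(src_threshold=10),
        "dest-ip-based 500": SessionLimiter(dst_threshold=500),
        "both": SessionLimiter(src_threshold=10, dst_threshold=500),
    }
    for name, limiter in scenarios.items():
        print(name, evaluate(limiter, traffic))
```

Running it shows the point of the reply: the source-based screen drops no legitimate sessions but admits the entire spoofed flood, so the session table still fills (the exhaustion scenario the CERT note is about), whereas the destination-based screen caps the table at 500 entries and, because the flood is interleaved with real clients, refuses a large share of the legitimate sessions to the public server. Combining both limits behaves like the destination-based one here, since no single spoofed source ever reaches its own threshold.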

