Penetration Testing mailing list archives

Re: firewall question

From: Rzac` <bugtrack () mail ru>
Date: Thu, 14 Feb 2002 21:11:46 +0100

Hi there,

On 14/Feb/2002, leon wrote:
l> (...)
l> So to reiterate; is there a way to configure pix or checkpoint to
l> judge the connection based on protocol as opposed to arbitrary
l> things like source ip, destination IP or port numbers?
l> (...)

I'm no Pix or Firewall-1 expert, but I do not think you could readily
setup that kind of filtering in them.

As a work around, I suggest to add a proxy server to your network and
configure your firewall to reject outgoing connections coming from
boxes other than the proxy server.  I did that kind of setup with
OpenBSD and squid at a small business -- it worked like a charm. :)

Also, relying on a proxy server eases enforcement of your site's
Internet access policy (i.e. disallowing *.mp3, *.mpeg, *.exe, etc.)
It does not offer as many possibilities as a dedicated Internet
filtering solution (i.e. Websense), but it is still better than
nothing!

Setting up the proxy server as transparent avoided me to define proxy
server settings in any of my client's Internet browsers.

Regards,
Rzac`.


----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please see:
https://alerts.securityfocus.com/

Current thread:

firewall question leon (Feb 14)
- Re: firewall question Rzac` (Feb 14)
- Re: firewall question Michael Starr (Feb 14)
- Re: firewall question John Adams (Feb 14)
- Re: firewall question dr . kaos (Feb 14)
- RE: firewall question Panos Dimitriou (Feb 15)
- <Possible follow-ups>
- Re: firewall question Dario N. Ciccarone (Feb 14)
- RE: firewall question Matt Peterson (Feb 15)
- Re: firewall question dr . kaos (Feb 15)