Security Basics mailing list archives
RE: Cisco PIX fixup protocol command
From: "Christopher Black" <cblack () cc3 com>
Date: Fri, 13 Feb 2004 08:27:44 -0500
The fixup commands in a PIX are designed to allow a higher level of control to the ports that are opened for traffic. Take the SMTP fixup for example. Normal ACL rules for e-mail would allow port 25. This is an OSI layer 4 firewall rule: you define the src, dst and the port. The fixup protocol takes this a step further and only allows the basic 7 commands for SMTP traffic to be sent over port 25, thus working at the higher levels of the OSI model. So they are not short cuts. A short cut would be to add a rule such as:

access-list acl-in permit tcp any any eq 25

A list of the commands that the fixup allows can be viewed at Cisco's web site.

Hope that helps

Chris
-----Original Message-----
From: kawaii ryuko [mailto:trunks () stackers org]
Sent: Wednesday, February 11, 2004 1:23 PM
To: security-basics () securityfocus com
Subject: Re: Cisco PIX fixup protocol command

From: "S.Rohit" <s.rohit () usa net>
Sent: Wednesday, February 11, 2004 05:52

hi everyone.... might sound like a very stupid question to ask, but i am looking for info on what is the use of fixup protocol commands on the Cisco PIX device. what is the exact usage and significance of these commands? and what are the security implications of this command? i know that some fixups like say fixup protocol smtp are good cos of the way they restrict the SMTP command set but how about the general syntax [no] fixup protocol [service] [port]? what is this used for and what are the security implications for this?

rohit

Good firewall policy means you know /exactly/ what ports are open and what you are allowing through. Unless you are using a specific fixup service, it is best to turn them off. Personally, I like to turn off all fixup protocols and then open up ports as need be. The fixup series of commands are basically shortcuts that let you open up a service without having to go through all the individual ports (if I understand it correctly.)

Ever lovable and always scrappy,
kawaii
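To make the layer 4 versus application-layer distinction in Chris Black's reply concrete, here is an added Python illustration (not part of the original thread, and not Cisco's PIX code): a port-only check beside a filter that admits only the seven RFC 821 minimum commands the reply refers to, and that skips DATA body lines so message text is never mistaken for a command. The sample session and host names are constructed.

```python
# Contrast of a port-only (layer 4) rule with an application-aware SMTP
# command filter. Constructed illustration, not Cisco's implementation.

# RFC 821's minimum command set: the seven basic commands the thread says
# the SMTP fixup restricts traffic on port 25 to.
ALLOWED_SMTP = {"HELO", "MAIL", "RCPT", "DATA", "RSET", "NOOP", "QUIT"}


def layer4_permits(proto, dst_port):
    """Behaves like 'access-list acl-in permit tcp any any eq 25':
    decides on transport fields only, never looks at the payload."""
    return proto == "tcp" and dst_port == 25


def inspect_smtp_session(client_lines):
    """Classify each client command as allowed or rejected. Lines inside
    a DATA body (up to the lone '.') are message content, not commands,
    so they are skipped rather than matched against the command set."""
    allowed, rejected = [], []
    in_data = False
    for raw in client_lines:
        line = raw.rstrip("\r\n")
        if in_data:
            if line == ".":
                in_data = False
            continue
        verb = line.split(" ", 1)[0].upper() if line else ""
        if verb in ALLOWED_SMTP:
            allowed.append(verb)
            in_data = verb == "DATA"
        else:
            rejected.append(verb)
    return allowed, rejected


# Constructed sample session: basic commands mixed with extended and
# diagnostic ones (EHLO, VRFY) that a fixup-style filter would not pass.
SAMPLE_SESSION = [
    "EHLO mail.example.test\r\n",
    "HELO mail.example.test\r\n",
    "VRFY postmaster\r\n",
    "MAIL FROM:<alice@example.test>\r\n",
    "RCPT TO:<bob@example.test>\r\n",
    "DATA\r\n",
    "Subject: test\r\n",
    "EXPN staff\r\n",  # inside the body: data, not a command
    ".\r\n",
    "QUIT\r\n",
]
```

The port-only rule answers True for the whole session, while the command filter passes HELO, MAIL, RCPT, DATA and QUIT and rejects EHLO and VRFY.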