Firewall Wizards mailing list archives

Re: POP3 and SMTP slow on Linux since we installed a PIX


From: Mike Barkett <mbarkett () digex net>
Date: Mon, 16 Aug 1999 11:01:43 -0400 (EDT)

Eric Vyncke wrote:
Dave,

Most of the time, the problem arises because recent sendmails are, by default,
triggering an IDENT connection to the source of the SMTP session. PIX is
blocking IDENT by default without sending an ICMP message back to the source
(which is a secure behaviour in my biased experience).

You may want to either authorize IDENT through the PIX (bad!) or have the PIX
send the ICMP message (via a sysopt configuration command).

Hope this helps


Utilize the 'service resetinbound' command and verify DNS is allowed through, and
you should be fine.

The following excerpt is from:
http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_v42/pix42cfg/pix42cmd.htm

"The service resetinbound command provides a safer way to handle an IDENT connection through the PIX Firewall. Ranked in order of security from most secure to less secure are these methods for handling IDENT connections:

     1. Use the service resetinbound command.

     2. Use the established command with the permitto tcp 113 options.

     3. Create a static and conduit to open TCP port 113."


-MAB

-- 
 ,.........................................
:   Michael A. Barkett
:  Security Analyst/Team Lead, SMC (xXXXX)
: mbarkett () digex net  
:  301.847.7180       ,....................
:   FW./\/.          : i n t e r m e d i a
'....................'   BUSINESS INTERNET
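A practical way to confirm the diagnosis above is to look at TCP 113 from the mail server's side: a silently dropped SYN stalls each SMTP/POP session for the full IDENT timeout, while a RST (what "service resetinbound" produces) fails instantly. The following script is an added example, not code from the post, from sendmail or from Cisco. It classifies a host's IDENT port as open, reset, filtered or unreachable and times the attempt, sends a real RFC 1413 query when the port is open, and exercises itself against constructed loopback endpoints (a canned identd reply and a port with no listener). The "filtered" verdict, with elapsed time near the timeout, is what a PIX that drops port 113 silently will show; it cannot be reproduced on loopback and needs a real dropped path to observe. The host names, ports, timeout value and the canned reply line are assumptions for the demo.

```python
"""Probe how a firewall treats the IDENT/auth port (TCP 113) from a mail
server's point of view.  Added example; not from the original post, sendmail
or Cisco.  Ports, timeout and the canned reply are assumptions for the demo."""
import errno
import socket
import threading
import time

IDENT_PORT = 113        # RFC 1413 "auth"/ident service
IDENT_TIMEOUT = 5.0     # assumed; a silently dropped SYN stalls this long per session


def classify_ident(host, port=IDENT_PORT, timeout=IDENT_TIMEOUT):
    """Return (verdict, elapsed_seconds) for a TCP connect to host:port.

    verdict is one of:
      'open'         a listener accepted the connection
      'reset'        TCP RST came back (fast failure, what 'service resetinbound' gives)
      'filtered'     nothing came back before the timeout (silent drop)
      'unreachable'  ICMP unreachable came back (also a fast failure)
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    start = time.monotonic()
    try:
        s.connect((host, port))
        return "open", time.monotonic() - start
    except socket.timeout:
        return "filtered", time.monotonic() - start
    except ConnectionRefusedError:
        return "reset", time.monotonic() - start
    except OSError as e:
        if e.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
            return "unreachable", time.monotonic() - start
        raise
    finally:
        s.close()


def parse_ident_reply(text):
    """Parse an RFC 1413 reply line.

    '<sport> , <cport> : USERID : <opsys> : <userid>' -> ('USERID', opsys, userid)
    '<sport> , <cport> : ERROR : <reason>'            -> ('ERROR', reason, None)
    """
    fields = [f.strip() for f in text.strip().split(":", 3)]
    if len(fields) >= 4 and fields[1] == "USERID":
        return "USERID", fields[2], fields[3]
    if len(fields) >= 3 and fields[1] == "ERROR":
        return "ERROR", fields[2], None
    return "ERROR", "MALFORMED", None


def ident_query(host, server_port, client_port, port=IDENT_PORT, timeout=IDENT_TIMEOUT):
    """Send the RFC 1413 request '<server-port> , <client-port>' (what sendmail
    sends to the SMTP client) and parse whatever comes back."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall("{} , {}\r\n".format(server_port, client_port).encode("ascii"))
        buf = b""
        while b"\n" not in buf and len(buf) < 1024:
            chunk = s.recv(256)
            if not chunk:
                break
            buf += chunk
    return parse_ident_reply(buf.decode("ascii", "replace"))


def _serve_canned_ident(listener, reply):
    """identd stand-in for the local demo: answers every request with `reply`."""
    while True:
        try:
            conn, _ = listener.accept()
        except OSError:          # listener shut down by the demo
            return
        with conn:
            try:
                if conn.recv(256):   # a bare connect/close sends nothing
                    conn.sendall(reply)
            except OSError:
                pass


def demo_local():
    """Run the probe against constructed loopback endpoints and return the verdicts."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(2)
    open_port = listener.getsockname()[1]
    canned = b"25 , 1025 : USERID : UNIX : dave\r\n"     # constructed reply line
    threading.Thread(target=_serve_canned_ident, args=(listener, canned), daemon=True).start()

    tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tmp.bind(("127.0.0.1", 0))
    closed_port = tmp.getsockname()[1]
    tmp.close()                                          # nothing listens here now

    results = {
        "query": ident_query("127.0.0.1", 25, 1025, port=open_port, timeout=2.0),
        "open": classify_ident("127.0.0.1", open_port, timeout=2.0)[0],
        "reset": classify_ident("127.0.0.1", closed_port, timeout=2.0)[0],
    }
    try:
        listener.shutdown(socket.SHUT_RDWR)
    except OSError:
        pass
    listener.close()
    return results


if __name__ == "__main__":
    for name, value in demo_local().items():
        print(name, value)
```

Against a real SMTP client behind the PIX, call classify_ident(client_ip) from the mail server: "reset" or "unreachable" with a small elapsed time means the firewall is answering and sendmail will not stall; "filtered" with elapsed close to the timeout is the silent drop that shows up as slow POP3 and SMTP.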


