Firewall Wizards mailing list archives
Re: Extreme Problem with PIX Config
From: Devdas Bhagat <devdas () dvb homelinux org>
Date: Fri, 20 May 2005 02:58:34 +0530
On 10/05/05 09:14 -0500, Brian Loe wrote: <snip>
domain-name domain.com
If you are munging, please use example.com/example.net/domain.invalid
fixup protocol dns maximum-length 512
This breaks EDNS. You will have issues with this if you run a system behind the pix checking DNSBLs. Run a decent caching DNS server internally as a proxy.
fixup protocol ftp 21
Why allow this in the first place?
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol icmp error
fixup protocol rsh 514
Again, why proxy something which you should not be allowing at all?
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
Unless you are defending MS Exchange, turn this off. This breaks ESMTP, including the useful SMTP AUTH and TLS extensions. Actually, turn this off anyway and put in Postfix or Exim behind this box to act as an ESMTP proxy.
fixup protocol sqlnet 1521
fixup protocol tftp 69
Repeat proxy question.

Devdas Bhagat
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
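The EDNS point about `fixup protocol dns maximum-length 512` and DNSBL lookups, as an added example that is not part of the original post or of any Cisco code: a constructed EDNS0 query advertising a 4096-byte buffer, a constructed oversized TXT answer, and a function that models the PIX length check as a plain "drop anything longer than N bytes" rule (the DNSBL name, TXT payload and that simplified model of the fixup are assumptions; the message layout is standard RFC 1035/6891 DNS).

```python
import struct
from typing import Optional

OPT = 41  # EDNS0 pseudo-RR type (RFC 6891); its CLASS field carries the UDP payload size

def encode_name(name: str) -> bytes:
    return b"".join(bytes([len(l)]) + l.encode() for l in name.strip(".").split(".")) + b"\x00"

def skip_name(msg: bytes, off: int) -> int:
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        label_len = msg[off]
        if label_len == 0:
            return off + 1
        if label_len & 0xC0 == 0xC0:  # compression pointer, 2 bytes
            return off + 2
        off += label_len + 1

def build_query(name: str, edns_size: Optional[int] = 4096, qtype: int = 16) -> bytes:
    """Constructed query (TXT by default); edns_size=None yields a classic, non-EDNS query."""
    hdr = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 1 if edns_size else 0)
    msg = hdr + encode_name(name) + struct.pack("!HH", qtype, 1)
    if edns_size:  # OPT RR: root owner name, TYPE 41, CLASS = advertised size, TTL 0, no RDATA
        msg += b"\x00" + struct.pack("!HHIH", OPT, edns_size, 0, 0)
    return msg

def build_response(query: bytes, txt: bytes) -> bytes:
    """Constructed reply: same question, one TXT answer (255-byte strings), OPT RR echoed back."""
    qdcount, _ancount, nscount, arcount = struct.unpack("!HHHH", query[4:12])
    hdr = query[:2] + struct.pack("!HHHHH", 0x8180, qdcount, 1, nscount, arcount)
    qend = skip_name(query, 12) + 4
    rdata = b"".join(bytes([len(c)]) + c for c in (txt[i:i + 255] for i in range(0, len(txt), 255)))
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 16, 1, 300, len(rdata)) + rdata
    return hdr + query[12:qend] + answer + query[qend:]

def edns_udp_size(msg: bytes) -> int:
    """Advertised EDNS0 payload size, or 512 (the RFC 1035 UDP limit) when there is no OPT RR."""
    qd, an, ns, ar = struct.unpack("!HHHH", msg[4:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        if rtype == OPT:
            return rclass
        off += 10 + rdlen
    return 512

def pix_dns_fixup_drops(msg: bytes, maximum_length: int = 512) -> bool:
    """Assumed model of 'fixup protocol dns maximum-length N': UDP DNS longer than N is dropped."""
    return len(msg) > maximum_length

def client_would_accept(query: bytes, response: bytes) -> bool:
    """The resolver behind the PIX accepts any UDP answer up to the size it advertised."""
    return len(response) <= edns_udp_size(query)
```

With the query below, the resolver negotiated 4096 bytes and would happily take the 675-byte answer, but the fixup silently drops it; the client then times out rather than falling back, which is the DNSBL failure Devdas describes.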