Security Basics mailing list archives
Re: Cisco PIX fixup protocol command
From: Jamie Pratt <jamie () nucdc org>
Date: Wed, 11 Feb 2004 13:48:34 -0500
The fixup means that it will add stateful connection tracking to the protocol/port you desire. This keeps the firewall from using more resources than necessary, and I would imagine it speeds things up as well.

As far as SMTP goes, it's often recommended NOT to use it. Basically, commands like EHLO (instead of HELO, which MANY mail clients use instead) will not work, ESMTP breaks, etc., etc. (At least on Qmail servers anyhow; not sure about the others. It also hides the SMTP banner with XXXX's, which is good of course, but at the expense of [possibly] losing email, depending on your mail server type.)

As far as security implications of 'no fixup', I'm guessing the TCP sequence numbers would probably be easier to guess, which, as most know, is a difficult way to hack a firewall anyhow... Personally, I would think it would be more secure, not less..? (I could be wrong.. comments?)

The syntax of 'no fixup protocol service port' basically means to treat that port/service/protocol as non-stateful, meaning all the packets will have to traverse the ruleset, just adding overhead to the firewall in general.

I may be wrong here, but I believe that is really all there is to it... There is a mailing list out there called fw-wiz, or 'firewall wizards' (not sure of the URL, sorry), which is probably better able to answer this in more detail..

regards,
jamie

S.Rohit wrote:
| hi everyone....
|
| might sound like a very stupid question to ask, but i am looking for info
| on what is the use of fixup protocol commands on the Cisco PIX device. what is
| the exact usage and significance of these commands? and what are the security
| implications of this command? i know that some fixups like, say, fixup protocol
| smtp are good because of the way they restrict the SMTP command set, but how about
| the general syntax [no] fixup protocol [service] [port]? what is this used for
| and what are the security implications for this?
|
| i am asking this because i'm seeing a recommendation in some PIX hardening
| guide to disable fixups or they flag fixups as a security issue? why is that?
|
| rohit
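The SMTP fixup behaviour described in the reply above (only a minimal command set passes, the banner is masked, EHLO fails), as an added example that is not part of the original thread or of Cisco's software: a simplified Python model of such a command filter sitting between a constructed ESMTP server and a client. The allowed-command set, the masking rule, the hostname and the fake server replies are assumptions made for the illustration; it shows why a client that does not fall back from EHLO to HELO never gets past the greeting.

```python
# Added, simplified model of an SMTP command filter ("fixup"); not Cisco's code.
# Assumed: only these seven commands pass, everything else is answered by the
# filter itself, and the server banner is masked except for its reply code.
ALLOWED = {"HELO", "MAIL", "RCPT", "DATA", "RSET", "NOOP", "QUIT"}


def mask_banner(banner: str) -> str:
    """Keep the 3-digit reply code, replace the rest of the greeting with X's."""
    code, sep, rest = banner.partition(" ")
    return code + sep + "X" * len(rest)


class FakeServer:
    """Constructed ESMTP server, not a real MTA: answers EHLO with extensions."""
    BANNER = "220 mail.example.test ESMTP"

    def handle(self, line: str) -> str:
        verb = line.split()[0].upper()
        if verb == "EHLO":
            return "250-mail.example.test\r\n250 STARTTLS"
        if verb in ALLOWED:
            return "250 OK"
        return "500 command unrecognized"


def run_session(commands, fixup: bool):
    """Return [(client line, reply)] as the client sees it, with or without fixup."""
    server = FakeServer()
    banner = mask_banner(server.BANNER) if fixup else server.BANNER
    transcript = [("<banner>", banner)]
    for line in commands:
        verb = line.split()[0].upper()
        if fixup and verb not in ALLOWED:
            # The filter answers for the server; the command never reaches it.
            transcript.append((line, "500 command unrecognized"))
            continue
        transcript.append((line, server.handle(line)))
    return transcript


def greet(fixup: bool, client_falls_back: bool = True):
    """Model an ESMTP client: try EHLO, optionally fall back to HELO on failure."""
    if run_session(["EHLO client.test"], fixup)[1][1].startswith("250"):
        return "EHLO"
    if client_falls_back and run_session(["HELO client.test"], fixup)[1][1].startswith("250"):
        return "HELO"
    return None  # session never gets past the greeting: no mail is delivered


if __name__ == "__main__":
    for fixup in (False, True):
        print("fixup" if fixup else "no fixup", greet(fixup), greet(fixup, False))
```

With the filter on, STARTTLS is never advertised either, since the EHLO reply that would carry it is replaced by the filter's 500.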
Current thread:
- Cisco PIX fixup protocol command S . Rohit (Feb 11)
- Re: Cisco PIX fixup protocol command Jamie Pratt (Feb 12)
- Re: Cisco PIX fixup protocol command Brian Ford (Feb 12)
- RE: Cisco PIX fixup protocol command Joey Peloquin (Feb 13)
- Re: Cisco PIX fixup protocol command kawaii ryuko (Feb 12)
- Re: Cisco PIX fixup protocol command erisk (Feb 13)
- <Possible follow-ups>
- RE: Cisco PIX fixup protocol command Chris Curtiss (Feb 12)
- Re: Cisco PIX fixup protocol command James Turnbull (Feb 13)
- RE: Cisco PIX fixup protocol command d'Ambly, Jeff (Feb 12)
- RE: Cisco PIX fixup protocol command Stefan Greve (Feb 12)
- RE: Cisco PIX fixup protocol command Rosenhan, David (Feb 12)
- Re: Cisco PIX fixup protocol command Ivan Coric (Feb 13)