Firewall Wizards mailing list archives
RE: pixen abnomalities;
From: "Melson, Paul" <PMelson () sequoianet com>
Date: Thu, 21 Aug 2003 16:41:22 -0400
That's a new one on me. You can use 'service resetoutside' and/or 'service resetinbound' to cause the PIX to send an RST back to hosts sending TCP packets that are denied by an access-list (or just denied in general). I don't know if this would result in connections that exceed the idle time set with the 'timeout' command receiving an RST or not. I'd be interested to know how it behaves if anyone has tried this.

PaulM
-----Original Message-----

It's been a while since I played in a firewall admin role, and worked mostly with fw-1 ipchains/iptable kinda setups. But, in a new position as a unix/web admin, I'm dealing with firewall admins that maintain that not setting the pixies to send an rst upon idle timeout is a 'protection' in case the connection that went idle was hijacked. Course, this will hose up a console connection for a good twenty minutes or more depending upon the configuration of the systems I'm using a console on. But, is this really a concern and rationale for not sending an rst on idle timeout limits?
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
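Whatever the PIX does at idle timeout, the original poster's hang comes from the client side: once the firewall silently ages the flow out of its connection table, the console session sits there until the host's own TCP timers give up. The usual admin-side fix is to send TCP keepalives more often than the firewall's 'timeout conn' value, so the entry is refreshed before it expires. The following Python is an added example written for this archive page, not code from either poster; the 20-minute conn timeout is a constructed value, and the keepalive option names are assumed to be those exposed by Linux (TCP_KEEPIDLE) and macOS (TCP_KEEPALIVE).

```python
import socket

def parse_pix_timeout(value):
    """Parse a PIX 'timeout'-style hh:mm:ss value (e.g. '1:00:00') into seconds."""
    parts = [int(p) for p in value.split(":")]
    if len(parts) != 3 or any(p < 0 for p in parts):
        raise ValueError("expected hh:mm:ss, got %r" % value)
    hours, minutes, seconds = parts
    return hours * 3600 + minutes * 60 + seconds

def keepalive_idle_for(firewall_conn_timeout, fraction=0.5):
    """Pick a keepalive idle time well below the firewall's conn timeout, so a
    probe refreshes the PIX connection entry before the entry is aged out."""
    return max(int(parse_pix_timeout(firewall_conn_timeout) * fraction), 1)

# Linux exposes the idle timer as TCP_KEEPIDLE; macOS names it TCP_KEEPALIVE.
# Either may be missing on other platforms, in which case only SO_KEEPALIVE is set.
_IDLE_OPT = getattr(socket, "TCP_KEEPIDLE", getattr(socket, "TCP_KEEPALIVE", None))

def enable_tcp_keepalive(sock, idle, interval=15, count=4):
    """Turn on TCP keepalives on sock; returns the SO_KEEPALIVE flag read back (1)."""
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_KEEPALIVE, 1)
    if _IDLE_OPT is not None:
        sock.setsockopt(socket.IPPROTO_TCP, _IDLE_OPT, idle)
    if hasattr(socket, "TCP_KEEPINTVL"):
        sock.setsockopt(socket.IPPROTO_TCP, socket.TCP_KEEPINTVL, interval)
    if hasattr(socket, "TCP_KEEPCNT"):
        sock.setsockopt(socket.IPPROTO_TCP, socket.TCP_KEEPCNT, count)
    return sock.getsockopt(socket.SOL_SOCKET, socket.SO_KEEPALIVE)

def keepalive_state_for(firewall_conn_timeout):
    """Configure a throwaway TCP socket for the given conn timeout and return
    (keepalive_flag, idle_seconds_read_back); idle is None if not exposed."""
    idle = keepalive_idle_for(firewall_conn_timeout)
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        flag = enable_tcp_keepalive(s, idle)
        readback = None if _IDLE_OPT is None else s.getsockopt(socket.IPPROTO_TCP, _IDLE_OPT)
    return flag, readback

if __name__ == "__main__":
    # Constructed value: assume the firewall team ages idle TCP flows out after 20 minutes.
    print(keepalive_state_for("0:20:00"))  # (1, 600) on Linux
```

Keepalives keep the firewall's state entry alive; they do not address the hijack concern raised in the thread, which is about what a stale entry is worth to an attacker, not about whether the client notices the drop.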