Firewall Wizards mailing list archives

RE: pixen abnomalities;


From: "Melson, Paul" <PMelson () sequoianet com>
Date: Thu, 21 Aug 2003 16:41:22 -0400

That's a new one on me.  You can use 'service resetoutside' and/or 'service resetinbound' to cause the PIX to send an 
RST back to hosts sending TCP packets that are denied by an access-list (or just denied in general).  I don't know if 
this would result in connections that exceed the idle time set with the 'timeout' command receiving an RST or not.  I'd 
be interested to know how it behaves if anyone has tried this.

PaulM


 -----Original Message-----
It's been a while since I played in a firewall admin role, and worked mostly
with fw-1 ipchains/iptables kinda setups.  But, in a new position as a
unix/web admin, I'm dealing with firewall admins that maintain that not
setting the pixies to send an rst upon idle timeout is a 'protection' in
case the connection that went idle was hijacked.  'Course, this will hose
up a console connection for a good twenty minutes or more depending upon
the configuration of the systems I'm using a console on.  But, is this
really a concern and rationale for not sending an rst on idle timeout
limits?
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
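The two behaviours discussed in this thread (a firewall that answers a dead connection with a RST versus one that silently discards the packets) can be reproduced on a single host without a PIX. The following is an added example, not code from either poster; it stands in for the firewall with a loopback server that either emits a RST (using the SO_LINGER zero-timeout trick, which is what makes close() send RST instead of FIN) or simply stops answering, which is what an expired state-table entry looks like to the client. The function name `idle_client_outcome` and the `mode` values are the example's own.

```python
import socket
import struct
import threading
import time


def _serve_one(listener, mode, release):
    """Accept one client, then either reset it (mode='rst') or go silent (mode='drop')."""
    conn, _ = listener.accept()
    conn.recv(16)  # consume the client's hello so nothing is pending
    if mode == "rst":
        # SO_LINGER with l_onoff=1, l_linger=0: close() aborts the connection with a RST
        # rather than a FIN. This mimics the 'service resetinbound/resetoutside' case,
        # where the firewall tells the peer outright that the connection is gone.
        conn.setsockopt(socket.SOL_SOCKET, socket.SO_LINGER, struct.pack("ii", 1, 0))
        conn.close()
    else:
        # Silent drop: keep the socket but never answer. From the client's side this
        # is indistinguishable from a firewall that quietly discards segments after
        # its idle timer expired; the client only learns when its own timer fires.
        release.wait()
        conn.close()


def idle_client_outcome(mode, client_timeout=1.0):
    """Run one client against the simulated firewall.

    Returns ('reset', seconds) when the client is told immediately, or
    ('timeout', seconds) when it had to wait for its own timeout to expire.
    """
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))  # constructed loopback endpoint, ephemeral port
    listener.listen(1)
    release = threading.Event()
    worker = threading.Thread(target=_serve_one, args=(listener, mode, release), daemon=True)
    worker.start()

    client = socket.create_connection(listener.getsockname())
    client.settimeout(client_timeout)  # plays the role of the application's own timer
    client.sendall(b"hello")
    start = time.monotonic()
    try:
        data = client.recv(16)
        outcome = "reset" if data == b"" else "data"
    except ConnectionResetError:
        outcome = "reset"  # RST delivered: the client fails fast
    except socket.timeout:
        outcome = "timeout"  # nothing came back: the client hung for the full timer
    finally:
        elapsed = time.monotonic() - start
        release.set()
        client.close()
        listener.close()
    return outcome, elapsed


if __name__ == "__main__":
    for mode in ("rst", "drop"):
        print(mode, idle_client_outcome(mode))
```

With a one-second client timer the `rst` run returns in milliseconds and the `drop` run takes the whole second; scale that timer up to the twenty-plus minutes the original poster describes and you have the stuck console session from the thread. The example says nothing about whether the RST behaviour affects a hijacked idle connection, which is the open question Paul raises.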

