
PIX FW

Anghang

Platinum Member
Is every service blocked by default unless explicitly stated otherwise in the configuration?

For example, if there's no statement about "finger" or "telnet" at all in the configuration, does this mean that it's not being allowed through?

What about proxy-arps? I read somewhere that you would need to specify "noproxyarp ifname". How would this appear in the configuration? Would it not being there mean that it's not being allowed?

Version 6.3 btw, dunno if that would make a difference or not.
 
By default, everything outbound is allowed, everything inbound (originating from the outside, but not as the result of a request from the inside) is blocked.

I believe the only exception is "echo reply" is / may be allowed in by default to allow PINGs to work.

Specific outbound traffic may need a "Fixup" to handle the way the outside resource will respond and adjust the inbound dynamic ACL.

FWIW

Scott
 
so unlike a router where I would have to explicitly specify the following:

no telnet
session timeout setting value
no proxy-arps
no finger
no specific banners (version, etc) <-- though this wouldn't be explicitly noted, just not found in the config

with PIX by default, none of those are allowed through from the outside unless it's a result of a request coming from inside?
 
Yes, nothing gets from outside to inside unless specified, or the connection is initiated by inside host.

Sometimes even connections initiated by inside are blocked because additional ports are opened or needed (like ports 20/21 w/ FTP). In this case you need a "fixup" statement to allow such connections.

I found this book very helpful. You can consider picking up a copy just for reference.
 
Originally posted by: Cooky
I found this book very helpful. You can consider picking up a copy just for reference.

Thanks for the insight 🙂

I also noticed that the customer review for that book is also the same customer review on Amazon.com
 
OK, been doing some reading, and just so I'm understanding this correctly, if I wanted to, say, allow "finger" through the firewall, I would have to specify the following in the configuration:

fixup protocol finger 79

yes?
 
No, fixup is just a way of adapting certain variations in certain vendors and enforcing proper command sequence structure in certain protocols. For example, Exchange server (at least 5.5) uses a different SMTP command type (EHLO instead of HELO) when initiating a connection. Fixup adapts to those variations. To permit finger into your network from the outside you would create an ACL similar to the following:

access-list INBOUND extended permit tcp any any eq 79
access-list INBOUND extended deny ip any any

You would then apply the INBOUND ACL to the outside interface of the firewall. In effect, the above ACL will permit any IP address from the outside to access any IP address inside your network on TCP port 79 (finger).
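Pulling the thread's pieces together (inbound is denied by default, the ACL must be applied to the outside interface, and FTP needs its fixup), here is an added example config that is not from any of the posters. It assumes PIX 6.3 syntax (no "extended" keyword on access-list) and uses constructed documentation addresses for the inside finger host (192.168.1.10) and the outside address it is published on (203.0.113.10).

```cisco
! Added example, not from the thread. PIX 6.3 syntax: no "extended" keyword.
! Addresses are constructed documentation values; 203.0.113.10 is the outside
! (global) address that the inside finger server 192.168.1.10 is published on.
!
! 1. Publish the inside host on a fixed outside address. Inbound connections
!    are dropped by default until a static and a matching ACL both exist.
static (inside,outside) 203.0.113.10 192.168.1.10 netmask 255.255.255.255
!
! 2. Permit only TCP/79 to that one published address instead of "any any";
!    the trailing deny makes the default-deny visible in the config.
!    In 6.3 the destination in an outside ACL is the global (translated) address.
access-list INBOUND permit tcp any host 203.0.113.10 eq 79
access-list INBOUND deny ip any any
!
! 3. Apply the ACL inbound on the outside interface. Without this line the
!    access-list exists in the config but filters nothing.
access-group INBOUND in interface outside
!
! 4. Outbound is allowed by default, but active FTP needs the fixup so the
!    PIX can track the data connection (port 20) the server opens back to
!    the inside client; that return connection is not a simple reply.
fixup protocol ftp 21
!
! 5. The proxy-ARP question from earlier in the thread: proxy ARP is on by
!    default for each interface and only appears in the config once disabled.
sysopt noproxyarp outside
```

The "any any" form from the post above works, but it exposes every published inside address on port 79; restricting the destination to the one host that should answer finger is the same ACL with a narrower match.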
 
Originally posted by: Rogue
No, fixup is just a way of adapting certain variations in certain vendors and enforcing proper command sequence structure in certain protocols. For example, Exchange server (at least 5.5) uses a different SMTP command type (EHLO instead of HELO) when initiating a connection. Fixup adapts to those variations. To permit finger into your network from the outside you would create an ACL similar to the following:

access-list INBOUND extended permit tcp any any eq 79
access-list INBOUND extended deny ip any any

You would then apply the INBOUND ACL to the outside interface of the firewall. In effect, the above ACL will permit any IP address from the outside to access any IP address inside your network on TCP port 79 (finger).

QFT
 