> -----Original Message-----
> From: Gary Maltzen [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, 29 August 2000 9:15 AM
> To: [EMAIL PROTECTED]
> Cc: Firewalls List
> Subject: Re: Cisco IOS Firewall
> 
> 
> What you are talking about is the "T"-suffixed version of IOS which
> includes CBAC (Context-Based Access Control).

The 'T' train doesn't include CBAC, unless something really drastic has
changed. You need to actually purchase the IOS/Firewall feature set, or one
of the encryption images that supports FW. You can get plain ol' IP in the
'T' train for nothing - it would be great if it did have CBAC. *sigh*

> It has improvements on regular access-based lists, but it is not a
> firewall in the sense of FW-1.

What, you mean it actually keeps some traffic out? ;)

> 
> Since we have it on our router, I use CBAC (together with reflexive access
> lists) as a first line of defense. I already have an issue open with Cisco
> though because CBAC-SMTP does not support ESMTP (causing many Solaris
> sendmail systems to fail to deliver inbound messages).

I would imagine that you'll get this answer: Don't inspect smtp. Just
inspect TCP and allow port 25 traffic in your access-lists. What do you
lose? Control-channel inspection for incoming email? Feh. Email problems are
all virii and worms these days and CBAC won't do a thing about _them_. My
personal opinion on that, BTW, is that anything that aborts when it can't
use ESMTP is _really_ busted. Are you _sure_ it's not a DNS matching or
ident bug in disguise?

Cheers,

--
Ben Nagy
Network Consultant, Volante Solutions
PGP Key ID: 0x1A86E304  Mobile: +61 414 411 520
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
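An added example, not part of this thread or of either poster's configuration: the change Ben suggests written out as IOS CBAC configuration, with the per-protocol smtp inspection rule beside the tcp-only replacement and the static port-25 hole in the inbound access-list. Inspection rule names, the interface name and the 192.0.2.25 relay address are placeholders chosen for the example.

```cisco
! Constructed example: CBAC on the Internet-facing interface of an IOS
! router running the Firewall feature set. Addresses are placeholders
! from the RFC 5737 documentation range.
!
! BEFORE: inspect the SMTP command channel itself. As reported in the
! thread, this engine does not support ESMTP, so peers that open with
! EHLO and then give up are unable to deliver inbound mail.
ip inspect name FW-OLD tcp
ip inspect name FW-OLD udp
ip inspect name FW-OLD smtp
!
! AFTER: generic TCP state tracking only. Sessions are still tracked
! statefully and return traffic for inside-initiated connections is
! still opened dynamically; only the SMTP command parsing is dropped.
! That is the trade-off Ben describes: no control-channel inspection
! for mail, in exchange for not breaking ESMTP-speaking senders.
ip inspect name FW-NEW tcp
ip inspect name FW-NEW udp
!
! Inbound ACL on the outside interface. The one static hole is TCP/25
! to the mail relay; all other unsolicited traffic is dropped and logged.
! CBAC inserts temporary entries ahead of this ACL for return traffic
! belonging to sessions it has inspected.
ip access-list extended OUTSIDE-IN
 permit tcp any host 192.0.2.25 eq smtp
 deny   ip any any log
!
interface Serial0/0
 description Internet uplink (placeholder interface name)
 ip access-group OUTSIDE-IN in
 ip inspect FW-NEW out
```

Whether inbound mail still fails after swapping FW-OLD for FW-NEW is the quickest way to settle Ben's closing question: if EHLO sessions now complete, the smtp inspection engine was the cause; if they still abort, look at the DNS or ident behaviour of the relay instead.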
