Hello all,
I try to configure a PIX515, which has 2 interfaces.
My problem is, that I cannot start any communication from the outside through the
firewall.
Outbound connections are no problem.
These are some of the syslog messages:
%PIX-6-305002: Translation built for gaddr 192.168.0.253 to
Title: RE: Checkpoint log forwarding.
I have cracked it, here is the solution.
First thanks to Lance Spitzner's excellent site here http://www.enteract.com/~lspitz,
helped me immensely with the script side of things, also the service logic.
Firstly modify the User defined rule to run your
Hello all,
sorry, I forgot to mention the subject, so I send this mail a second time.
I try to configure a PIX515, which has 2 interfaces.
My problem is, that I cannot start any communication from the outside through the
firewall.
Outbound connections are no problem.
These are some of the
Title: Borderware IPSec Client
Hi guys
I'm having problems with the Borderware IPSec Client.
If I connect through my cable provider at home, I can connect.
At work it doesn't work, although the firewall allows my PC to connect.
The fw is configured to allow IP protocol 50, IP protocol 51 and
I suspect the access-list, the intranet ip is 192.168.1.0/24 , but you had given
permission for 192.168.0.0/24 network.
access-list 120 permit icmp any 192.168.0.0
255.255.255.0 echo-reply---so this will allow icmp traffic from any to 192.168.0.0/24
and not to intranet. So try changing that
Thanks for your hint Mohamed, but I think there is a misunderstanding.
Outbound ping works. It reaches the Intranet because of the nat and global commands.
I only added the ICMP lines to show, that the acls kind of work.
But they do not work with tcp and udp.
So I guess the problem are not the
Dear Members of the list!
As Mr Du Fresne gives the most recent evidence that MS ISA might NOT be
as secure as one might think (referring to the released patches),
I feel much more comfortable with my ip_chains FW @ home than behind
the ISA @ my customers site ;-)
I DO understand what linux does
Hi,
I would like to know what do you think about Gauntlet Firewall and NAI security
products in general! Should I recommend those for my clients or is it better to use
some other products ?
Thanks in advance,
Daniel
___
Firewalls mailing list
[EMAIL
Quick question...
I need to block certain IP's from our systems. Should I do that on our PIX's
or on our 7206's? Can you give me a sample of the code that represents the best
method?
Thanks...Michael
Hello all,
We have managed to log PIX information into a file, but what's the best
software to use to read and analyse this information. It's too much and we
can't find any way to properly read and generate reports out of it !!
HELP !! :-)
---Kais Al-Essa, Operations Technical
Services
Hello all,
We have a scenario where on the DMZ we
have an IIS Server hosting the main web site. In the internal LAN, we have a
farm of database servers.
We are developing web-based applications
that pull and display to authorized visitors (from the IIS Server on the DMZ)
some information
Hi:
I need to analyze my network utilization, I need to know what is the
traffic in my LAN, I have a Microsoft LAN (WinNT, Win9x) anyone know what
tools I can use?
Thanks!
You might look at Commview (www.tamos.com). Somebody sent me an eval
package a few weeks ago. I liked it and bought it!
HTH
Harry
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]On Behalf Of d d
Sent: Tuesday, September 18, 2001 8:35 AM
To: [EMAIL PROTECTED]
You could try this:
http://cs.calvin.edu/~mpost89/pixlog/
I looked at it once and it is reasonable, but as the V1.0 indicates, it needs
some more features / functionality to be of major use.
Luke Butcher Em: [EMAIL PROTECTED]
-Original Message-From: Kais Al-Essa
[mailto:[EMAIL
On Tue, 18 Sep 2001, d d spewed into the ether:
I need to analyze my network utilization, I need to know what is the
traffic in my LAN, I have a Microsoft LAN (WinNT, Win9x) anyone know what
tools I can use?
Offhand, I can think of windump, snort-win32.
Add a Linux box and you have ntop and
Folks,
Someone mentioned seeing similar signatures in their logs earlier today
to the signatures we are seeing in dramatic rapidity in a short time span.
Are other sites seeing similar signatures quick greps attached and
posted below Has a new toy been unleashed, or is this an old toy we have
-- Forwarded message --
Date: Tue, 18 Sep 2001 16:42:51 +0100
From: Joao Gouveia [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: New concept virus/worm?
( sorry for the cross-post, this might have interest for both lists )
Hello all,
Today i've received
Another nice fit for MRTG. http://www.mrtg.org
On Tue, 18 Sep 2001, d d wrote:
Hi:
I need to analyze my network utilization, I need to know what is the
traffic in my LAN, I have a Microsoft LAN (WinNT, Win9x) anyone know what
tools I can use?
Thanks!
Don't know if this is related, may be. The company which hosts our site has
a file readme.eml which got stuck on its box. If you hit our URL, it asks
if you would like to save or open a file readme.exe, I have a copy of the
readme.exe currently if anyone would like to break it down. One of my
On Tue, Sep 18, 2001 at 10:50:40AM -0500, Ron DuFresne wrote
Folks,
Someone mentioned seeing similar signatures in their logs earlier today
to the signatures we are seeing in dramatic rapidity in a short time span.
Are other sites seeing similar signatures quick greps attached and
I haven't been able to get a copy of the worm yet, but
it scans IIS machines for vulnerabilities able to run
cmd.exe?\dir+c, then if that works, sends an attempt
to run tftp back to itself and grab Admin.dll, then
run it.
Here are some logs:
Tue Sep 18 09:43:13 2001: 38.214.180.8 - x.x.1.29:
hmm;
according to what Ron said:
[Tue Sep 18 18:26:48 2001] [error] [client 193.251.71.157] File does not exist:
/home/httpd/html/scripts/root.exe
I've destroyed a 17k mail from my system check. And I see that I have a 12K
file, a 15KB ... the first seems to be at 01:16 CEST time.
It was maybe a
Title: RE: something new afoot, sweeping scans:
Seeing hits from this new worm, looks like it tries circa 30 URLs.
Logic looks similar to Code Red II/III, in that most hits are coming from similar class B and C networks.
Not sure of payload though as we're protected.
Regards,
Luke Butcher
Hi All,
Here I am ; still suffering with my Nokia's .. I have one
FW-1 (Nokia IP440) on-line so far, and one that I wish to install as
backup.
Ordering was done by another dept. (my excuse !) so I have only now
discovered that we have only one certificate key. !.
As I
On Tue, 18 Sep 2001, Luke Butcher wrote:
Seeing hits from this new worm, looks like it tries circa 30 URLs.
Logic looks similar to Code Red II/III, in that most hits are coming
from similar class B and C networks.
it's a huge shitstorm here. shutting us down all morning as our firewall
Hi folks,
Ron DuFresne wrote:
Folks,
Someone mentioned seeing similar signatures in their logs earlier today
to the signatures we are seeing in dramatic rapidity in a short time span.
Are other sites seeing similar signatures quick greps attached and
posted below Has a new toy been
has anyone seen a payload like this one?
I have been scanned by 59 separate hosts and they all hit 76 different urls
unfortunately every 404 on the server triggers an email.
this is cut down from the 76 distinct
all the tftp calls were requesting admin.dll from the host that performed the
Thought this might be useful to members of this list. This probably
explains what we are all seeing.
John J. Steniger
-Original Message-
From: Tom Sevy [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, September 18, 2001 12:17 PM
To: Snort-Users eMail List ([EMAIL PROTECTED])
Subject:
Title: RE: something new afoot, sweeping scans:
my Pix is filtering out tons of SYN connections to port 80 from several subs domains on 209.x.x.x
This part of it? I am assuming so.
...
Dean
everyone has
-Original Message-
From: Stu [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, September 18, 2001 10:49 AM
To: Jose Nazario
Cc: Luke Butcher; [EMAIL PROTECTED]
Subject: Re: something new afoot, sweeping scans:
has anyone seen a payload like this one?
I have been scanned by 59
Try this on for size - from another list. Looks like the culprit.
Lee
- Forwarded by Lee C Herbst/Marion County Property Appraiser on
09/18/01 01:31 PM -
Michael Balasko [EMAIL PROTECTED]
Sent by: Windows NT/2000 Discussion List [EMAIL PROTECTED]
09/18/01 12:11 PM
Please respond
On Tue, 18 Sep 2001, Josh Welch wrote:
Hi !
I doubt it's new ... My servers are flooded with this since this afternoon
(about 15:30 GMT+1).
Could you send me the suspicious .exe ? I'd like to dismantle it ...
Bye
Bgs
Ron DuFresne wrote:
Folks,
Someone mentioned seeing similar signatures in their logs earlier today
to the signatures we are seeing in dramatic rapidity in a short time span.
Are other sites seeing similar signatures quick greps attached and
posted below Has a new toy been unleashed, or
new worm. I am in Brazil and it is attacking our lan intensively. It was received from
somewhere, and is getting fresh addr from (oh, surprise) the outlook addressbook,
disseminating itself.
It multiplies in the client-machine, also in any shared resource INCLUDING SAMBA (ours
is hosted in
We got affected. Anybody has released a signature?
--- John Steniger [EMAIL PROTECTED] wrote:
Thought this might be useful to members of this
list. This probably
explains what we are all seeing.
John J. Steniger
-Original Message-
From: Tom Sevy [mailto:[EMAIL
Hi !
It may be a coincidence but the attacks I receive are not continuous...
I see gaps with no Nimda traffic at all, then the wave hits again.
Bye
Bgs
___
Firewalls mailing list
[EMAIL PROTECTED]
http://lists.gnac.net/mailman/listinfo/firewalls
I wrote these signatures:
alert tcp any 110 -> any any (msg:"Virus - Possible Nimda Worm"; content:"readme.exe"; nocase; sid:12345; rev:1;)
alert tcp any 80 -> any any (msg:"WEB-MISC - Possible Nimda Worm"; content:"readme.exe"; nocase; sid:12346; rev:1;)
I'm testing now.
Luis Enrique Londono
-
On Tue, 18 Sep 2001, ? wrote:
I wrote these signatures:
alert tcp any 110 -> any any (msg:"Virus - Possible Nimda Worm"; content:"readme.exe"; nocase; sid:12345; rev:1;)
alert tcp any 80 -> any any (msg:"WEB-MISC - Possible Nimda Worm"; content:"readme.exe"; nocase; sid:12346; rev:1;)
If you can
Hey,
We want to connect Home Offices with more than one
PC to our Local Network using IPSec VPNs. All our home offices have or a (A)DSL
or a Cable Modem connection. Those Internet connections for our home offices
receive one official IP dynamically. This means those addresses can change
Hello Guys.. can anyone tell me.. what (if any) difference is there between
the code blue and nimda are? Or are they indeed one in the same?
Thanks much for your help.
Kelly Williams
At 11:57 AM 9/18/01 -0700, [EMAIL PROTECTED] wrote:
new worm. I am in Brazil and it is attacking our lan
Hi,
this one isn't new stuff, see below
http://archives.neohapsis.com/archives/snort/2001-05/0215.html
Paul
-Original Message-
From: Frank Neumann [SMTP:[EMAIL PROTECTED]]
Sent: Tuesday, September 18, 2001 11:27 AM
To: Ron DuFresne
Cc: [EMAIL PROTECTED]
Subject:Re:
Have something strange here as well. Infected an NT4 workstation/IIS4.
Uses TFTP.EXE for outward scans and placed 1k of empty files in /scripts.
Russ Goulding
Systems Administrator
Quick Delivery Service, Inc.
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]On
It may be because of the type of ipsec connection you
are using. I'm going to assume you are using NAT with
the FW at work. I think you need to see if you are
using AH (i think proto 51) AH doesn't like NAT (don't
quote me on this:) ) i think because it takes a md5
checksum of the packet. So
Well I think it has to do with your static line. Your
global address is 192.168.0.253, so your connections
should be hitting that address, which the pix will
xlate to 192.168.1.1.
In your examples you are not sending icmp, you are
sending udp, and you are pointing it to 192.168.1.1.
So either
safieradam wrote:
Ben makes good points about centralized management.
At some point you don't want to be uploading ACL's to 70+ boxes one at a
time. A script might do it but that brings up the issue of passwords. Are
you managing in the clear or turning on and supporting SSH?
We are
Ben Nagy wrote:
[..]
What about policy management for all 70 sites from a single console? Can the
PIX do that effectively yet? I've heard mumble about an Enterprise Manager
of some description for PIX / Router ACLs, but I honestly have no idea
whether or not it's vapour.
It would seem
Bill McGee wrote:
BTW, The Cisco Secure Policy Manager will allow you to manage up to 500
PIX firewalls from a single GUI management interface, as well as VPNs,
IDS, and more. Not sure why people keep harping on the one-at-a-time
management issue for the PIX, as we've had this covered for
Gordon,
Here are my views on this subject
..snip..
As I understand it ( and I am more than happy to be corrected on
this one !
) this means I can only use one IP address for both boxes.
This in turn means I really need to set them up as a gateway
cluster and
Hi.
I'm Anthony
I'm new to securing networks with firewalls.
Can anybody point me to where I can learn first?
thx
-anthony l-
-Original Message-
From: bob bobing [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, September 19, 2001 10:55 AM
To: Ben Nagy; 'Sven Jansen'
Cc: [EMAIL PROTECTED]
get the book from O'Reilly called
Building Internet Firewalls, Second Edition
Great intro about how firewalls work and how
they must be set up...
Regards,
Brenno
-Original Message-
From: Anthony Liberty [SMTP:[EMAIL PROTECTED]]
Sent: woensdag 19 september 2001 7:19
To: '[EMAIL
Got this from Peter Kruse who pointed me to http://www.norman.no/ - thanks!
The worm W32/Nimda.A@mm is spreading very
fast. It may arrive as an email with the following characteristics:
Subject: None
Body: None
Attachment name: README.EXE
This worm may enter a computer in several ways -