Don...
..snip..
1.0 From a security viewpoint would stateful failover of firewalls
be a plus or minus.
..snip..
Checkpoint firewalls do state synchronisation between the firewall cluster
nodes.
If one of the cluster members goes down then the other firewall(s) take over
the
Hiya all
Since I implemented User Auth for browsing, the FQDN addresses are being
changed to the
site's IP addresses.
However, when my users retype the address, it's fine.
How do I solve this problem of retaining the FQDN on first attempt?
I have a squid proxy which they connect to before the
Check your logs for any info as to why this would be happening, also check
the security level and NAT statement on your interfaces.
I have a similar thing that I have been battling with. I use a Pix 525 with
6.1 IOS. My one mail server is on an interface with security level 20 and
my Unix
Syslog, syslog, syslog. Review your log data from the Pix and determine what
the fate of this traffic is. Do you see denies associated with this IP
address? Does it show successful connections built? Try setting your logging to:
logging trap informational
logging on
logging 192.168.0.5
Here is an
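As an added example, not from any of the posts above: the triage the reply recommends, done in Python over a few constructed PIX 6.x-style syslog lines. It groups "Built" and "Deny" messages by host so you can see at a glance whether a given address is getting connections built or is being dropped by an access-group. The hosts, ports, access-group name and the log lines themselves are made up for illustration; exact message IDs and field layouts differ between PIX OS releases, so adjust the regular expressions to what your logging host actually receives.

```python
import re
from collections import Counter

# Constructed sample syslog output in the style of PIX 6.x (not taken from the
# original post). Hosts, ports and the access-group name are made up; the
# message IDs follow the "Built"/"Deny" families but vary between releases.
SAMPLE_LOG = """\
Feb  1 2002 14:02:11: %PIX-6-302013: Built outbound TCP connection 1201 for outside:198.51.100.7/80 (198.51.100.7/80) to inside:192.168.0.5/1034 (203.0.113.2/1034)
Feb  1 2002 14:02:15: %PIX-4-106023: Deny tcp src dmz:172.16.1.10/2049 dst inside:192.168.0.20/1433 by access-group "dmz_in"
Feb  1 2002 14:02:16: %PIX-4-106023: Deny tcp src dmz:172.16.1.10/2050 dst inside:192.168.0.20/1433 by access-group "dmz_in"
Feb  1 2002 14:02:20: %PIX-6-302015: Built outbound UDP connection 1202 for outside:198.51.100.53/53 (198.51.100.53/53) to inside:192.168.0.5/1035 (203.0.113.2/1035)
Feb  1 2002 14:02:22: %PIX-6-302014: Teardown TCP connection 1201 for outside:198.51.100.7/80 to inside:192.168.0.5/1034 duration 0:00:11 bytes 4120 TCP FINs
Feb  1 2002 14:02:30: %PIX-6-302013: Built inbound TCP connection 1203 for dmz:172.16.1.10/2051 (172.16.1.10/2051) to inside:192.168.0.21/80 (192.168.0.21/80)
"""

# "Built" lines name interface:address/port on both sides, with the translated
# address in parentheses; we keep the real (untranslated) pair.
BUILT_RE = re.compile(
    r"Built (?P<dir>inbound|outbound) (?P<proto>TCP|UDP) connection \d+ for "
    r"(?P<src_if>\w+):(?P<src>[\d.]+)/(?P<sport>\d+) \([\d.]+/\d+\) to "
    r"(?P<dst_if>\w+):(?P<dst>[\d.]+)/(?P<dport>\d+) \([\d.]+/\d+\)"
)
# ACL denies name the access-group that dropped the packet.
DENY_RE = re.compile(
    r"Deny (?P<proto>\w+) src (?P<src_if>\w+):(?P<src>[\d.]+)/(?P<sport>\d+) "
    r'dst (?P<dst_if>\w+):(?P<dst>[\d.]+)/(?P<dport>\d+) by access-group "(?P<acl>[^"]+)"'
)


def parse_line(line):
    """Classify one syslog line as ('built', fields) or ('deny', fields); None otherwise."""
    m = BUILT_RE.search(line)
    if m:
        return "built", m.groupdict()
    m = DENY_RE.search(line)
    if m:
        return "deny", m.groupdict()
    return None


def traffic_fate(log_text, host):
    """Summarise what the PIX did with traffic to or from `host`.

    Returns a dict with 'built' and 'denied' lists of
    (proto, src, sport, dst, dport) tuples, plus the set of access-groups
    responsible for the denies.
    """
    fate = {"built": [], "denied": [], "acls": set()}
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        kind, f = parsed
        if host not in (f["src"], f["dst"]):
            continue
        flow = (f["proto"].lower(), f["src"], int(f["sport"]), f["dst"], int(f["dport"]))
        if kind == "built":
            fate["built"].append(flow)
        else:
            fate["denied"].append(flow)
            fate["acls"].add(f["acl"])
    return fate


def denied_services(fate):
    """Count denied flows by (proto, dst, dport) so the blocked service stands out."""
    return Counter((p, dst, dport) for p, _, _, dst, dport in fate["denied"])


if __name__ == "__main__":
    for host in ("172.16.1.10", "192.168.0.5"):
        fate = traffic_fate(SAMPLE_LOG, host)
        print(f"{host}: {len(fate['built'])} built, {len(fate['denied'])} denied")
        for (proto, dst, dport), n in denied_services(fate).items():
            print(f"  {n}x {proto} to {dst}:{dport} dropped by {', '.join(sorted(fate['acls']))}")
```

Run against the constructed sample, the DMZ host 172.16.1.10 shows one built connection to port 80 and two denies to port 1433 by access-group "dmz_in", which is exactly the pattern you would expect when a web server in the DMZ can reach the inside but the SQL port has not been opened in the ACL. Point the script at a real syslog file from the logging host instead of SAMPLE_LOG once the regexes match your release's message layout.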
Hi ,
I have observed that ISA when configured with web publishing rules,
starts listening on a wide range of TCP as well as same range of UDP
ports. Is it by design, or is there something wrong with my system? Because I
have observed a similar thing on the Exchange 2000 OWA server too.
rgds
Madhur
Marc,
Some of this is by design.
In the Pix traffic Flows from interfaces of a higher security level to
ones of a lower level as long as there is not a rule to deny it
(Outbound/apply or ACL). For example a simple, but not recommended, solution
is to add conduit ICMP permit any any. This will allow
Marc,
Version of PIX OS?
Sounds like from the error that the IIS server cannot access the DB. Did
you create ACLs from DMZ to inside? Did you test that access over the SQL
ports?
Liberty for All,
Brian
At 11:05 PM 1/31/2002 -0800, [EMAIL PROTECTED] wrote:
Message: 8
Subject: SQL and web
Hi all,
I have installed checkpoint 4.1 on solaris 7 with GUI on 2000 machine.
And i have to use NAT rules.
I know by using fwxlconf we can configure NATing rules and it will update the file
xlate.conf, the rule works also.
and from the GUI also we can give the NAT rules
I want to know if we
Don...
I think you yourself already explained what is seen as a proxy...
If you want to go into more detail on the exact products features
you can look at the appropriate documentation of the product
itself and then you can ask for personal experience about the
product on this list...
Most of
To: [EMAIL PROTECTED]
From: Inaki Agirre [EMAIL PROTECTED]
Subject: SunScreen IP change
Hi,
I need help with a FW re-configuration operation. I would thank any advice.
Problem:
We have a HA (two hosts) SunScreen EFS 3.0b FW which makes NAT and is the
GW of our LAN. We want to put an HA Level
Hello list,
Has anyone ever used a Cisco PIX 501 before? It looks like a nice router
to me, but I would like to hear what people (not Cisco sales people) have to
say about it. I'm thinking about purchasing one for my home network and
putting the one I have now (NetGear RO318) on my internal
2nd answer to the problem,
Just because ICMP works, doesn't necessarily mean TCP is working, and
TCP port 1433 is the ticket for MS web and MS SQL to work. That said,
let's consider for a moment that your NAT and access lists are
configured to pass all traffic on all ports. If that is the case
That is your message ID. This is created by your mail transfer agent. In
this case, sendmail created that number.
--truman
- Original Message -
From: Jeremy
To: Firewall
Sent: Wednesday, January 30, 2002 1:32 PM
Subject: is this normal?
Hi, I haven't seen this garbage added to the logs
I, too, have been curious about this aspect of HA.
If you have a firewall product that tracks continuous session
information like Sequence numbers, on a heavily loaded FW doesn't the
synchronization of the session table to the standby machine cause
considerable performance issues? That is,
Well, it may be free, but consider this: Linux is open source, right?
Anyone who wants to can figure out the holes that exist (and yes, they
do exist) and exploit them, since the source is available to all. This
is of course true with ANY firewall. A programmer that writes code for a
specific
Use the SMTP Gateway on the DMZ. It's pretty painless to set up and it
works great. IIS SMTP forwarding in Win2K is super quick to config. If
you want even better failsafe email, tell your ISP to store-forward your
email that way in the event of a loss-of-service between your ISP and
your email
Erik,
..snip..
If you have a firewall product that tracks continuous session
information like Sequence numbers, on a heavily loaded FW doesn't
the
synchronization of the session table to the standby machine cause
considerable performance issues?
..snip..
First...
What I said about the sequence number stuff was partially true.
Read these 3 links and you will get a bit more info about it:
http://www.camtp.uni-mb.si/books/Internet-Book/TCP_ISN.html
http://www.camtp.uni-mb.si/books/Internet-Book/TCP_SEQPrediction.html
Title: RE: SMTP through firewall
Rick,
Why not use Checkpoint's SMTP relay?
We use this talking directly to a Mail sweeper which in turn forwards to Exchange.
FW--Sweeper--Xchg
This means the outside world only ever talks to Checkpoint which does a reasonable job of checking for dodgy
Nobody was ever fired for buying from $BIG_CORPORATION. But I'd like to
point out a security weakness on your judgement.
A programmer that writes code for a specific firewall product would know
the holes that exist, and could exploit them.
Please search google.com: Microsoft engineers are
Hey Rick,
take a look at the BorderWare Mail Gateway. Real
nice SECURE Mail Server, you can put in parallel
to your FW to off load SMTP traffic. Also, you can
get the TrendMicro option on it, instead of having
the VirusWall on your exchange. Also, it can
interface with your internal server for
Luis,
Very well said, could have not said it better myself.
Steven
*** REPLY SEPARATOR ***
On 2/1/2002 at 5:05 PM Luis Filipe Bruno wrote:
Nobody was ever fired for buying from $BIG_CORPORATION. But I'd like to
point out a security weakness on your judgement.
A programmer
Hi ,
I have observed that ISA when configured with web publishing rules,
starts listening on a wide range of TCP as well as same range of UDP
ports. And these port range do remain static.
Is it by design, or is there something wrong with my system? Because I have
observed a similar thing in Exchange
Title: RE: SMTP through firewall
Luke,
I couldn't agree more. I ran that for a client for
just over a year and it's flawless. You never actually see the MS-Exchange
box from the Internet, and you can set the CheckPoint box to do a lot of the
mail header and relay filtering.
Use
the FW-1
Ahh..yes. The ODBC Driver, are you using named pipes or are you using
TCP/IP only? I would strongly suggest turning OFF \\.\named pipes as it is
a nightmare to get it to work through a firewall. Not sure about a PIX(ie
stick) but the CheckPoint FW-1 did give me grief for some time.
Good
Anyone have some good process steps for auditing a firewall?
Thanks,
Jeff
___
Firewalls mailing list
[EMAIL PROTECTED]
http://lists.gnac.net/mailman/listinfo/firewalls
I have a PIX 501 that I am trying to get configured to use PAT on a single
outside IP address that is DHCP assigned, but allows for inbound connections
(i.e. www, ftp, dns, etc.). It is running PIX OS 6.1(1). I have it
configured as follows:
PIX Version 6.1(1)
nameif ethernet0 outside security0
additionally, audit the OS the firewall run on as well as the
configuration of the firewall you are running, make sure the OS does not
allow protocols the firewall does not handle and that the firewall has not
been configured as a mere open router...one might wish to thest the
firewall from the
As far as I recall Cisco port aliases assign ftp= tcp 21 and ftp-data=
tcp 20. Ftp-data being used to enable FTP/HTTP server connections to
function properly.
Try adding a static mapping port 21 ie. ftp.
You may also want to change your ftp fixup to:
fixup protocol ftp strict 21
This prevents
As soon as I add a static mapping (for whatever reason), the PIX stops
passing all outbound traffic except that traffic from the IP address in the
static mapping. I think this is because it can't do PAT and a STATIC mapping
to the same IP address. I would need 1 IP address to pull it off
I seem to remember seeing that 6.x had support for
port redirecting, have you looked for this/at this?
--- Noonan, Wesley [EMAIL PROTECTED] wrote:
As soon as I add a static mapping (for whatever
reason), the PIX stops
passing all outbound traffic except that traffic
from the IP address in
The Seven web-site http://www.seven.com is VERY short on security
information and doesn't define what equipment will work with their gear.
According to the Cingular brief: Cingular sets up an SSL tunnel or full
VPN between its (Cingular's) network and the corporate network. Installed
on the
Yeah, that's what I am doing (I think) with the static statements I have. It
works pretty good, except for FTP clients that don't support PASV. If I turn
off the fixup protocol, it works with all FTP clients, but then none of my
outbound FTP requests will work...
It's mildly annoying, as all of
It is supported, see:
http://www.cisco.com/warp/public/707/28.html
It was first implemented on IOS Firewall, and I have personally used it
there. And, yes that is what you are doing :).
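As an added example (not config from any of the posters, and not from the Cisco document linked above), here is what a PIX 6.x port-redirection configuration for the situation in this thread looks like: a single DHCP-assigned outside address, PAT for everyone inside, and a few inbound services redirected to one inside host. The inside host 192.168.1.10, the inside network and the access-list name are assumptions. The lines beginning with "!" are annotations for the reader, not PIX syntax, and should be dropped before pasting; check the command reference for your PIX OS release, since the original poster is on 6.1(1) and the accepted forms of these commands changed between 6.x releases.

```cisco
! Outside address comes from the ISP by DHCP; the default route follows it
ip address outside dhcp setroute
ip address inside 192.168.1.1 255.255.255.0

! PAT every inside host behind whatever address the outside interface holds.
! "interface" instead of a fixed address is what keeps outbound traffic
! working when the lease changes, and it is what a plain static breaks.
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface

! Port redirection: redirect single ports on the interface address to the
! inside host instead of claiming the whole outside address for it
static (inside,outside) tcp interface www 192.168.1.10 www netmask 255.255.255.255 0 0
static (inside,outside) tcp interface ftp 192.168.1.10 ftp netmask 255.255.255.255 0 0
static (inside,outside) udp interface domain 192.168.1.10 domain netmask 255.255.255.255 0 0

! A static alone permits nothing inbound; the access-list does that
access-list outside_in permit tcp any interface outside eq www
access-list outside_in permit tcp any interface outside eq ftp
access-list outside_in permit udp any interface outside eq domain
access-group outside_in in interface outside

! Keep the FTP fixup so the PORT/PASV data channels are opened on demand;
! "strict" rejects commands that are not part of a proper FTP exchange
fixup protocol ftp strict 21
```

The point of the "interface" keyword in both the global and the static lines is that the PIX no longer needs a second outside address: outbound PAT and the inbound redirections share the one DHCP address, which is the conflict the earlier message in this thread ran into. Verify after applying it with "show xlate" and "show conn" that outbound translations are still being created for hosts other than 192.168.1.10.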
I thought of a security warning regarding fixup protocol ftp 21
On Fri, 1 Feb 2002, Marc Sahr wrote:
Well, it may be free, but consider this: Linux is open source, right?
Anyone who wants to can figure out the holes that exist (and yes, they
do exist) and exploit them, since the source is available to all. This
is of course true with ANY firewall. A
Fellow Hacks,
I hate to throw gas on a fire, but I have been a Linux user for years. I
have seen
so many e-mails flying over the alias (this one included) about this scam
called
open source. We have seen all the bird cage liners touting the socialist
revolution
of open source! Blah Blah Blah.
I hate to dignify this troll with a response so I'll keep it short.
The licence is such that legally they would not be able to do this. They
could force people to stop using the name Linux (which is a trademark),
but the code itself is not owned by any one person (read through it and
see all the
one word: licencing
(and yes, I am Canadian, so I can spell it that way)
ask a lawyer the same question and I am sure that you could get a more thorough answer
basically, it is not legal for Linus to sell Linux because it is distributed under the
GPL .. so your question is not as rhetorical
Not to pick on Scott here, but what does this have to do with Firewalls?
Surely there is a Linux/Windows pissing contest mailing list somewhere that
this would be better suited in... :-)
Wes Noonan, MCSE/MCT/CCNA/CCDA/NNCSS
Senior QA Rep.
BMC Software, Inc.
(713) 918-2412
[EMAIL PROTECTED]
(apologies for cross-posting)
Please help forward to interesting persons
Call for papers
(1).2002 International Conference on Information
and Knowledge Engineering (IKE'02) June 24-27, 2002
Las Vegas, Nevada, USA
and
(2). Special Session on Knowledge Representation and
You are quite correct,
Browsing doesn't depend on WINS, however browsing benefits from WINS. Because WINS can
hold information about different domains/workgroups and their browse masters. This can
also be done by using lmhosts-file but that is a bit awkward.
So best solution for Browsing
Hi there!
I was wondering maybe somebody can help me with a Nokia IP2330 box, which I just received as a present, since it was going to be trashed... due to the fact it was never even used.
Well, the fact is that I received just the box, and no documentation, which means I do not have the login nor
We had a PIX 515 Firewall version 5.1,
1 outside interface, 5 inside interfaces
We do not use NAT between the inside interfaces themselves,
just static. We only use NAT to go outside (from one inside interface
to the outside).
We experienced very strange problem.
The configuration is working
Hi,
I've bought a SonicWall Pro and there seems to be a problem with it hanging.
It appears to be doing it every 24 hours and can only be reset with a hard
reset. No attacks appear in the log but it seems that all the connections on
the firewall just fill up and then it just dies.
Any ideas?
I was hoping that someone could give me a hand to open up a couple of ports
on our firewall. We need to have ports 443 and 1024 opened up for a software
program that accesses the internet.
What is the best way and most secure to do this? Please if you could send
the actual command lines that
I work for a large corp., I only have intranet
access. When I attempt to log on to a foreign site I am asked for a user
name and password. How can I forego this problem to gain full internet
access? I appreciate any response. Squirrel
My company is looking to purchase a firewall; we are looking at the
Watchguard 4500 and the Cisco PIX 515. Our communication lines that
we use are 3 T1 lines. We have 14 employees in the office and a
development website. When the website goes live it could have 500
concurrent users on it.
Hi all,
We are designing a redundant connection to an external network via different
locations. Both connections are protected with a firewall (PIX).
It seems that the only way to make this setup work is to talk a routing
protocol (BGP) between our internal and our external router through the
Has anyone worked with Extreme Networks Summit24e3 and Summit24e2.
Do you like them or not??
Thanks Beldon