Sonicwall Soho2

2002-01-09 Thread Frederic Lemoine
Hello, One of our small subsidiaries needs to install a firewall. We used to work with Checkpoint products, but this subsidiary has been contacted by a local Sonicwall distributor. They are trying to sell them a Sonicwall Soho2. We have no knowledge of this product, and I am wondering how it compares to

RE: Sonicwall Soho2

2002-01-09 Thread ext-Harri . Kotakoski
Well, the first thing to understand is that Sonicwall is a transparent bridge, not a router. This means that you will have to think differently with Sonicwall when you are making your routing considerations. Sonicwall is capable of generating ICMP redirect messages, which is somehow called routing, but

FireWall-1 versus Cisco

2002-01-09 Thread gilles . lami
Hello everybody! I am a newbie on this mailing list and I am looking for some kind of documents which compare CheckPoint FireWall-1 and Cisco PIX / IOS, I mean good points and bad points of both products, to help me make a choice in my architecture. Thanks in advance and happy new year. Gilles

PIX Access list

2002-01-09 Thread Edson Yamada
Hello, Cisco router access lists allow the administrator to define whether the list must be applied to the INcoming or OUTgoing traffic of a given interface. It seems that PIX access lists don't permit that. So, my question is: if I bind a list to an interface, is this list applied against the

Stateful inspection on PIX

2002-01-09 Thread Edson Yamada
Hello again, Sorry if this is a stupid question. I've been reading the PIX docs and it's written that PIX is stateful. Let's suppose that a host (behind the internal interface) queries a DNS server that is located behind an outside interface. By default, all traffic that comes from the inside

Smoothwall

2002-01-09 Thread Phil Labonte
Does anyone on this list use SmoothWall?

FW-1 log viewer radiates

2002-01-09 Thread Jim Rosenberg
I'm not sure how much to make of this problem, but I know it makes me feel uneasy. Perhaps this has been discussed a lot, but I suspect the problem is not well known; it was certainly a surprise to the on-duty technician at the company that does our firewall support. Unless you tell the FW-1

RE: Stateful inspection on PIX

2002-01-09 Thread Bruno Fernandes
-Original Message- From: Edson Yamada [mailto:[EMAIL PROTECTED]] Sent: Wednesday, 9 January 2002 12:32 To: lista fw Subject: Stateful inspection on PIX Hello again, Sorry if this is a stupid question. I've been reading the PIX docs and it's written that PIX is stateful.

RE: PIX Access list

2002-01-09 Thread Bruno Fernandes
It's applied only to traffic entering the interface. Regards BF -Original Message- From: Edson Yamada [mailto:[EMAIL PROTECTED]] Sent: Wednesday, 9 January 2002 12:28 To: lista fw Subject: PIX Access list Hello, Cisco router access lists allow the administrator to define whether

forwarding in interfaces ethernet

2002-01-09 Thread Johnny Gonzalez
Hi. I have a PIX 525 with 4 Ethernets. 1 ethernet= inside (10.10.10.1/24) 2 ethernet= real (IP internet z.x.w.q/24) 3 ethernet= outside (IP internet a.b.c.d/24) route default is a.b.c.x I have the following rules: conduit permit icmp any any nat (real) 0 z.x.w.r 255.255.255.255 the ethernet real

Re: Smoothwall

2002-01-09 Thread Fredde
I have been using it before I discovered Astaro (home network). Why? /F - Original Message - From: Phil Labonte [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Wednesday, January 09, 2002 2:50 PM Subject: Smoothwall Does anyone on this list use SmoothWall?

RE: Sonicwall Soho2

2002-01-09 Thread Dave Crocker
At 10:56 AM 1/9/2002 +0200, [EMAIL PROTECTED] wrote: Well, the first thing to understand is that Sonicwall is a transparent bridge, not a router. The Sonicwall Soho (not 2) that I have had for a couple of years is a router. It also does NAT and a set of firewall filtering functions. The device is

RE: PIX Access list

2002-01-09 Thread Glenn Shiffer
Connections on the Pix are defined as either from lower to higher security level or higher to lower security level. Lower to higher security connections are controlled by the access-list and access-group commands. Higher to lower security connections are controlled by nat and global commands.

RE: FW-1 log viewer radiates

2002-01-09 Thread Dan McGinn-Combs
While in general I would agree with you - that the NETBIOS name is useless. The way to fix this, is of course, to run the firewall and/or management console on LINUX or SUN rather than on WinNT. :-) Dan -Original Message- From: Jim Rosenberg [mailto:[EMAIL PROTECTED]] In my opinion,

Ahhh, the perks of managing government networks

2002-01-09 Thread Network Operations
If you get fed up with SPAM and script kiddies just: access-list reject_all deny ip 210.0.0.0 255.0.0.0 any access-list reject_all deny ip 211.0.0.0 255.0.0.0 any hmm, who next, I think I remember some BO scans from poland last week... access-list reject_all deny ip 195.0.0.0 255.0.0.0 any

Re: FW-1 log viewer radiates

2002-01-09 Thread Achim Dreyer
On Wed, 9 Jan 2002, Jim Rosenberg wrote: 1. It looks in its list of Network Objects to see if you've given a name to this IP address. If it finds one, it will use this one, regardless of other methods of resolving the address. 2. It queries the IP address in question trying to resolve

Re: forwarding in interfaces ethernet

2002-01-09 Thread bob bobing
Well, you left out some info. First off, what are the security levels for ethernet2 and ethernet3? Are you using syslog? What is the PIX logging when you try the ping that fails? Also, can you show all nat, global, and static rules for eth2 and eth3? --- Johnny Gonzalez [EMAIL PROTECTED] wrote:

Re: [Security for] Analysis port for 3com 3300 was Re: (no subject)

2002-01-09 Thread Ken Milder
Because this is a firewalls list, this thread can serve as a good segue into a question about switch security that has been on my mind for some time: Most switches support remote management features like web interfaces, SNMP, telnet, etc. If these switches are hacked, someone can not only cause a

Cisco Security Advisory: Multiple Vulnerabilities in Cisco SN 5420 Storage Router

2002-01-09 Thread Cisco Systems Product Security Incident Response Team
-BEGIN PGP SIGNED MESSAGE- Cisco Security Advisory: Multiple Vulnerabilities in Cisco SN 5420 Storage Routers Revision 1.0 For Public Release 2002 January 09 08:00 (UTC -0800) Summary Three

Subject: PIX Access list

2002-01-09 Thread Chew, Freeland (Roanoke)
In the PIX configuration Access Lists are for outbound traffic. Use the Conduit command for inbound controls. Message: 3 Date: Wed, 9 Jan 2002 10:27:49 -0200 (BRST) From: Edson Yamada [EMAIL PROTECTED] To: lista fw [EMAIL PROTECTED] Subject: PIX Access list Hello, Cisco routers access lists

Stateful Pix

2002-01-09 Thread Chew, Freeland (Roanoke)
Yes the PIX will allow the answers to the DNS queries back in without any other configuration. Message: 4 Date: Wed, 9 Jan 2002 10:32:19 -0200 (BRST) From: Edson Yamada [EMAIL PROTECTED] To: lista fw [EMAIL PROTECTED] Subject: Stateful inspection on PIX Hello again, Sorry if this is a stupid

Re: Subject: PIX Access list

2002-01-09 Thread Network Operations
In newer PIX code (5.3x + I think) you can use access-lists both ways... you can do away with conduit commands altogether if you wish.. cheers.. Chew, Freeland (Roanoke) [EMAIL PROTECTED] 01/09 12:34 PM In the PIX configuration Access Lists are for outbound traffic. Use the Conduit command

Re: [Security for] Analysis port for 3com 3300 was Re: (no subject)

2002-01-09 Thread Paul Robertson
On Wed, 9 Jan 2002, Ken Milder wrote: Because this is a firewalls list, this thread can serve as a good segue into a question about switch security that has been on my mind for some time: Most switches support remote management features like web interfaces, SNMP, telnet, etc. If these

Re: Subject: PIX Access list

2002-01-09 Thread Network Operations
Ok, let me clarify something, I sense a bit of confusion here.. You need to free yourself from this INcoming/OUTgoing concept you are using when referring to the PIX, ok? Because you can only ever see ONE interface depending on which side of the device you're on (if your architecture is

Re: Stateful Pix

2002-01-09 Thread Network Operations
Not a stupid question at all. The default configuration will let DNS queries pass, yes. However, if you use the default config, you might as well put your PIX back in the box and return it, and get your 15k back. You need to create access lists to DENY EVERYTHING first. Then add access-lists

Re: [Security for] Analysis port for 3com 3300 was Re: (no subject)

2002-01-09 Thread black
I don't understand what you are saying. Are you suggesting that you simply unpack your switches and plug them into the network right from the box? Please don't say it's so, you've posted a lot of good thoughts in the past, and I can't believe you'd actually suggest that now. Bear in mind that a

help

2002-01-09 Thread Hunt, Curtis
Please unsubscribe me from your list for the last time. Curtis Hunt -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] Sent: Wednesday, January 09, 2002 3:54 PM To: [EMAIL PROTECTED] Subject: Firewalls digest, Vol 1 #449 - 9 msgs Send Firewalls mailing list

Re: [Security for] Analysis port for 3com 3300 was Re: (no subject)

2002-01-09 Thread Ken Milder
Paul, Thanks for your comments. You must have a small network. We have several hundred subnets and thousands of nodes. Gathering traffic statistics, installing patches and software upgrades, troubleshooting, and other network management functions make remote management of our switches

Re: [Security for] Analysis port for 3com 3300 was Re: (no subject)

2002-01-09 Thread Paul Robertson
On Wed, 9 Jan 2002 [EMAIL PROTECTED] wrote: I don't understand what you are saying. Are you suggesting that you simply unpack your switches and plug them into the network right from the box? No, I'm saying that I've always tried to avoid plugging in a switch which was configured to talk IP on

Re: help

2002-01-09 Thread Stilgherrian
On Wed, Jan 09, 2002 at 05:12:25PM -0500, Hunt, Curtis wrote: Please unsubscribe me from your list for the last time. I think this URL, given in every mailing from the list, will help you: To subscribe or unsubscribe via the World Wide Web, visit

Re: Stateful Pix

2002-01-09 Thread Brian Ford
Actually DNS Guard in the PIX only allows one (the first) DNS response back. All others are dropped. At 01:53 PM 1/9/2002 -0800, Chew, Freeland (Roanoke) [EMAIL PROTECTED] wrote: Message: 4 From: Chew, Freeland (Roanoke) [EMAIL PROTECTED] To: '[EMAIL PROTECTED]' [EMAIL PROTECTED] Subject:

Re: [Security for] Analysis port for 3com 3300 was Re: (no subject)

2002-01-09 Thread Paul Robertson
On Wed, 9 Jan 2002, Ken Milder wrote:
> Paul, Thanks for your comments. You must have a small network. We have several
I've built and run networks from the tens of devices to the tens of thousands.
> hundred subnets and thousands of nodes. Gathering traffic statistics, installing patches and

Re: forwarding in interfaces ethernet

2002-01-09 Thread Johnny Gonzalez
I don't use syslog. I have this configuration in my PIX: nameif ethernet0 outside security0 nameif ethernet1 inside security100 nameif ethernet2 real security10 interface ethernet0 auto interface ethernet1 auto interface ethernet2 auto ip address outside x.y.z.130 255.255.255.192 ip address inside

Re: Stateful Pix

2002-01-09 Thread Network Operations
Doesn't it make ya just wanna go hug it? Brian Ford [EMAIL PROTECTED] 01/09 2:29 PM Actually DNS Guard in the PIX only allows one (the first) DNS response back. All others are dropped. At 01:53 PM 1/9/2002 -0800, Chew, Freeland (Roanoke) [EMAIL PROTECTED] wrote: Message: 4 From: Chew,

RE: help

2002-01-09 Thread Scheidel, Greg (Contractor)
Curtis, You are sending your request to the wrong address. As you can see in the e-mail you included, you need to send subscribe/unsubscribe requests to '[EMAIL PROTECTED]'. You are sending your e-mail to the mailing list submissions address. Greg S.

RE: forwarding in interfaces ethernet

2002-01-09 Thread Glenn Shiffer
Get rid of: nat (real) 0 q.w.r.5 255.255.255.255 0 0 nat (real) 0 q.w.r.6 255.255.255.255 0 0 nat (real) 0 q.w.r.7 255.255.255.255 0 0 Instead use: nat (real) 0 access-list real access-list real permit ip 10.10.10.0 255.255.255.0 q.w.r.5 255.255.255.255 access-list real

RE: forwarding in interfaces ethernet

2002-01-09 Thread Johnny Gonzalez
Thanks, I resolved the problem with the following line: global (real) 1 q.w.r.4 And the users on inside see the users on real. I use PAT; the nat lines on real are in use. On Wed, 2002-01-09 at 18:32, Glenn Shiffer wrote: Get rid of: nat (real) 0 q.w.r.5 255.255.255.255 0 0 nat (real) 0

RE: forwarding in interfaces ethernet (in a more readable form)

2002-01-09 Thread Glenn Shiffer
Get rid of: nat (real) 0 q.w.r.5 255.255.255.255 0 0 nat (real) 0 q.w.r.6 255.255.255.255 0 0 nat (real) 0 q.w.r.7 255.255.255.255 0 0 Instead use: nat (real) 0 access-list real access-list real permit ip 10.10.10.0 255.255.255.0 q.w.r.5 255.255.255.255 access-list

how does outgoing nat work exactly?

2002-01-09 Thread Rick Lim
Hi there, When an internal machine attempts to connect to a webserver through a firewall (Linux iptables), what is the exact mechanism? Is there a good explanation on the net? Please correct me if I'm wrong, my understanding is the internal machine's browser tries to connect to www.redhat.com

PIX-no nat config

2002-01-09 Thread Ileana Hechavarria
I'm seeking some help from a PIX expert. I have the following configuration (network diagram, flattened): To Internet / head router (2) -> 215.x.x.1 (external PIX address) -> [ PIX 515, V 6.1 ] -> 192.168.21.1 (internal IP address) -> 192.168.21.2

Re: Is It possible to trace a hacker, and on Diffie-Hellman

2002-01-09 Thread Stilgherrian
Robert, to comment on the first half of your posting at least (the maths of cryptography is still something I haven't explored)... On Sun, Jan 06, 2002 at 06:30:16PM -0500, [EMAIL PROTECTED] wrote: Last summer my PC was attacked by a malicious hacker who used a Trojan Horse NetBus. My Norton

PIX 515 Freezing

2002-01-09 Thread Pat Hammond
I hope I am writing this to someone who can assist me. I am trying to find out why my Cisco PIX 515 firewall keeps freezing. The problem has been around for some time now and is getting worse as we are getting an increase in traffic. Some Cisco PIX 515, 515-DC and 506 Firewalls have suffered

Re: Is It possible to trace a hacker, and on Diffie-Hellman

2002-01-09 Thread Bill Hinton
Yes it is possible to track a hacker but unless you have proof and can trace it to someone in the US it's a moot point. If you want to trace an attacker you should have the following: 1. An active intrusion detection system (IDS) that can perform a trace back to the source regardless of

Re: forwarding in interfaces ethernet

2002-01-09 Thread Dirk Pfau
Glenn's idea is fine, but the interface real has a lower security level than inside. Therefore you must replace nat (real) 0 access-list real by nat (inside) 0 access-list real. Your global entry for interface real is another way, depending on you, whatever you want. dirk Johnny

RE: PIX-no nat config

2002-01-09 Thread Dirk Pfau
First: welcome to the past! What about your date? Or was the mail hanging some days at a mailserver? There are some mistakes inside the configuration. Have you tested a connection from network 10.10.10.x to the internet? You have mixed 3 types of nat. The priority is nat (...) 0 access-list