On the GNAC firewall list [EMAIL PROTECTED] wrote:
>Hi Luc,
>
>If the TFTP server is internal to your network, then you should not need to
>alter your security policy.
Maybe you have a real security policy, one that restricts access
from the internal network as well as from the external network.
It would have to be applied to something else than the PIX,
though, as according to my (extensive) testing, the PIX does not
check its outbound/conduit access lists for communications sent
to or from it.
Regarding a related question, I sent a 9kB PIX bug report to the
psirt on Nov 10, 1999, entitled "PIX vulnerable to trivial IP
address spoofing"; I have yet to receive any response other than
"We will investigate this and report back to you as soon as we
can."
I'm still waiting.
PS: For those who are wide-eyed, the bug in question exists
only in certain rare and often unwise configurations, would
be extremely difficult to exploit in any manner, and I cannot
believe it exists with the new access-list commands. But it's
there.