The company I work for is using a PIX firewall as its first line of defence.
The only conduits within the PIX configuration are to allow traffic to port
80 and port 443 destined for our DMZ. This should mean anything else is
disallowed.
However, we have found that echo requests FROM any host residing on the
network connected to the PIX external interface TO a particular webserver on
our DMZ are allowed to pass through the PIX. Echo requests TO any other host
on the DMZ are dropped and echo requests FROM any hosts that are not on the
network connected directly to the PIX external interface TO the webserver
are dropped.
Have I misunderstood the static command or is this a bug?
Below is the applicable data from my config file (sanitized):
static (inside,outside) 195.X.Y.71 195.X.Y.71 netmask 255.255.255.255 0 0
conduit permit tcp 195.X.Y.64 255.255.255.192 eq 443 any
conduit permit tcp 195.X.Y.64 255.255.255.192 eq www any
195.X.Y.71 is the webserver that echo requests are being allowed to.
The Class C address range 195.X.Y.Z is used for the internal network and
external networks with a subnet mask of 255.255.255.240.
Sorry if that is as clear as mud! I think the problem is the static line but
can anyone explain?
Thanks
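As an added check (not part of the original post), the script below parses the two conduit lines from the sanitized config and tests sample flows against them, so you can see which inbound traffic the conduits alone would permit. The "X.Y" octets are replaced by "0.0" purely so the addresses parse, and the outside-subnet host 195.0.0.3 and the 198.51.100.7 client are constructed placeholders.

```python
import ipaddress

# Conduits as posted; "X.Y" replaced by "0.0" (constructed, not real values).
CONDUITS = [
    "conduit permit tcp 195.0.0.64 255.255.255.192 eq 443 any",
    "conduit permit tcp 195.0.0.64 255.255.255.192 eq www any",
]
WELL_KNOWN_PORTS = {"www": 80, "https": 443}

def parse_conduit(line):
    """Parse the subset of PIX conduit syntax used in the post:
    conduit permit|deny PROTO GLOBAL_IP GLOBAL_MASK [eq PORT] (any | IP MASK)"""
    tok = line.split()
    if tok[:1] != ["conduit"]:
        raise ValueError("not a conduit line: " + line)
    action, proto = tok[1], tok[2]
    global_net = ipaddress.ip_network((tok[3], tok[4]), strict=False)
    i, port = 5, None
    if tok[i] == "eq":
        port = WELL_KNOWN_PORTS.get(tok[i + 1]) or int(tok[i + 1])
        i += 2
    if tok[i] == "any":
        foreign_net = ipaddress.ip_network("0.0.0.0/0")
    else:
        foreign_net = ipaddress.ip_network((tok[i], tok[i + 1]), strict=False)
    return {"action": action, "proto": proto, "global": global_net,
            "port": port, "foreign": foreign_net}

def matching_conduit(rules, proto, src, dst, dport=None):
    """First conduit matching an inbound (outside -> DMZ) flow, or None
    when no conduit permits it, which on a PIX means the packet is dropped."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if r["proto"] not in (proto, "ip"):
            continue
        if dst not in r["global"] or src not in r["foreign"]:
            continue
        if r["port"] is not None and r["port"] != dport:
            continue
        return r
    return None

RULES = [parse_conduit(c) for c in CONDUITS]

if __name__ == "__main__":
    # The two permitted services, then the echo request the post describes.
    for flow in [("tcp", "198.51.100.7", "195.0.0.71", 443),
                 ("tcp", "198.51.100.7", "195.0.0.71", 80),
                 ("icmp", "195.0.0.3", "195.0.0.71", None)]:
        hit = matching_conduit(RULES, *flow)
        print(flow, "->", "permit" if hit else "no matching conduit")
```

If the ICMP flow reports no matching conduit while the pings still get through, the permit is not coming from these two lines and the static/interface behaviour is the place to look.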