David:

I don't know much of anything about PIX, but I think I can still
extrapolate your problem from the ruleset info you provided.  Anyone
with PIX experience is welcome to correct me or make additional
clarifications.  If ICMP requests of any type are getting through, this
is because ICMP has a different protocol ID in the IP header and thus
would not be covered by TCP filtering or static NAT rules you gave as
governing ICMP (the conduit shouldn't have any problem passing ICMP down
to the translated address).  You will have to add additional rules if
you want to filter ICMP.

I am interpolating from your message that you want to filter all ICMP.  
Please note that there will be negative consequences to filtering all
ICMP and that you will probably need more granularity if you wish to
avoid or reduce these consequences.  What you want to look at is
filtering by ICMP messages or even codes.  This topic was covered in
some depth a while back on this list (August/September with subjects
"ICMP filtering", "More on ICMP filtering" and "filtering ICMP *codes*
with PIX?").  Please see:

http://lists.gnac.net/firewalls/archive.html

for a hypertext interface to the list archives.

-BGB

David Calder wrote:
> 
> The company I work for is using a PIX firewall as its first line of defence.
> The only conduits within the PIX configuration are to allow traffic to port
> 80 and port 443 destined for our DMZ. This should mean anything else is
> disallowed.
> 
> However, we have found that echo requests FROM any host residing on the
> network connected to the PIX external interface TO a particular webserver on
> our DMZ are allowed to pass through the PIX. Echo requests TO any other host
> on the DMZ are dropped and echo requests FROM any hosts that are not on the
> network connected directly to the PIX external interface TO the webserver
> are dropped.
> 
> Have I misunderstood the static command or is this a bug??
> 
> Below is the applicable data from my config file (sanitized):
> 
> static (inside,outside) 195.X.Y.71 195.X.Y.71 netmask 255.255.255.255 0 0
> conduit permit tcp 195.X.Y.64 255.255.255.192 eq 443 any
> conduit permit tcp 195.X.Y.64 255.255.255.192 eq www any
> 
> 195.X.Y.71 is the webserver that echo requests are being allowed to.
> The Class C address range 195.X.Y.Z is used for the internal network and
> external networks with a subnet mask of 255.255.255.240.
> 
> Sorry if that is as clear as mud! I think the problem is the static line but
> can anyone explain?
> 
> Thanks
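As an added illustration of the advice in the reply above (it is not part of either message on this page, and not a tested answer to the poster's question), here is a sketch of the extra conduit lines a PIX administrator would add to the quoted configuration in order to filter ICMP by message type rather than leave it uncovered by the TCP-only conduits. It uses the poster's sanitised addresses and assumes the conduit form `conduit permit|deny icmp global_ip global_mask foreign_ip foreign_mask [icmp_type]`, that `any` is accepted for the foreign address, that lines beginning with `:` are comments, and that conduits are matched in the order entered (so the specific permits must precede the catch-all deny); check each of these against the documentation for your PIX release.

```text
: Existing lines from the question (unchanged). Both conduits match IP
: protocol 6 (TCP) only, so nothing here applies to protocol 1 (ICMP).
static (inside,outside) 195.X.Y.71 195.X.Y.71 netmask 255.255.255.255 0 0
conduit permit tcp 195.X.Y.64 255.255.255.192 eq 443 any
conduit permit tcp 195.X.Y.64 255.255.255.192 eq www any

: Added ICMP conduits (hypothetical example). Permit only the message types
: the DMZ hosts need to receive from outside, selected by ICMP type keyword:
:   echo-reply     replies to pings the DMZ hosts themselves send out
:   unreachable    type 3, including "fragmentation needed" (code 4), which
:                  path MTU discovery depends on
:   time-exceeded  type 11, needed for traceroute from the DMZ to work
conduit permit icmp 195.X.Y.64 255.255.255.192 any echo-reply
conduit permit icmp 195.X.Y.64 255.255.255.192 any unreachable
conduit permit icmp 195.X.Y.64 255.255.255.192 any time-exceeded

: Every other ICMP message to the DMZ range, including inbound echo
: requests (type 8), is now dropped by an explicit rule rather than by
: whatever the implicit behaviour happens to be.
conduit deny icmp 195.X.Y.64 255.255.255.192 any
```

After entering the lines, confirm with `show conduit` that they appear in the intended order, then repeat the poster's ping test from a host on the outside segment and from one further away; an explicit deny makes the result independent of how the PIX treats ICMP that no conduit mentions. Note that the conduit syntax selects on ICMP type only; a per-code distinction (for example permitting only code 4 of type 3) is not expressible this way, which is one reason the reply suggests reading the earlier list threads on ICMP filtering before settling on a policy.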