Hi Bayard,

The PIX by default denies all inbound traffic, unless specifically 
permitted.  No additional rules are needed to block ICMP, provided you are 
using a relatively recent software version.

Just a point of clarification.

Thanks,

Lisa Napier
Product Security Incident Response Team
Cisco Systems
http://www.cisco.com/warp/public/707/sec_incident_response.shtml

At 02:29 PM 1/18/2000 -0500, Bayard G. Bell wrote:
>David:
>
>I don't know much of anything about PIX, but I think I can still
>extrapolate your problem from the ruleset info you provided.  Anyone
>with PIX experience is welcome to correct me or make additional
>clarifications.  If ICMP requests of any type are getting through, this
>is because ICMP has a different protocol ID in the IP header and thus
>would not be covered by TCP filtering or static NAT rules you gave as
>governing ICMP (the conduit shouldn't have any problem passing ICMP down
>to the translated address).  You will have to add additional rules if
>you want to filter ICMP.
>
>I am interpolating from your message that you want to filter all ICMP.
>Please note that there will be negative consequences to filtering all
>ICMP and that you will probably need more granularity if you wish to
>avoid or reduce these consequences.  What you want to look at is
>filtering by ICMP messages or even codes.  This topic was covered in
>some depth a while back on this list (August/September with subjects
>"ICMP filtering", "More on ICMP filtering" and "filtering ICMP *codes*
>with PIX?").  Please see:
>
>http://lists.gnac.net/firewalls/archive.html
>
>for a hypertext interface to the list archives.
>
>-BGB
>
>David Calder wrote:
> >
> > The company I work for is using a PIX firewall as its first line of defence.
> > The only conduits within the PIX configuration are to allow traffic to port
> > 80 and port 443 destined for our DMZ. This should mean anything else is
> > disallowed.
> >
> > However, we have found that echo requests FROM any host residing on the
> > network connected to the PIX external interface TO a particular webserver on
> > our DMZ are allowed to pass through the PIX. Echo requests TO any other host
> > on the DMZ are dropped and echo requests FROM any hosts that are not on the
> > network connected directly to the PIX external interface TO the webserver
> > are dropped.
> >
> > Have I misunderstood the static command or is this a bug??
> >
> > Below is the applicable data from my config file (sanitized):
> >
> > static (inside,outside) 195.X.Y.71 195.X.Y.71 netmask 255.255.255.255 0 0
> > conduit permit tcp 195.X.Y.64 255.255.255.192 eq 443 any
> > conduit permit tcp 195.X.Y.64 255.255.255.192 eq www any
> >
> > 195.X.Y.71 is the webserver that echo requests are being allowed to.
> > The Class C address range 195.X.Y.Z is used for the internal network and
> > external networks with a subnet mask of 255.255.255.240.
> >
> > Sorry if that is as clear as mud! I think the problem is the static line but
> > can anyone explain?
> >
> > Thanks
>-
>[To unsubscribe, send mail to [EMAIL PROTECTED] with
>"unsubscribe firewalls" in the body of the message.]
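
As an added illustration of the point both replies turn on (a TCP-only ruleset never matches ICMP, because the IP header's protocol field is compared before any port is looked at, and a default-deny policy then drops the packet), here is a small packet filter in Python. This is example code written for this page, not Cisco's or anyone on the thread's, and it does not model the PIX's static/translation handling at all. The rule set mirrors the two conduit lines above; the 203.0.113.0/24 and 198.51.100.0/24 documentation addresses stand in for the sanitized 195.X.Y.Z ranges, and every packet is constructed inline for the demonstration.

```python
"""Toy inbound packet filter: protocol field first, then address, then port or
ICMP type, with default deny. Addresses and packets below are constructed for
this example and do not come from the thread's configuration."""
import ipaddress
import struct

IPPROTO_ICMP = 1
IPPROTO_TCP = 6
ICMP_ECHO_REPLY = 0
ICMP_UNREACHABLE = 3
ICMP_ECHO_REQUEST = 8


def build_ipv4(src, dst, proto, payload):
    """Minimal IPv4 datagram: 20-byte header, no options, checksum left 0."""
    header = struct.pack(
        "!BBHHHBBH4s4s",
        0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
        ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed,
    )
    return header + payload


def tcp_syn(sport, dport):
    """20-byte TCP header with only SYN set; seq/ack/window/checksum are filler."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 8192, 0, 0)


def icmp_header(icmp_type, code=0):
    """8-byte ICMP header: type, code, checksum (filler), rest-of-header."""
    return struct.pack("!BBHI", icmp_type, code, 0, 0)


def parse(packet):
    """Extract the fields a rule can match: protocol, addresses, TCP dst port, ICMP type/code."""
    ver_ihl, _, _, _, _, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    body = packet[(ver_ihl & 0x0F) * 4:]
    info = {"proto": proto, "src": ipaddress.IPv4Address(src), "dst": ipaddress.IPv4Address(dst)}
    if proto == IPPROTO_TCP:
        info["dport"] = struct.unpack("!HH", body[:4])[1]
    elif proto == IPPROTO_ICMP:
        info["icmp_type"], info["icmp_code"] = struct.unpack("!BB", body[:2])
    return info


def rule_matches(rule, info):
    """Every key the rule sets must match; the protocol number is checked first,
    so a TCP rule can never match an ICMP packet whatever its addresses."""
    if rule["proto"] != info["proto"]:
        return False
    if info["dst"] not in ipaddress.ip_network(rule["dst"]):
        return False
    if info["src"] not in ipaddress.ip_network(rule.get("src", "0.0.0.0/0")):
        return False
    if "dport" in rule and rule["dport"] != info.get("dport"):
        return False
    if "icmp_type" in rule and rule["icmp_type"] != info.get("icmp_type"):
        return False
    return True


def decide(rules, packet):
    """First matching permit rule wins; anything unmatched is dropped (default deny)."""
    info = parse(packet)
    for rule in rules:
        if rule_matches(rule, info):
            return "permit"
    return "deny"


# Constructed stand-ins for the sanitized 195.X.Y.64/26 DMZ and its web server.
DMZ = "203.0.113.64/26"
WEB = "203.0.113.71"
OUTSIDE_HOST = "198.51.100.9"

# Same shape as the two conduit lines in the thread: TCP 443 and 80 into the DMZ from anywhere.
TCP_ONLY = [
    {"proto": IPPROTO_TCP, "dst": DMZ, "dport": 443},
    {"proto": IPPROTO_TCP, "dst": DMZ, "dport": 80},
]
# Granular ICMP: admit echo-reply and destination-unreachable by type, still no echo-request.
WITH_ICMP_TYPES = TCP_ONLY + [
    {"proto": IPPROTO_ICMP, "dst": DMZ, "icmp_type": ICMP_ECHO_REPLY},
    {"proto": IPPROTO_ICMP, "dst": DMZ, "icmp_type": ICMP_UNREACHABLE},
]

HTTPS_SYN = build_ipv4(OUTSIDE_HOST, WEB, IPPROTO_TCP, tcp_syn(40000, 443))
SSH_SYN = build_ipv4(OUTSIDE_HOST, WEB, IPPROTO_TCP, tcp_syn(40001, 22))
PING = build_ipv4(OUTSIDE_HOST, WEB, IPPROTO_ICMP, icmp_header(ICMP_ECHO_REQUEST))
PONG = build_ipv4(OUTSIDE_HOST, WEB, IPPROTO_ICMP, icmp_header(ICMP_ECHO_REPLY))

if __name__ == "__main__":
    for name, pkt in [("https", HTTPS_SYN), ("ssh", SSH_SYN), ("ping", PING), ("pong", PONG)]:
        print(f"{name:6} tcp-only={decide(TCP_ONLY, pkt):6} with-icmp-types={decide(WITH_ICMP_TYPES, pkt)}")
```

Run stand-alone it prints one line per packet. Under the TCP-only rules the echo request is dropped by default deny rather than by any ICMP rule, which is the behaviour Lisa describes for the PIX; the second rule set shows the per-type granularity Bayard's reply recommends, admitting echo-reply and unreachable (needed for path MTU discovery) while echo-request stays blocked.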

