Monday, November 12, 2007

firewall-wizards Digest, Vol 19, Issue 9

Send firewall-wizards mailing list submissions to
firewall-wizards@listserv.icsalabs.com

To subscribe or unsubscribe via the World Wide Web, visit
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
or, via email, send a message with subject or body 'help' to
firewall-wizards-request@listserv.icsalabs.com

You can reach the person managing the list at
firewall-wizards-owner@listserv.icsalabs.com

When replying, please edit your Subject line so it is more specific
than "Re: Contents of firewall-wizards digest..."


Today's Topics:

1. Re: Pix Inbound NAT (Julian M. Dragut)
2. Re: 2nd Life (Brian Loe)
3. Re: FYI: DDOS services for sale... (Dave Null)


----------------------------------------------------------------------

Message: 1
Date: Mon, 12 Nov 2007 10:56:43 -0500
From: "Julian M. Dragut" <julianmd@gmail.com>
Subject: Re: [fw-wiz] Pix Inbound NAT
To: "Firewall Wizards Security Mailing List"
<firewall-wizards@listserv.icsalabs.com>
Message-ID:
<8118617d0711120756v1e97dc89yf9a1e73e4a65c3d6@mail.gmail.com>
Content-Type: text/plain; charset=ISO-8859-1

Sivakumar,


If you want to allow traffic coming to an interface, the ACL needs
to apply to that interface.
In your case, the out2in ACL is bound to the inside interface, and it
should be applied to the outside.

ACLs apply to the incoming traffic towards an interface. Think of the PIX
as a box, and you are inside it. Which interface will the traffic come
into the box through? (In your case, through the outside interface.)
Then you need to apply the ACL to that interface.

In regard to the NAT with ACL, a correct command will be:

nat (inside) 0 access-list "name" - which translates to - for the
"inside" hosts declared in the access-list "name", please do not do
any NAT.

In your case, you need bidirectional NAT, and the command should be

nat (outside) 0 access-list out2in


----****-----

access-list out2in permit tcp 1.0.0.0 255.0.0.0 10.0.0.0 255.0.0.0
access-group out2in in interface outside
nat (outside) 0 access-list out2in


Julian M. Dragut

On Nov 12, 2007 4:57 AM, sivakumar <siva_itech@yahoo.com> wrote:
>
> Hi,
>
> I just want to allow flows from Outside to Inside on Pix ver 6.3. I'm
> totally confused since it doesn't allow me to perform the operation. Please
> check the configs below and guide me if it's wrong.
>
> interface inside security level 100
> interface outside security level 60
>
> access-list out2in permit tcp 1.0.0.0 255.0.0.0 10.0.0.0 255.0.0.0
> access-group out2in in interface inside
>
> nat(inside) 0 access-list out2in outside ----> is that outside required and
> tell me why it is used?
>
> And further, should I need to apply this to my Outside interface or inside
> interface? I want the addresses to be sent as such without Natting to my
> internal network.
>
> --
> View this message in context: http://www.nabble.com/Pix-Inbound-NAT-tf4737527.html#a13547961
> Sent from the Firewall Wizards mailing list archive at Nabble.com.
>
>
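The rule in the reply above (the ACL must be applied inbound on the interface the flow enters, and the nat 0 exemption must name that same interface) can be checked mechanically. This is an added example, not code from the thread; it parses only the three PIX 6.3 command forms quoted in the thread, and the `ingress` parameter and sample configs are constructed for illustration.

```python
import re

# Constructed samples: the questioner's binding (ACL on the inside
# interface) and the binding the reply recommends (both on outside).
ORIGINAL_CFG = """
access-list out2in permit tcp 1.0.0.0 255.0.0.0 10.0.0.0 255.0.0.0
access-group out2in in interface inside
nat (inside) 0 access-list out2in outside
"""
CORRECTED_CFG = """
access-list out2in permit tcp 1.0.0.0 255.0.0.0 10.0.0.0 255.0.0.0
access-group out2in in interface outside
nat (outside) 0 access-list out2in
"""

ACE_RE = re.compile(r"^access-list\s+(\S+)\s+(?:permit|deny)\s+")
GROUP_RE = re.compile(r"^access-group\s+(\S+)\s+in\s+interface\s+(\S+)")
NAT0_RE = re.compile(r"^nat\s*\((\S+)\)\s+0\s+access-list\s+(\S+)")


def parse(cfg):
    """Collect ACL names, access-group bindings and nat 0 exemptions."""
    acls, bindings, nat0 = set(), {}, {}
    for raw in cfg.splitlines():
        line = raw.strip()
        if m := ACE_RE.match(line):
            acls.add(m.group(1))
        elif m := GROUP_RE.match(line):
            bindings[m.group(1)] = m.group(2)   # acl name -> bound interface
        elif m := NAT0_RE.match(line):
            nat0[m.group(2)] = m.group(1)       # acl name -> nat interface
    return acls, bindings, nat0


def audit(cfg, ingress="outside"):
    """Return findings for a flow that enters the PIX on `ingress`."""
    acls, bindings, nat0 = parse(cfg)
    findings = []
    for acl, nat_if in nat0.items():
        if acl not in acls:
            findings.append(f"nat 0 references undefined ACL {acl}")
            continue
        bound = bindings.get(acl)
        if bound is None:
            findings.append(f"ACL {acl} is never applied with access-group")
        elif bound != ingress:
            findings.append(f"ACL {acl} bound to {bound}; traffic enters on {ingress}")
        if nat_if != ingress:
            findings.append(f"nat ({nat_if}) 0 for {acl}; expected nat ({ingress}) 0")
    return findings
```

Running `audit(ORIGINAL_CFG)` reports both the wrong access-group interface and the wrong nat 0 interface; `audit(CORRECTED_CFG)` reports nothing.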


------------------------------

Message: 2
Date: Mon, 12 Nov 2007 10:28:43 -0600
From: "Brian Loe" <knobdy@gmail.com>
Subject: Re: [fw-wiz] 2nd Life
To: "Firewall Wizards Security Mailing List"
<firewall-wizards@listserv.icsalabs.com>
Message-ID:
<3c4611bc0711120828l41c93365ub70e7c0d132baf6c@mail.gmail.com>
Content-Type: text/plain; charset="iso-8859-1"

On Nov 12, 2007 12:27 AM, DRISCOLL, ROBERT <ROBDRI@safeco.com> wrote:

> To All:
>
> It would appear that the security concerns have been heard by our
> management and the request is off the table for now. Apparently the main
> drivers for the request were the virtual conferencing capabilities and
> marketing.
>
> <SNIP>
>
> Thanks for all your comments, this post generated a lot of interesting and
> diverse opinions.
>


I'm glad to hear the news and hope that my comments weren't *actually taken
as negative by you as others took them in your stead.


------------------------------

Message: 3
Date: Mon, 12 Nov 2007 08:29:57 -0800
From: "Dave Null" <noid23@gmail.com>
Subject: Re: [fw-wiz] FYI: DDOS services for sale...
To: "Firewall Wizards Security Mailing List"
<firewall-wizards@listserv.icsalabs.com>
Message-ID:
<956f3b8e0711120829s30ca061fx87f9fd58d133f816@mail.gmail.com>
Content-Type: text/plain; charset=ISO-8859-1

Sadly, unless they attack 'high profile' targets they pretty much do
get away with it. I would hope that various law enforcement agencies
would be concerned about people operating botnets that can number into
the 500k+ range, but a lot of them still view the whole thing as geeky
teenager shenanigans. This topic came up at a quarterly meeting I
attend and an FBI agent sitting near me said openly 'Well, why don't you
contact us when these things happen' and that person was slammed with
a battery of 'because you don't do anything, nor do you care'. The
agent didn't agree with this assessment, but at the same time couldn't
think of any cases where DDoSers had gotten nailed for hitting the
'little guys'. As they said in the movie Mega Force, deeds, not words.

I think the biggest problem overall is that the botnet operators keep
their bots in countries that either don't understand or don't care
(and in a few cases, I wouldn't be surprised to find that their
botnets are state sponsored). At that same meeting I attended there
was a great presentation on botnets and the presenter explained the
challenges and frustration of trying to find relevant agencies and
helpful people to listen to his issues. However, he did come up with
two good points I'll pass along.

1. Look for regional CERT organizations. They, since they are in the
region and are computer security folks, will have a clue and will
probably be able to point you to the correct law enforcement agency.

2. If you are American*, call that country's US embassy and ask to
speak to the Security Director. It's the SD's job to be in touch with
various local law enforcement. The presenter said he had great results
talking to the regional SD on an issue.

*Basing that on his experience; not sure how other countries set up
their embassies, but it may work for you too. YMMV.

-noid


------------------------------



End of firewall-wizards Digest, Vol 19, Issue 9
***********************************************
