Wednesday, July 06, 2005

firewall-wizards digest, Vol 1 #1627 - 3 msgs

Send firewall-wizards mailing list submissions to
firewall-wizards@honor.icsalabs.com

To subscribe or unsubscribe via the World Wide Web, visit
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
or, via email, send a message with subject or body 'help' to
firewall-wizards-request@honor.icsalabs.com

You can reach the person managing the list at
firewall-wizards-admin@honor.icsalabs.com

When replying, please edit your Subject line so it is more specific
than "Re: Contents of firewall-wizards digest..."

Today's Topics:

1. Re: Opinion: Worst interface ever. (Darren Reed)
2. Re: Opinion: Worst interface ever. (Paul D. Robertson)
3. Re: Cisco PIX Version 6.3(3) SMTP Problem (Paul D. Robertson)

--__--__--

Message: 1
From: Darren Reed <darrenr@reed.wattle.id.au>
Subject: Re: [fw-wiz] Opinion: Worst interface ever.
To: "Paul D. Robertson" <paul@compuwar.net>
Date: Wed, 6 Jul 2005 12:15:03 +1000 (EST)
Cc: "Marcus J. Ranum" <mjr@ranum.com>, firewall-wizards@icsalabs.com

> On Tue, 5 Jul 2005, Marcus J. Ranum wrote:
>
> > That's a chip-head thing, Paul. Remember - it's all about performance,
> > not security. By re-ordering the ruleset the firewall can evaluate the
> > rules in the fastest possible manner. I had this explained to me once
> > by an engineer who builds ASIC firewalls for a living - he thought it was
> > a very cool optimization.
>
> I don't mind the optimization[1], I mind the fact that the UI won't tell
> me how the rules are optimized. I mind that I can't seem to find the
> logging software on the disk the UI came on, so I can't even see what the
> heck rule is making the box send out ICMP port unreachables. I mind that
> following the instructions doesn't produce the results I expect.
>
> If I ever have to audit one of these things, I'm charging extra.

How do you audit firewall-1 ? Do you ask the kernel module for the rules
*it* has loaded or do you just accept what the gui gives you ?
Does FW-1 tell you how it optimises rules when it compiles your ruleset ?
Or does auditing fw-1 primarily revolve around testing ?

For me, being able to audit the loaded configuration against what's
in a configuration file has been one of the primary design goals of ipfilter.

Darren
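
[Added example, not part of the digest or of ipfilter itself: one way to do the audit Darren describes, comparing the rules the kernel has loaded with the rules in the configuration file, in order. It assumes the two inputs were captured with something like `ipfstat -io` for the loaded list and the text of /etc/ipf.conf for the file; the rule text below is constructed for the demo and written in the file's syntax, which ipfstat may print in a slightly different form, so normalize() should be extended to match whatever your build emits. Because ipfilter evaluates rules in order and the last match wins unless a rule says "quick", the comparison treats a reordered rule as a change, not a match.]

```python
"""Audit an ipfilter ruleset: compare what the kernel has loaded with what
the configuration file says, order included.

Added example, not ipfilter's own tooling. Assumed capture commands:
`ipfstat -io` for the loaded rules, the file text for the configured ones.
All rule text below is constructed for the demonstration.
"""
import difflib
import re

# Constructed: the configuration file.
CONFIGURED = """
# default deny, then explicit passes
block in all
block out all
pass out quick on em0 proto tcp from any to any keep state
pass in quick on em0 proto tcp from any to 192.0.2.10 port = 25 keep state
pass in quick on em0 proto tcp from any to 192.0.2.10 port = 80 keep state
"""

# Constructed: what the kernel reports. Two rules swapped, one added by hand.
LOADED = """
block in all
block out all
pass in quick on em0 proto tcp from any to 192.0.2.10 port = 80 keep state
pass in quick on em0 proto tcp from any to 192.0.2.10 port = 25 keep state
pass in quick on em0 proto tcp from 198.51.100.7/32 to 192.0.2.10 port = 22 keep state
pass out quick on em0 proto tcp from any to any keep state
"""


def normalize(text):
    """Drop comments and blank lines and collapse whitespace, so that only
    differences in the rules themselves survive the comparison."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            rules.append(re.sub(r"\s+", " ", line))
    return rules


def audit(configured_text, loaded_text):
    """Compare the two rule sequences in order.

    Returns a dict with three lists:
      missing   - in the file, not loaded
      extra     - loaded, not in the file
      reordered - present in both, but at a different position relative
                  to the other rules (a semantic change in ipfilter)
    """
    want = normalize(configured_text)
    have = normalize(loaded_text)
    missing, extra = [], []
    matcher = difflib.SequenceMatcher(a=want, b=have, autojunk=False)
    for op, i1, i2, j1, j2 in matcher.get_opcodes():
        if op != "equal":
            missing.extend(want[i1:i2])
            extra.extend(have[j1:j2])
    reordered = [r for r in missing if r in extra]
    return {
        "missing": [r for r in missing if r not in extra],
        "extra": [r for r in extra if r not in missing],
        "reordered": reordered,
    }


if __name__ == "__main__":
    for kind, rules in audit(CONFIGURED, LOADED).items():
        for rule in rules:
            print(f"{kind:10s} {rule}")
```

On the constructed input the report lists the hand-added port 22 rule as extra and the two swapped port 25/80 rules as reordered, with nothing missing; an empty report for all three lists is the "loaded matches file" result an auditor wants to see.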

--__--__--

Message: 2
Date: Wed, 6 Jul 2005 08:46:49 -0400 (EDT)
From: "Paul D. Robertson" <paul@compuwar.net>
To: Darren Reed <darrenr@reed.wattle.id.au>
Cc: "Marcus J. Ranum" <mjr@ranum.com>, firewall-wizards@icsalabs.com
Subject: Re: [fw-wiz] Opinion: Worst interface ever.

On Wed, 6 Jul 2005, Darren Reed wrote:

> How do you audit firewall-1 ? Do you ask the kernel module for the rules
> *it* has loaded or do you just accept what the gui gives you ?

Absent any indication that there's stuff going on that shouldn't be, what
the GUI gives out should suffice if you're also testing with live packets.

> Does FW-1 tell you how it optimises rules when it compiles your ruleset ?
> Or does auditing fw-1 primarily revolve around testing ?
>

In theory, optimization should impact performance (which is why ordering
rules is important)- rejecting the biggest pile of rejects or accepting
the largest amount of permitted traffic first should speed things up. If
optimization changes behavior, then things get um, "interesting"- which is
why knowing what fields optimize over others is crucial, but knowing
which addresses take precedence over others is just nice to have.

Paul
-----------------------------------------------------------------------------
Paul D. Robertson "My statements in this message are personal opinions
paul@compuwar.net which may have no basis whatsoever in fact."
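
[Added example, not part of the digest and not any vendor's optimizer: what "optimization should impact performance but not behavior" looks like as a check. For a first-match ruleset, two rules can be swapped freely unless some packet could match both and their actions differ; keeping every such pair in its original relative order is sufficient to guarantee that no packet's decision changes (the first rule a packet hits cannot change action without some conflicting pair having been swapped). The check is conservative, so it may refuse a reorder that a deeper analysis would allow, but it never accepts an unsafe one. Rules, addresses and hit counts below are constructed; the same pairwise argument carries over to a pure last-match ruleset, while a mixed ipfilter ruleset using "quick" needs more care.]

```python
"""Reorder a first-match ruleset by hit count without changing any decision.

Added example, not a product's code. Rules, addresses (RFC 5737 ranges)
and hit counts are constructed for the demonstration.
"""
import ipaddress
from collections import namedtuple

Rule = namedtuple("Rule", "name action proto src dst dport")


def parse(line):
    """'name action proto src dst dport', with 'any' as the wildcard."""
    name, action, proto, src, dst, dport = line.split()
    net = lambda s: None if s == "any" else ipaddress.ip_network(s)
    return Rule(name, action, None if proto == "any" else proto,
                net(src), net(dst), None if dport == "any" else int(dport))


def may_overlap(a, b):
    """True if some packet could match both rules."""
    if a.proto and b.proto and a.proto != b.proto:
        return False
    for x, y in ((a.src, b.src), (a.dst, b.dst)):
        if x and y and not x.overlaps(y):
            return False
    if a.dport is not None and b.dport is not None and a.dport != b.dport:
        return False
    return True


def constraints(rules):
    """Pairs (i, j), i < j, whose relative order must be preserved."""
    return {(i, j) for i in range(len(rules)) for j in range(i + 1, len(rules))
            if rules[i].action != rules[j].action
            and may_overlap(rules[i], rules[j])}


def is_safe_reorder(rules, new_order):
    """new_order is a permutation of indices into rules."""
    pos = {idx: k for k, idx in enumerate(new_order)}
    return all(pos[i] < pos[j] for i, j in constraints(rules))


def optimize(rules, hits):
    """Highest hit count first, subject to every constraint (priority Kahn's)."""
    cons = constraints(rules)
    remaining = set(range(len(rules)))
    order = []
    while remaining:
        ready = [i for i in remaining if not any((j, i) in cons for j in remaining)]
        best = max(ready, key=lambda i: hits[rules[i].name])
        order.append(best)
        remaining.remove(best)
    return order


def first_match(rules, proto, src, dst, dport):
    """Decision for one packet under first-match semantics; implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if (r.proto in (None, proto) and (r.src is None or s in r.src)
                and (r.dst is None or d in r.dst) and r.dport in (None, dport)):
            return r.name, r.action
    return None, "deny"


# Constructed ruleset and hit counts.
RULES = [parse(l) for l in (
    "r1 deny tcp 198.51.100.0/24 any any",   # block a hostile network
    "r2 allow tcp any 192.0.2.10/32 25",     # SMTP to the MX
    "r3 allow tcp any 192.0.2.10/32 80",     # web
    "r4 deny tcp any 192.0.2.0/24 23",       # no telnet anywhere
    "r5 allow udp any 192.0.2.53/32 53",     # DNS
)]
HITS = {"r1": 50, "r2": 90000, "r3": 500000, "r4": 10, "r5": 300000}

if __name__ == "__main__":
    naive = sorted(range(len(RULES)), key=lambda i: -HITS[RULES[i].name])
    safe = optimize(RULES, HITS)
    print("constraints:", sorted(constraints(RULES)))
    print("naive by hits:", [RULES[i].name for i in naive], is_safe_reorder(RULES, naive))
    print("safe by hits: ", [RULES[i].name for i in safe], is_safe_reorder(RULES, safe))
    pkt = ("tcp", "198.51.100.7", "192.0.2.10", 80)
    print("original:", first_match(RULES, *pkt))
    print("naive:   ", first_match([RULES[i] for i in naive], *pkt))
```

The naive sort puts r3 ahead of r1, so a web request from the blocked network goes from deny to allow; the constrained sort keeps r1 ahead of r2 and r3 but still floats r5 and r3 to the top. Printing the constraint set is the part a UI should show, since it is exactly "what fields optimize over others".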

--__--__--

Message: 3
Date: Wed, 6 Jul 2005 08:51:15 -0400 (EDT)
From: "Paul D. Robertson" <paul@compuwar.net>
To: "David M. Nicksic" <dnicksic@mossbaygroup.com>
Cc: firewall-wizards@honor.icsalabs.com
Subject: Re: [fw-wiz] Cisco PIX Version 6.3(3) SMTP Problem

On Tue, 5 Jul 2005, David M. Nicksic wrote:

> I am using a PIX 520 v 6.3.3 and having a spam problem. A spam service
> Postini is employed. I want to deny all SMTP traffic unless it comes from
> one of the Postini servers. Can the PIX be configured to accomplish this?
>

Almost any firewall can; however, you'll be out of e-mail if the provider
has to put up a new server because of an attack, failure, problem or
address change. It's probably better to configure your mail server to
reject based on forward/reverse lookups; since you're dealing with one
zone, you'll be able to cache the lookups pretty well.

Note that Postini rejects mail if your server isn't reachable by it- so
it's not all that resilient if you're under attack or having server
issues[1]. Personally, I'd rather run Mailscanner on a Postfix instance
than outsource something as critical as e-mail.

Paul
[1] Theoretically most things will retry, but you may want to test
critical pager/cell/alert stuff to make sure it won't just give up if
you're under conditions where contacting you becomes important.
-----------------------------------------------------------------------------
Paul D. Robertson "My statements in this message are personal opinions
paul@compuwar.net which may have no basis whatsoever in fact."
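
[Added example, not part of the digest and not Postini's or Cisco's code: the forward/reverse lookup gate Paul recommends instead of pinning the firewall to a list of provider addresses. A client is accepted only if its PTR name lies inside the provider's zone and that name resolves forward to the connecting address (forward-confirmed reverse DNS), so a new provider server in the same zone keeps working while a host with a forged PTR, or a PTR that merely contains the zone string, is refused. The resolver is injected so the code runs offline; the zone name and addresses are constructed documentation values, not real Postini servers.]

```python
"""Forward-confirmed reverse DNS gate for inbound SMTP clients.

Added example. PROVIDER_ZONE, every hostname and every address below are
constructed (RFC 5737 / RFC 2606 values); a real deployment would plug
in a real resolver with caching.
"""
import ipaddress

# Constructed stand-in for the filtering provider's zone.
PROVIDER_ZONE = "mail-filter.example.net"


def reverse_name(ip):
    """PTR owner name for an IPv4 or IPv6 address (in-addr.arpa / ip6.arpa)."""
    return ipaddress.ip_address(ip).reverse_pointer


class FakeResolver:
    """Offline resolver: ptr maps PTR owner names to hostnames,
    fwd maps hostnames to address lists."""

    def __init__(self, ptr, fwd):
        self.ptr = ptr
        self.fwd = fwd

    def lookup_ptr(self, ip):
        return self.ptr.get(reverse_name(ip), [])

    def lookup_addr(self, name):
        return self.fwd.get(name.lower().rstrip("."), [])


def in_zone(name, zone):
    """True if name equals zone or is a label-aligned subdomain of it."""
    name = name.lower().rstrip(".")
    zone = zone.lower().rstrip(".")
    return name == zone or name.endswith("." + zone)


def fcrdns_allows(ip, zone, resolver):
    """Return (allowed, reason).

    Allowed only when some PTR name for ip is inside zone and forward-
    resolves back to ip. A PTR like mail-filter.example.net.attacker.test
    is not inside the zone, and an in-zone PTR whose forward record points
    elsewhere is a forged reverse record; both are rejected.
    """
    addr = ipaddress.ip_address(ip)
    names = resolver.lookup_ptr(ip)
    if not names:
        return False, "no PTR record"
    in_zone_names = [n for n in names if in_zone(n, zone)]
    if not in_zone_names:
        return False, "PTR not in " + zone
    for name in in_zone_names:
        forward = {ipaddress.ip_address(a) for a in resolver.lookup_addr(name)}
        if addr in forward:
            return True, f"PTR {name} confirmed"
    return False, f"PTR {in_zone_names[0]} does not resolve back to {ip}"


# Constructed records for the demonstration.
RESOLVER = FakeResolver(
    ptr={
        reverse_name("192.0.2.10"): ["mx1.mail-filter.example.net."],
        reverse_name("192.0.2.11"): ["mx2.mail-filter.example.net."],  # forged PTR
        reverse_name("198.51.100.5"): ["smtp.attacker.test."],
        reverse_name("198.51.100.6"): ["mail-filter.example.net.attacker.test."],
    },
    fwd={
        "mx1.mail-filter.example.net": ["192.0.2.10"],
        "mx2.mail-filter.example.net": ["192.0.2.20"],  # not 192.0.2.11
        "smtp.attacker.test": ["198.51.100.5"],
        "mail-filter.example.net.attacker.test": ["198.51.100.6"],
    },
)

if __name__ == "__main__":
    for client in ("192.0.2.10", "192.0.2.11", "198.51.100.5",
                   "198.51.100.6", "203.0.113.9"):
        print(client, fcrdns_allows(client, PROVIDER_ZONE, RESOLVER))
```

Only 192.0.2.10 passes; the forged PTR, the two attacker names and the address with no PTR are all refused with a reason suitable for the SMTP reject text or the log. Postfix's own reject_unknown_reverse_client_hostname and reject_unknown_client_hostname restrictions perform the same reverse and forward-confirmed checks, and a check_client_access table keyed on the provider's domain restricts acceptance to that zone, so on a Postfix MTA this can be configured rather than coded.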

--__--__--

_______________________________________________
firewall-wizards mailing list
firewall-wizards@honor.icsalabs.com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

End of firewall-wizards Digest
