Friday, December 19, 2008

firewall-wizards Digest, Vol 32, Issue 9

Send firewall-wizards mailing list submissions to
firewall-wizards@listserv.icsalabs.com

To subscribe or unsubscribe via the World Wide Web, visit
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
or, via email, send a message with subject or body 'help' to
firewall-wizards-request@listserv.icsalabs.com

You can reach the person managing the list at
firewall-wizards-owner@listserv.icsalabs.com

When replying, please edit your Subject line so it is more specific
than "Re: Contents of firewall-wizards digest..."


Today's Topics:

1. Re: accessing SMTP server via the translated address (Chris Myers)


----------------------------------------------------------------------

Message: 1
Date: Fri, 12 Dec 2008 20:14:02 -0600
From: Chris Myers <clmmacunix@charter.net>
Subject: Re: [fw-wiz] accessing SMTP server via the translated address
To: rudy@rudal.com, Firewall Wizards Security Mailing List
<firewall-wizards@listserv.icsalabs.com>
Message-ID: <FDD2FEC4-73E3-4836-93F3-5A731698370B@charter.net>
Content-Type: text/plain; charset="us-ascii"; Format="flowed";
DelSp="yes"

You cannot do it conventionally. The firewall sees it as a spoofed
address. You cannot go out to the internet and back in the same
interface for a stateful connection. The state table sees the packet
out of state. Why do you want to go to the outside address, since you
are on the same subnet? You should be accessing this from L2. I also
would get your SMTP server to a DMZ and off your inside, as this is
insecure. You are leaving your whole inside network open to attack if
the SMTP server is compromised. You could get a proxy on the outside
to point to your SMTP server for SMTP traffic. That way a state can be
created with a SYN from the proxy to your SMTP IP. Another is same-
security-traffic permit {inter-interface | intra-interface} using the
intra-interface, but this renders the spoofing useless and with the
possibility of a compromise, now the possibility of the attacker
spoofing your subnet for everything on the network he/she attacks. A
log nightmare and hard to determine what is legitimate traffic vs.
malicious. It is new and I have not used it a lot, since I do not have
those configurations in front of me I cannot say conclusively this
will work.


Thank You,

Chris Myers
clmmacunix@charter.net

John 1:17
For the Law was given through Moses; grace and truth were realized
through Jesus Christ.


Go Vols!!!!

On Dec 12, 2008, at 3:17 AM, Rudy Setiawan wrote:

> Hi,
>
> we have a firewall, both outside and inside interfaces.
> We have a SMTP server that lives in the inside network
> and it's translated to a public IP on the outside interface.
> SMTP inside IP: 10.10.1.2
> Translated IP: 216.15.4.4
> in the pix (version 7.2.3)
> static (inside,outside) 216.15.4.4 10.10.1.2 netmask 255.255.255.255
>
> I have a workstation with IP 10.10.1.4 which has a translated IP of
> 216.15.4.6
>> From my workstation I tried to access 216.15.4.4 port 25 or ping
> 216.15.4.4. I got request timed out.
>
> I have access-list that allows icmp as well as port 25 on the
> 216.15.4.4 IP.
> I am able to access port 25 and ping the IP from anywhere in the
> world.
>
> How can I permit such traffic?
>
> Thanks,
> Rudy
> _______________________________________________
> firewall-wizards mailing list
> firewall-wizards@listserv.icsalabs.com
> https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://listserv.icsalabs.com/pipermail/firewall-wizards/attachments/20081212/e7e6d8d3/attachment.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: pastedGraphic.tiff
Type: image/tiff
Size: 18654 bytes
Desc: not available
URL: <https://listserv.icsalabs.com/pipermail/firewall-wizards/attachments/20081212/e7e6d8d3/attachment.tiff>

------------------------------

_______________________________________________
firewall-wizards mailing list
firewall-wizards@listserv.icsalabs.com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards


End of firewall-wizards Digest, Vol 32, Issue 9
***********************************************

No comments:

Post a Comment