What's your firewall?

Discussion in 'Technology' started by Chiquitibum, Aug 16, 2005.

  1. Chiquitibum

    Why do you say that?

    If your firewall is wide open, maybe.

    If your firewall is tight, you need ports open: 25 for email, 80 for browsing, 21 for FTP, 22 for secure shell, etc.
     
  2. Naughtius Maximus

  3. MikeLastort2

    I can't believe it took you this long. ;)
     
  4. Chiquitibum

    ignt!

    What's up with you guys?



    here is a scenario

    winXP --> firewall -- Internet --> mikeysgayFW --> mikePronserver
    ------outbound open--------inbound open-----------------w00t pron
    -------ssh, 21, 80, etc-------ssh, 21, 80, etc---------------access gained
    -------deny all----------------deny all---------------------access denied.


    What is so hard to understand about that?
     
  5. Naughtius Maximus

    You're saying that you have to allow INBOUND, NOT OUTBOUND, connections to YOUR MACHINE ... NOT HIS ... on port 80 or 21. That's what!

    You said:-

    _____

    'In my real life config:

    Remote workstation --> Internet --> My home FW(443 open inbound) -- My webserver

    get it now?'

    _____

    And that's WRONG! You don't need to allow inbound connections on ANY port unless you are running a server on it... NOT A CLIENT... a server!
     
  6. Chiquitibum

    That's what I was saying in the first place. I made two examples of my network and an MS network previously, so I think that's how you got confused.

    I see we are on the same page now.

    Basically, the ACK traffic is stateful.
     
  7. Naughtius Maximus

    I'm still a bit worried that some people, having read this, will open up ports on their firewalls on 25 or 110, for example, if they can't get their email working properly and think it might be something to do with their firewall not being set up properly.

    Actually there ARE some (very specific) conditions when it MAY be necessary to open a port, but generally, as you know, people do not need to open up holes in their firewall to use a computer to access the internet. The answer is always to block all incoming traffic from the internet and only in very extreme circumstances open a port up, and only THEN when you've checked absolutely everything else out AND asked someone more knowledgeable than yourself what it might be. If the firewall might be causing a problem, then, and only then, try (for a brief period, i.e. minutes if possible) opening up the relevant hole in your firewall and see if it makes a difference.

    As you know, most problems with firewalls are nothing to do with the system itself and usually revolve around things like DNS resolution and suchlike.
     
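    The point the two of them finally agree on (replies to a connection the inside host opened come back through a stateful firewall on their own, and an inbound allow rule is only needed for a host that is actually running a server, like the web server with 443 open inbound above) is easier to see in code than in ASCII diagrams. The block below is an added example, not from anyone in this thread: a toy connection-tracking filter with a default-deny inbound policy. The addresses, the 192.168.1.0/24 inside net, the hypothetical web server 192.168.1.10 and the packet sequence are all constructed for illustration.

```python
"""Toy stateful packet filter: default-deny inbound, track outbound flows.

Added example, not from the forum thread. Addresses, hosts and the
packet sequence are constructed for illustration.
"""
from dataclasses import dataclass
from typing import List, Set, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False   # connection-opening packet
    ack: bool = False   # reply / continuation packet


# A tracked flow, always stored as (inside host, inside port, outside host, outside port)
Flow = Tuple[str, int, str, int]


class StatefulFirewall:
    def __init__(self, inside_prefix: str, inbound_services: Set[Tuple[str, int]]):
        self.inside_prefix = inside_prefix            # e.g. "192.168.1."
        self.inbound_services = inbound_services      # (inside host, port) we deliberately expose
        self.state: Set[Flow] = set()                 # connection-tracking table

    def _is_inside(self, addr: str) -> bool:
        return addr.startswith(self.inside_prefix)

    def filter(self, pkt: Packet) -> str:
        outbound = self._is_inside(pkt.src) and not self._is_inside(pkt.dst)
        inbound = self._is_inside(pkt.dst) and not self._is_inside(pkt.src)

        if outbound:
            # Outbound is open: allow it and remember the flow so the replies can come back.
            self.state.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return "ACCEPT outbound"

        if inbound:
            # Inbound is allowed only when it belongs to a flow an inside host opened ...
            if (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.state:
                return "ACCEPT established"
            # ... or when it is a new connection to a service we chose to expose (a server).
            if pkt.syn and (pkt.dst, pkt.dport) in self.inbound_services:
                self.state.add((pkt.dst, pkt.dport, pkt.src, pkt.sport))
                return "ACCEPT server"
            # Everything else, including unsolicited SYNs to a client's port 80, is dropped.
            return "DROP default-deny"

        return "DROP not routed"


def run_scenario() -> List[str]:
    """Replay a constructed packet sequence and return the verdicts in order."""
    fw = StatefulFirewall("192.168.1.", inbound_services={("192.168.1.10", 443)})
    packets = [
        Packet("192.168.1.50", 51000, "203.0.113.7", 80, syn=True),    # client browses a website
        Packet("203.0.113.7", 80, "192.168.1.50", 51000, ack=True),    # the reply: matches state
        Packet("203.0.113.7", 80, "192.168.1.50", 51001, ack=True),    # forged "reply": no state
        Packet("198.51.100.9", 40000, "192.168.1.50", 80, syn=True),   # unsolicited SYN at the client
        Packet("198.51.100.9", 40001, "192.168.1.10", 443, syn=True),  # new connection to the web server
        Packet("198.51.100.9", 40001, "192.168.1.10", 443, ack=True),  # its continuation
        Packet("192.168.1.50", 51002, "203.0.113.7", 110, syn=True),   # POP3: no inbound rule needed
        Packet("203.0.113.7", 110, "192.168.1.50", 51002, ack=True),   # the mail server answers
    ]
    return [fw.filter(p) for p in packets]


if __name__ == "__main__":
    for verdict in run_scenario():
        print(verdict)
```

    Note what the table does for the email case at the end: the client's outbound connection to port 110 is recorded, so the server's answer is accepted as established traffic, which is exactly why opening 25 or 110 inbound does nothing to fix a client's mail problem.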
  8. Grouchy

    Feel like this yet?

     
  9. -cman-

    http://cgi.ebay.com/Cisco-PIX-501-F...799180009QQcategoryZ64019QQrdZ1QQcmdZViewItem

    Code:
    PIX Version 6.3(1)
    interface ethernet0 auto
    interface ethernet1 auto
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    enable password zNZB4a3pGhn.Bh.T encrypted
    passwd zNZB4a3pGhn.Bh.T encrypted
    hostname myPIX
    domain-name mydomain.com
    clock timezone CST -6
    clock summer-time CDT recurring
    fixup protocol ftp 21
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol http 80
    fixup protocol ils 389
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol sip 5060
    fixup protocol sip udp 5060
    fixup protocol skinny 2000
    fixup protocol smtp 25
    fixup protocol sqlnet 1521
    names
    access-list 90 permit ip 192.168.1.0 255.255.255.0 192.168.200.0 255.255.255.0
    access-list nonat permit ip 192.168.1.0 255.255.255.0 192.168.200.0 255.255.255.0
    access-list outside_acl permit icmp any any echo-reply
    access-list outside_acl permit icmp any any
    pager lines 24
    logging on
    mtu outside 1500
    mtu inside 1500
    ip address outside 172.31.8.254 255.255.255.0
    ip address inside 192.168.1.254 255.255.255.0
    ip verify reverse-path interface outside
    ip audit info action alarm
    ip audit attack action alarm
    ip local pool vpnpool 192.168.200.1-192.168.200.100
    pdm logging notifications 100
    no pdm history enable
    arp timeout 14400
    global (outside) 1 172.31.8.100-172.31.8.199 netmask 255.255.255.0
    global (outside) 1 172.31.8.200 netmask 255.255.255.0
    nat (inside) 0 access-list nonat
    nat (inside) 1 192.168.1.0 255.255.255.0 0 0
    static (inside,outside) 172.31.8.21 192.168.1.3 netmask 255.255.255.255 0 0
    static (inside,outside) 172.31.8.22 192.168.1.5 netmask 255.255.255.255 0 0
    access-group outside_acl in interface outside
    route outside 0.0.0.0 0.0.0.0 172.31.8.253 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
    timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server RADIUS protocol radius
    aaa-server LOCAL protocol local
    url-server (inside) vendor websense host 192.168.1.5 timeout 5 protocol TCP version 1
    filter url http 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 allow
    no snmp-server location
    no snmp-server contact
    snmp-server community public
    no snmp-server enable traps
    no floodguard enable
    sysopt connection permit-ipsec
    sysopt connection permit-pptp
    sysopt ipsec pl-compatible
    sysopt noproxyarp inside
    crypto ipsec transform-set strong esp-des esp-md5-hmac
    crypto dynamic-map dynmap 10 set transform-set strong
    crypto map mymap 10 ipsec-isakmp dynamic dynmap
    crypto map mymap client configuration address initiate
    crypto map mymap client configuration address respond
    crypto map mymap interface outside
    isakmp enable outside
    isakmp key ******** address 0.0.0.0 netmask 0.0.0.0
    isakmp client configuration address-pool local vpnpool outside
    isakmp policy 8 authentication pre-share
    isakmp policy 8 encryption des
    isakmp policy 8 hash md5
    isakmp policy 8 group 1
    isakmp policy 8 lifetime 86400
    isakmp policy 10 authentication pre-share
    isakmp policy 10 encryption des
    isakmp policy 10 hash md5
    isakmp policy 10 group 2
    isakmp policy 10 lifetime 86400
    vpngroup MDLVpnGroup address-pool vpnpool
    vpngroup MDLVpnGroup split-tunnel 90
    vpngroup MDLVpnGroup idle-time 1800
    vpngroup MDLVpnGroup max-time 86400
    vpngroup MDLVpnGroup password ********
    vpngroup GLvpn address-pool vpnpool
    vpngroup GLvpn idle-time 1800
    vpngroup GLvpn password ********
    vpngroup vpnusers address-pool vpnpool
    vpngroup vpnusers idle-time 1800
    vpngroup vpnusers password ********
    telnet timeout 5
    ssh 172.31.3.56 255.255.255.240 outside
    ssh 192.168.1.0 255.255.255.0 inside
    ssh timeout 5
    console timeout 0
    vpdn group 1 accept dialin pptp
    vpdn group 1 ppp authentication pap
    vpdn group 1 ppp authentication chap
    vpdn group 1 ppp authentication mschap
    vpdn group 1 client configuration address local vpnpool
    vpdn group 1 pptp echo 60
    vpdn group 1 client authentication local
    vpdn username user1 password *********
    vpdn enable outside
    terminal width 80
    Cryptochecksum:a6155dab0cedfe2d61d3244e21aec6fc
    : end
    MyPIX#
    
    Done. :D
     
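    Before anyone copies that running-config, it is worth noticing what an auditor would flag in it: single DES and MD5 in both the IKE policies and the IPsec transform set, DH group 1 in policy 8, a wildcard pre-shared key accepted from any peer address, the default SNMP community "public", an `outside_acl` line that permits every ICMP type (applied inbound on the outside interface), FloodGuard disabled, and PAP allowed for PPTP. The following block is an added example, not from the poster and not a Cisco tool: a small linter that runs those checks over an excerpt of the posted config. The check list, the regexes and the finding texts are mine; the excerpt keeps the relevant lines from the config above.

```python
"""Audit PIX 6.x running-config lines for weak or permissive settings.

Added example, not from the forum thread and not a Cisco tool. The checks
and their wording are this example's own. SAMPLE_CONFIG is an excerpt of
the config posted in the thread (other lines omitted).
"""
import re
from typing import List, Tuple

SAMPLE_CONFIG = """\
access-list outside_acl permit icmp any any echo-reply
access-list outside_acl permit icmp any any
snmp-server community public
no floodguard enable
crypto ipsec transform-set strong esp-des esp-md5-hmac
isakmp key ******** address 0.0.0.0 netmask 0.0.0.0
isakmp policy 8 encryption des
isakmp policy 8 hash md5
isakmp policy 8 group 1
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
vpdn group 1 ppp authentication pap
"""

# (regex matched against one stripped config line, finding text)
CHECKS: List[Tuple[str, str]] = [
    (r"^access-list \S+ permit icmp any any$",
     "every ICMP type permitted from any source to any destination; restrict to the types needed (e.g. echo-reply)"),
    (r"^snmp-server community public$",
     "SNMP community 'public' is the well-known default; change it or disable SNMP"),
    (r"^no floodguard enable$",
     "FloodGuard connection-flood protection is disabled"),
    (r"^crypto ipsec transform-set \S+ .*\besp-des\b",
     "IPsec transform set uses single DES (56-bit key); use 3DES or AES"),
    (r"^crypto ipsec transform-set \S+ .*\besp-md5-hmac\b",
     "IPsec transform set uses MD5 HMAC; prefer SHA"),
    (r"^isakmp key \S+ address 0\.0\.0\.0 netmask 0\.0\.0\.0$",
     "wildcard pre-shared key: one key accepted from any peer address"),
    (r"^isakmp policy \d+ encryption des$",
     "IKE policy uses single DES; use 3des or aes"),
    (r"^isakmp policy \d+ hash md5$",
     "IKE policy uses MD5; use sha"),
    (r"^isakmp policy \d+ group 1$",
     "IKE policy uses DH group 1 (768-bit); use group 2 or higher"),
    (r"^vpdn group \S+ ppp authentication pap$",
     "PPTP allows PAP, which sends the password in cleartext"),
]


def audit(config: str) -> List[Tuple[int, str, str]]:
    """Return (line number, config line, finding) for every line that trips a check."""
    findings: List[Tuple[int, str, str]] = []
    for lineno, raw in enumerate(config.splitlines(), start=1):
        line = raw.strip()
        for pattern, finding in CHECKS:
            if re.search(pattern, line):
                findings.append((lineno, line, finding))
    return findings


def main() -> None:
    for lineno, line, finding in audit(SAMPLE_CONFIG):
        print(f"line {lineno}: {line}")
        print(f"    -> {finding}")


if __name__ == "__main__":
    main()
```

    The `$` anchors matter: the `echo-reply` line is a reasonable rule and is not flagged, only the bare `permit icmp any any` beneath it is. On a real box you would feed it `show running-config` output; the transform-set line produces two findings (cipher and hash) on purpose, so they can be fixed and re-checked separately.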
  10. MikeLastort2

    Well this has been the best thread in the history of the "Technology, Engines & More" forum. :)
     
  11. Naughtius Maximus

    Well, if only you'd have explained it as simply as that in the first place we could have saved ourselves a great deal of trouble ;) :D
     
  12. kerpow

    I install Check Point FireWall-1 for my clients. Those Israelis know their stuff when it comes to security. They bought Zone Alarm recently, btw, so I guess that's as good a solution as any to run on a Wintel box.

    If you're thinking of a Linux firewall check out SmoothWall, it'll run on any computer made in the last 10 years.
     
  13. kerpow

    Yup, just reading some of it now. This is the reason why I love forums :D
     
  14. Naughtius Maximus

    Of course, if you can run a small Linux box solely as a firewall, you're much safer running application firewalls.

    I used to run a box which was only a 300MHz Cyrix with 64MB RAM which ran squid for http, https and ftp tunneled through http, the SuSE ftp-proxy suite called, intriguingly, ftp-proxy, and postfix for email including anti-virus and anti-spam. There's various other things like dante but, hey... users don't NEED those facilities, do they :)

    Anyway, good stuff and worth a look if you've got a spare machine and a few hours.
     
  15. Chiquitibum

    Smoothwall is a nice firewall; Checkpoint is also, but not free, I believe.
     
  16. Chiquitibum

    I've been thinking of installing and setting up SpamAssassin on my firewall to get rid of some of the spam I get from my Earthlink email address. I'll need to look into it.
     
  17. Naughtius Maximus

    It's pretty good. It works as a kind of filter to postfix, sendmail, qmail or even plain old procmail. Have a look at http://spamassassin.apache.org/ for details.
     
  18. Chiquitibum

    I've heard good stuff about this firewall. It is its own distro, and the site looks informative, but rather slow.

    http://www.ipcop.org
     
  19. Grouchy

    I posted some initial info on the D-Link wireless "gaming" router/firewall I just purchased in my blog.
     
  20. zpjohnstone

    I'm installing a Watchguard Firebox X500 for a client and I would HIGHLY recommend against anyone buying one for their SMB.
     
  21. Naughtius Maximus

    Not likely to be happening any time soon but, as a matter of interest, what's the problem with it? Difficult to configure? Unreliable?
     
  22. zpjohnstone

    So first you have to take the server you want to control the FW and take it off-line so you can connect a cross-over and serial cable to the FW to run the initial config. And it steers you to a really basic config, so it's unlikely that you're going to be able to roll out your FW fully configured, which blows.

    I have configured at least 200 firewalls, and I will have to say that this is one of the more unintuitive interfaces ever. Plus it does that thing, like the Checkpoint paradigm, where you save the config locally and then bounce it up to the FW, which doesn't work right. Config changes sometimes take, sometimes they don't. Big friggin problem.

    The HTTP filtering is so restrictive I know the client is going to end up turning it off. It basically filters EVERYTHING. They couldn't get to business partner sites, which didn't have anything remotely objectionable on the sites. Not a very granular classification system for site filtering, either: no 'shopping', for example.

    At the very least, don't even think about using the web filtering.

    Still don't have IRC working right, of all things. Have statically NATed SMTP and HTTP servers working fine . . .

    I'm not usually stumped by a firewall.
     
  23. Naughtius Maximus

    Yeah, see what you mean. Sounds fun... Not.

    I've maybe done a few hundred firewalls as well over the years but I've always installed software ones using a combination of packet filtering usually plus application level ones using two machines. It's amazing how little people are prepared to pay for 'knowledge'... but they're MORE than prepared to spend money on something in a shiny box. Bloody amazing. And try and get them to pay for the monitoring of logs. That's a joke as well.

    Ho-hum.

    Actually I'm in the process of becoming semi-retired at the moment. Seems to be becoming more and more of a young person's profession. In the old days you could just say to the customer, "This is what you're gonna get". Now, they've read in a magazine that this shiny new box does everything AND makes the tea as well. It becomes extremely difficult to convince them that it sort of does... but sort of doesn't as well.

    Also, that THEY have a responsibility to keep their applications patched and do the other stuff, like not writing their passwords onto a little sticker which they then stick onto the damned screen.

    Actually, don't get me started.

    Ah, you already did ;)
     
  24. patrickdavila

    Computer responsibility is a whole other issue best suited for another thread. Unfortunately computer vendors are trying to sell them like appliances. The last time I checked, toasters can't get turned into spam-spewing zombies or drones used in DoS attacks. Computers, on the other hand...
     
  25. Grouchy