topic Re: fixup, on the PIX in Network Security

fixup, on the PIX

cmontes — Fri, 21 Feb 2020 05:54:26 GMT

What exactly does the command "fixup protocol rsh"?

Re: fixup, on the PIX

vitaliy.pindyura — Thu, 15 Nov 2001 21:23:28 GMT

-Defines ports for rsh connections: (default = 514)

"fixup protocol rsh 1234"

-Dynamically opens port for rsh standard error connections

If disabled:

"no fixup protocol rsh"

-Outbound rsh will not work

-Inbound rsh will work if conduit (or access-list) exists

Re: fixup, on the PIX

ddhmhernandez — Thu, 15 Nov 2001 22:13:01 GMT

I read that can not change the default port for RSH (534). If it is possible, what version software can do it?

Re: fixup, on the PIX

ddhmhernandez — Thu, 15 Nov 2001 23:00:51 GMT

What exactly means "dynamically", all the outbound traffic is allowed and the inbound traffic is blocked or what does it means?

Re: fixup, on the PIX

ddhmhernandez — Thu, 15 Nov 2001 23:01:50 GMT

What exactly means "dynamically", all the outbound traffic is allowed and the inbound traffic is blocked or what does it means?

Re: fixup, on the PIX

vitaliy.pindyura — Thu, 15 Nov 2001 23:17:48 GMT

In response to: ddhmhernandez - Service Engineer, GETRONICS

>Nov 15, 2001, 2:13pm Pacific (1.1)

>I read that can not change the default port for RSH (534). If it is possible, what version software can do it?

You SHOULD NOT change the port values for RSH and SIP (Session Initiation Protocol), but you CAN change it. I am using v.6.1.1 on the PIX-520 and below is an actual configuration (see the last line)

PIX Version 6.1(1)

nameif ethernet0 outside security0

nameif ethernet1 inside security100

...

fixup protocol ftp 21

fixup protocol http 80

fixup protocol h323 1720

fixup protocol rtsp 554

fixup protocol smtp 25

fixup protocol sqlnet 1521

fixup protocol sip 5060

fixup protocol skinny 2000

fixup protocol rsh 9999

...

Re: fixup, on the PIX

vitaliy.pindyura — Thu, 15 Nov 2001 23:56:10 GMT

There are two channels between Client and Server:

- Client-initiated command connection (TCP)

- Server-initiated standard error connection (TCP)

PIX will handle:

1. Inbound connections

- If outbound traffic is allowed, no special handling is required

- If outbound traffic is not allowed, open the outbound port for standard error output

2. Outbound connections

- Open inbound port for standard error output

Re: fixup, on the PIX

ddhmhernandez — Fri, 16 Nov 2001 00:26:00 GMT

Thanks for the answer, but I am having some problems trying to understand your answer.

In another words, if the command: "fixup protocol rsh" is in the PIX configuration this means:

- The port is open for access from the internet?

- Do I need a conduit command, in order that someone from internet access the network/intranet?

Do you have some documentation where I can read about "fixup protocol RSH" in the PIX ?

Re: fixup, on the PIX

rrbleeker — Thu, 22 Nov 2001 23:34:12 GMT

If the port is open for access from the Internet has nothing to do with fixup commands. You need a access-list entry or conduit statement to allow RSH in.

What 'fixup protocol rsh' does is looking into the packets to determine which ports should be allowed through the firewall on a temporarily basis.

Example:

A client (on the Internal network) opens a RSH session on port 514 with an external server. The client informs the server on which port it will listen for error messages (say port 2110). The PIX firewall picks up this information (via the fixup feature) and allow the server to send rsh error messages to the client by opening inbound traffic to port 2110 for the duration of the session.

Re: fixup, on the PIX

vipin.radhakrishnan — Fri, 23 Nov 2001 07:34:29 GMT

Hi All,

I agree on the oint that , fixup protocol command tells the PIX to listen on that specified port for that specified protocol.if the port no. specified for ex. for FTP os changed from the default value of 21 , then the control functions dont work on the port 21 anymore .

But theres a mistake on the configuration posted above by Mr. Vitaly , coz the port for fixup protocol in PIX cannot be changed for "rsh" and also "sip" ,this doesnt work at all.so

for rsh it shld always be "fixup protocol rsh 514 " and nothin else.

Please do refer to the below link for further clarifications reagdrin this and any other doubts regardin the "fixup protocol" command, i think this helps, if theres anythin wrong in what i said , please enlighten me on the same friends !!!

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_61/cmd_ref/df.htm#xtocid1116813