
Fixup protocols

moorera
Level 1

Howdy all,

My colleague and I are in debate over what to do with the fixup protocols in the PIX config. My take on the matter is if we are not using those protocols listed then we should shut them down as they pose a security risk, albeit possibly small. My colleague's take is if you shut down those fixup protocols you introduce a security hole. Neither of us is an expert on the PIX. Can anybody set us straight on this? Thanks.

Randy Moore

4 Replies

gfullage
Cisco Employee

If you don't have any of a specific protocol going through the PIX, then I can't see how enabling or disabling the fixup for that protocol is a security risk. Basically what most of the fixups do is provide some sort of upper-layer inspection of each protocol, usually so things like IP addresses stored in the data portion of the packet are NAT'd properly. Again though, if you don't have any of those protocols running then the fixup won't be doing anything.

In my opinion, I'd just leave them on since in the future you may have those protocols running and you'll need the fixup.

Thanks for the info.

Agreed, leave them on.

If you're using ESMTP, the fixup smtp can cause problems so might need to be turned off.

Thanks Shaun,

We had to do that a while back for the store and forward provider... However, at the time I didn't know why; I'll have to look up ESMTP. Thanks.

Cheers.