And don't forget that if you have 3.0B patch level 3064 or above, ports
18181, 18182, 18183, and 18184 are also open for OPSEC. This is *on* by
default. However, unlike the other ports, you must allow access to these
ports in your rulebase. The ports can be turned off by editing your
$fw-1_src_dir/conf/fwopsec.conf file.

--Keith Young / Avenger
-youngkat_private

>And what about the default of the ports 256, 257, 258 and 259 appearing on
>every interface? A little concerning, since they are not listed in the
>table of ports in the main manual. Even more concerning when I'm told
>they are for secure remote support, logging and configuration control!
>This obscurity makes one rather nervous.
>
>Cheers, Gary
>
>On Tue, 27 Oct 1998, David S. Goldberg wrote:
>
>>> So the closest thing to a warning comes not in the manuals that
>>> come with the software - but you have to pay to go on a course for
>>> this info. I may be wrong about this - if you know of any other
>>> place where this is documented please let me know.
>>
>>The "Managing Firewall-1 Using the Windows GUI" book that comes with
>>the firewall (both in hardcopy and PDF on the CD) covers this in
>>Chapter 8. In Chapter 9 (page 170 in my copy) they list in order the
>>bits a packet is matched against.
>>
>>Unfortunately, this documentation is insufficient. They don't give
>>any advice as to the implications of doing DNS and ICMP before the
>>rule base. In spite of what they might consider a complete
>>description of how it works, it's easy to miss the security implication
>>of their default settings, especially when they declare some things
>>essential, making it seem to the administrator that she'd better leave
>>the services wide open rather than handle them explicitly in the
>>rules.
>>
>>--
>>Dave Goldberg
>>Post: The Mitre Corporation\MS B305\202 Burlington Rd.\Bedford, MA 01730
>>Phone: 781-271-3887
>>Email: dsgat_private
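The thread's practical worry is that a FireWall-1 gateway accepts connections on ports 256-259 and, with the OPSEC patch level Keith mentions, 18181-18184, before the administrator's own rule base is consulted, and that the manuals don't make this obvious. The quickest way to find out what your own gateway is actually exposing is to probe it from the outside. The script below is an added example, not code from the thread or from Check Point: it does a plain TCP connect probe against those daemon ports and labels each one. The port-to-service names are an assumption taken from FW-1's default service objects (the thread itself only says "support, logging and configuration control"), and the default target 192.0.2.1 is a placeholder address, not a real host.

```python
"""Probe a FireWall-1 gateway for the TCP ports its implied rules open.

Added example; not code from the firewall-wizards thread above. The port
list covers the daemon ports discussed there (256-259 and the OPSEC ports
18181-18184). The service names are an assumption based on FW-1's default
service definitions, not something the thread states.
"""
import socket
import sys
from typing import Dict, Iterable

# Port -> FW-1 service name. ASSUMED from the product's default service
# objects; the thread only characterises them loosely.
FW1_IMPLIED_TCP_PORTS: Dict[int, str] = {
    256: "FW1 (control connections / key exchange)",
    257: "FW1_log (remote logging)",
    258: "FW1_mgmt (GUI client to management station)",
    259: "FW1_clntauth_telnet (client authentication)",
    18181: "FW1_cvp (OPSEC content vectoring)",
    18182: "FW1_ufp (OPSEC URL filtering)",
    18183: "FW1_sam (OPSEC suspicious activity monitoring)",
    18184: "FW1_lea (OPSEC log export)",
}


def probe_port(host: str, port: int, timeout: float = 2.0) -> bool:
    """Return True if a TCP connect to host:port completes the handshake.

    A completed handshake means the gateway accepted the connection ahead
    of any rule you wrote. A refusal or a timeout both return False; the
    two are not distinguished here (closed vs. filtered), only reachable
    vs. not reachable.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def scan_implied_ports(host: str,
                       ports: Iterable[int] = FW1_IMPLIED_TCP_PORTS,
                       timeout: float = 2.0) -> Dict[int, bool]:
    """Probe each port in turn and return {port: reachable}."""
    return {port: probe_port(host, port, timeout) for port in ports}


def report(results: Dict[int, bool]) -> str:
    """Render scan results as one line per port, worst news first."""
    lines = []
    for port in sorted(results, key=lambda p: (not results[p], p)):
        state = "OPEN  " if results[port] else "closed"
        name = FW1_IMPLIED_TCP_PORTS.get(port, "not an FW-1 implied-rule port")
        lines.append(f"{port:6d}/tcp  {state}  {name}")
    return "\n".join(lines)


if __name__ == "__main__":
    # Placeholder target (TEST-NET-1); pass the external address of the
    # gateway you are auditing as the first argument.
    target = sys.argv[1] if len(sys.argv) > 1 else "192.0.2.1"
    print(report(scan_implied_ports(target)))
```

Run it from a host on the untrusted side of the gateway; any port it reports OPEN is one that the implied rules (or your own rule base) let through, and for the OPSEC ports you can confirm the fix by disabling the daemon in fwopsec.conf and re-running. Note that this only covers TCP; FW-1's RDP control traffic on UDP 259 would need a separate check.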
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:21:28 PDT