Indeed! The dest-ip option would only be used in certain circumstances, and generally to protect the whole (firewall) at the sacrifice of a few (a single rule).

If you are referring to ScreenOS 4.0 I'd wait until 4.0.0r4 comes out. It will fix another vulnerability as well as a few bugs. It should be out any day now.

Stability? It probably depends on your platform... I'm fairly comfortable with it, and if there's a problem you can always report it and usually bug fixes are pretty quick.

Cheers,
-- steve

-----Original Message-----
From: Philip J. Koenig [mailto:pjklistat_private]
Sent: Wednesday, October 16, 2002 8:05 PM
To: Firewall-wizardsat_private
Cc: Stephen Gill
Subject: RE: CERT vulnerability note VU# 539363

On 16 Oct 2002 at 17:00, Stephen Gill boldly uttered:

> In V4.0 the syntax has changed somewhat for the aforementioned command,
> though the concept still applies...
>
> set zone <zone> screen limit-session source-ip-based <threshold>
>
> I've requested something like
>
> set zone <zone> screen limit-session dest-ip-based <threshold>
>
> but I've not seen it in code yet. If I'm not mistaken I believe CP has
> added the ability to do both recently.
>
> -- steve

OK, but the nice thing about the source-based rule is it's not very likely to drop legitimate traffic (unless you misconfigure it without any sense of your normal traffic profile), whereas a destination-based rule could easily cause that problem, particularly for public servers.

On a slightly off-topic note - do you find ScreenOS stable? I avoided it for stability reasons at a newly-deployed site but it would have been convenient to start off with it because when the time comes to upgrade it looks like I'll have to re-architect lots of the rules to adapt to its new syntax.

--
Philip J. Koenig
pjklistat_private
Electric Kahuna Systems -- Computers & Communications for the New Millenium

_______________________________________________
firewall-wizards mailing list
firewall-wizardsat_private
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
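The trade-off discussed in this thread between source-ip-based and dest-ip-based session limits, as an added simulation that is not part of the thread and not ScreenOS code: it assumes a simplified screen where each key (source or destination address) may hold at most `threshold` sessions, sessions never close during the flood, and the traffic and addresses are constructed sample data.

```python
from collections import defaultdict

# Constructed sample traffic: one flooding source opens 50 sessions to a
# public server, then 20 legitimate clients open 2 sessions each to it.
# Addresses come from RFC 5737 documentation ranges, not real hosts.
SERVER = "198.51.100.10"
FLOOD_SRC = "203.0.113.9"
LEGIT_SRCS = [f"192.0.2.{i}" for i in range(1, 21)]
TRAFFIC = [(FLOOD_SRC, SERVER)] * 50 + [(s, SERVER) for s in LEGIT_SRCS for _ in range(2)]


def apply_session_screen(sessions, mode, threshold):
    """Simplified model of a session-limit screen (assumption, not ScreenOS logic).

    mode is "source-ip-based" (count sessions per source address) or
    "dest-ip-based" (count sessions per destination address). A new session
    is dropped once its key already holds `threshold` sessions; sessions are
    assumed never to close, which models a flood at its peak.
    Returns (allowed, dropped) as lists of (src, dst) tuples.
    """
    if mode not in ("source-ip-based", "dest-ip-based"):
        raise ValueError(f"unknown mode: {mode}")
    counts = defaultdict(int)
    allowed, dropped = [], []
    for src, dst in sessions:
        key = src if mode == "source-ip-based" else dst
        if counts[key] >= threshold:
            dropped.append((src, dst))
        else:
            counts[key] += 1
            allowed.append((src, dst))
    return allowed, dropped


def collateral_damage(mode, threshold=10, traffic=TRAFFIC, legit=LEGIT_SRCS):
    """Return (flood sessions dropped, legitimate sessions dropped) for a mode."""
    legit = set(legit)
    _, dropped = apply_session_screen(traffic, mode, threshold)
    flood_dropped = sum(1 for src, _ in dropped if src not in legit)
    legit_dropped = sum(1 for src, _ in dropped if src in legit)
    return flood_dropped, legit_dropped


if __name__ == "__main__":
    for mode in ("source-ip-based", "dest-ip-based"):
        flood, legit = collateral_damage(mode)
        print(f"{mode:16s} dropped {flood} flood sessions, {legit} legitimate sessions")
```

With the same threshold both modes shed the same 40 flood sessions, but the destination-keyed limit also drops every legitimate session to the public server once the flood has filled its bucket, which is the collateral damage the thread warns about.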
This archive was generated by hypermail 2b30 : Thu Oct 17 2002 - 06:12:19 PDT