Re: [logs] firewall logging and rulesets

From: Jason Haar (Jason.Haar@private)
Date: Wed Oct 22 2003 - 20:29:10 PDT

    On Wed, Oct 22, 2003 at 05:22:16PM -0400, Brian Ford wrote:
    > The other thing we did is to allow the suppression of messages based on the 
    > ID.  So if you don't like the "Built Dynamic Translation" message you can 
    > make it so your PIX never emits that message again.  And when I say never I 
    > mean until you take that line out of the configuration.  But it does 
    
    I don't want to turn this into a PIX-thread - but I will :-)
    
    This feature isn't as great as it seems. To be honest, the PIX still has a
    ways to go before its ACL support is as good as IOS. Why? Because under IOS
    you can tell an *individual* ACL whether it's going to log or not. Under the
    PIX, all you can do is log, or block logging on a "message number" - you
    can't get any finer grained.
    
    e.g. our PIX blocks TONNES of outgoing TCP port 137,139 connections: Windows
    is TERRIBLE at promiscuously throwing packets about. There is so much that
    it is causing nothing but grief on our security loggers - so I want to
    disable them. They come under rule %PIX-4-106023 - but if I disable that, I
    also lose logging of internal hosts connecting to anything else -
    such as port 135 - which implies BLASTER. 
    
    I don't want to miss seeing that, so I can't block %PIX-4-106023... :-(
    
    
    -- 
    Cheers
    
    Jason Haar
    Information Security Manager, Trimble Navigation Ltd.
    Phone: +64 3 9635 377 Fax: +64 3 9635 417
    PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
    _______________________________________________
    LogAnalysis mailing list
    LogAnalysis@private
    http://lists.shmoo.com/mailman/listinfo/loganalysis
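
One way to keep the port-135 denies visible while dropping the NetBIOS noise, without suppressing message 106023 on the PIX itself, is to filter at the syslog collector by destination port. This is an added example, not code from the thread; the field layout follows Cisco's documented 106023 deny format, and the hostname, addresses, ACL name and sample lines are constructed.

```python
import re

# Field layout of the PIX 106023 deny message (Cisco's documented format):
# Deny <proto> src <if>:<addr>/<port> dst <if>:<addr>/<port> by access-group "<acl>"
PIX_106023 = re.compile(
    r'%PIX-4-106023: Deny (?P<proto>\w+) src (?P<sif>\w+):(?P<src>[\d.]+)/(?P<sport>\d+)'
    r' dst (?P<dif>\w+):(?P<dst>[\d.]+)/(?P<dport>\d+) by access-group "(?P<acl>[^"]+)"'
)

# Destination ports treated as Windows NetBIOS chatter. Port 135 is deliberately
# left out so that inside hosts scanning for 135 (Blaster-style) still get logged.
NOISY_PORTS = {137, 139}

def parse_106023(line):
    """Return the deny fields as a dict, or None if the line is not a 106023 deny."""
    m = PIX_106023.search(line)
    if not m:
        return None
    fields = m.groupdict()
    fields["sport"] = int(fields["sport"])
    fields["dport"] = int(fields["dport"])
    return fields

def is_netbios_noise(fields):
    """True only for TCP denies from the inside interface to 137/139."""
    return (fields is not None and fields["proto"].lower() == "tcp"
            and fields["sif"] == "inside" and fields["dport"] in NOISY_PORTS)

def filter_pix_log(lines):
    """Drop inside->137/139 TCP denies; pass every other line through untouched."""
    return [line for line in lines if not is_netbios_noise(parse_106023(line))]

# Constructed sample lines (hostname, addresses and ACL name are invented).
SAMPLE_LOG = [
    'Oct 22 20:10:01 fw1 %PIX-4-106023: Deny tcp src inside:10.1.2.3/1025 dst outside:198.51.100.7/137 by access-group "outbound"',
    'Oct 22 20:10:02 fw1 %PIX-4-106023: Deny tcp src inside:10.1.2.3/1026 dst outside:198.51.100.7/139 by access-group "outbound"',
    'Oct 22 20:10:03 fw1 %PIX-4-106023: Deny tcp src inside:10.1.2.9/1027 dst outside:198.51.100.7/135 by access-group "outbound"',
    'Oct 22 20:10:04 fw1 %PIX-4-106023: Deny udp src inside:10.1.2.3/137 dst outside:198.51.100.7/137 by access-group "outbound"',
    'Oct 22 20:10:05 fw1 %PIX-6-302013: Built outbound TCP connection 4711 for outside:198.51.100.9/80',
]

if __name__ == "__main__":
    for kept in filter_pix_log(SAMPLE_LOG):
        print(kept)
```

Only the two TCP 137/139 denies are dropped; the port-135 deny, the UDP/137 deny and the unrelated 302013 line all survive.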
    