[c-nsp] PIX error using fixup smtp
Gert Doering
gert at greenie.muc.de
Sat Nov 13 07:18:13 EST 2004
Hi,
On Fri, Nov 12, 2004 at 05:47:08PM -0600, Brian Feeny wrote:
> That's like putting an ACL on your Serial interface that says "permit
> tcp only" and then complaining that it breaks udp.
Well. Point taken.
> When you put "fixup protocol smtp" on the PIX, you're putting a filter on
> that port, a filter that is only going to allow SMTP commands. Since
> ESMTP is not SMTP, they will not be allowed. Some people think that
> its job is just to inspect SMTP commands, but in reality it's a filter
> and will only allow SMTP.
Well. That's a design decision, of course.
But I still find it questionable - while it may be documented that it's
"restricting things on port 25 to plain SMTP", I still want to ask
"is that a useful thing to do, 9 years after the standardization of
ESMTP"?
Overly eager firewalls *hurt* - I field "fixup smtp" in the same bin
as "deny icmp any any". It might cause a warm and fuzzy feeling, but
takes away useful functionality.
(Note that I'm not trying to attack anybody, just trying to explain my
feelings about this)
gert
--
USENET is *not* the non-clickable part of WWW!
//www.muc.de/~gert/
Gert Doering - Munich, Germany gert at greenie.muc.de
fax: +49-89-35655025 gert at net.informatik.tu-muenchen.de