Firewall Wizards (firewall-wizards) Mailing List

Re: ECHO Protocol

Wed, 02 Jul 2008 10:08:49 -0400

Posted by Tim Donahue on Jul 02

Quoting peng liu <cleverpigboy_at_gmail.com>:

> OK. This is the tricky part since ICMP is built basd on IP protocol and it
> works on thesame layer as TCP/UDP. Then why my local services file contains:
>
> echo 7/tcp
> echo 7/udp

This...

Scheduling PIX commands

Thu, 03 Jul 2008 15:22:49 +0100

Posted by Ian Rarity on Jul 03

Hi all,

We've just made some changes to our PIX config, and we need to clear
the xlates to make the changes fully live. The only problem with this
is that we also have another system that will react badly (to put it
mildly) to the state of all its connections disappearing when we do
this....

FW: ECHO Protocol

Thu, 3 Jul 2008 11:13:13 -0500

Posted by David Hurst on Jul 3

The "echo" service referred to in the local services file is an old Unix
service typically implemented directly in inetd. It listens on port 7 and
echos back any data sent to it. Typically, the echo service should be
turned off because it performs no useful service and is a...

Re: ECHO Protocol

Wed, 2 Jul 2008 10:53:44 +0530

Posted by Secure Scorp on Jul 2

I agree with Paul, no real substitute for actual verification ! however this
would be ICMP Code 0 Type 8 packet.

Thanks,
Aditya Govind Mukadam

On Mon, Jun 30, 2008 at 6:31 PM, Paul D. Robertson <paul_at_compuwar.net>
wrote:

> On Thu, 26 Jun 2008, peng liu wrote:
>
>...

Re: ECHO Protocol

Mon, 30 Jun 2008 16:21:50 +0300

Posted by Haim Howard Roman on Jun 30

In ICMP terminology, "echo" is what we normally call "ping". So "uses
ECHO protocol" might just be another way of saying that it uses ICMP.
See
...

Re: need opinion of security experts on network design

Mon, 30 Jun 2008 15:38:41 +0200

Posted by Patrick M. Hausen on Jun 30

Hello,

Sorry for answering myself, but this needs to be corrected:

On Wed, Jun 25, 2008 at 06:49:17PM +0200, Patrick M. Hausen wrote:
> If you can guarantee that each floor will stay a separate collision
> domain, then I would use separate LANs, i.e. Layer 2 switches for
> the...

Re: Firewall Sizing?

Mon, 30 Jun 2008 15:49:53 +0200

Posted by Patrick M. Hausen on Jun 30

Hello,

On Thu, Jun 26, 2008 at 06:58:48PM +0100, Paul Hutchings wrote:

> In our case I suspect we're a bit of an oddity, as we have a fat internet
> pipe and a few hundred users, but not all have full internet access and
> there's very little in the way of concurrent access (I...

Re: Firewall Sizing?

Mon, 30 Jun 2008 12:02:56 -0500

Posted by Marcin Antkiewicz on Jun 30

On Thu, Jun 26, 2008 at 12:58 PM, Paul Hutchings <PAUL_at_spamcop.net> wrote:

> How do you go about sizing a firewall?
>

Depends on what work the firewall will do - VPN and protocol inspection will
take CPU, packet filtering not so much.

Here is ASA 5505, some of the traffic...

Re: ECHO Protocol

Tue, 1 Jul 2008 11:12:09 +0800

Posted by peng liu on Jul 1

OK. This is the tricky part since ICMP is built basd on IP protocol and it
works on thesame layer as TCP/UDP. Then why my local services file contains:

echo 7/tcp
echo 7/udp

So the echo here is different than the Echo, Echo-reply protocol we are
talking here?

...

Re: ECHO Protocol

Mon, 30 Jun 2008 09:01:17 -0400 (EDT)

Posted by Paul D. Robertson on Jun 30

On Thu, 26 Jun 2008, peng liu wrote:

> So my question is which protocol is actually used by PING command in
> Windows?

There is no real substitute for actual verification:

http://www.wireshark.org/

Paul
-----------------------------------------------------------------------------
...

Firewall Sizing?

Thu, 26 Jun 2008 18:58:48 +0100

Posted by Paul Hutchings on Jun 26

How do you go about sizing a firewall?

I ask both generally and specifically. Right now I need to replace
an existing ISA server, and top of the list is a Secure Computing
Sidewinder (those Palo Alto boxes look nice but they're just too much
$$$ to go beyond looking at the features on...

Re: easy way to scan for issues with path mtu discovery?

Wed, 25 Jun 2008 13:46:22 -0400

Posted by kevin horvath on Jun 25

Patrick,

If you think you are having this type of issue you can try to run a
tcptraceroute on a port that is allowed to the destination (such as 80
for a web server). This is will obviously give you the hops along
path to your destination. Then you can try using the following
command to...

Re: need opinion of security experts on network design

Wed, 25 Jun 2008 18:49:17 +0200

Posted by Patrick M. Hausen on Jun 25

Hello,

> 1-each floor is a separate VLAN

If you can guarantee that each floor will stay a separate collision
domain, then I would use separate LANs, i.e. Layer 2 switches for
the floors.

> 2-all switches in the floors are layer 3 switches (no layer 2 switches at all)

Why? Nothing in...

Re: easy way to scan for issues with path mtu discovery?

Wed, 25 Jun 2008 18:39:24 +0200

Posted by Patrick M. Hausen on Jun 25

Hello,

> Does anyone know of an easy way to scan for issues with path mtu
> discovery along a hop path? E.g. if you think someone is black-holing
> along a route, or even on the endpoint host, could you use some obscure
> nmap flag to find out for sure, and also to identify the...

Re: easy way to scan for issues with path mtu discovery?

Wed, 25 Jun 2008 16:37:10 -0500

Posted by Marcin Antkiewicz on Jun 25

> Does anyone know of an easy way to scan for issues with path mtu discovery
> along a hop path? E.g. if you think someone is black-holing along a route,
> or even on the endpoint host, could you use some obscure nmap flag to find
> out for sure, and also to identify the offending...