Network Security Firewalls

Re: Strange entries in Cisco PIX 515e

Subject: Re: Strange entries in Cisco PIX 515e
Date: Tue, 3 Jan 2006 11:45:40 -0500
On 1/1/06, Compuoso <compuoso@gmail.com> wrote:

> Would someone please tell me the overall meaning and implications of the
> following PIX command lines? I discovered them in our PIX 515e configuration
> earlier this morning. I suspect that our corporate network has been hacked.
> Thanks for your collective insight.


Do you have any access-group statements reflecting "test" or "test1"? That
is the key - you can have any number of access lists in a config, but what
matters is if they are used on an interface. It is possible to see weird
ACLs in a config as they might have been used in the capture command to
filter traffic captured.

> nameif ethernet2 intf2 security4
> access-list test permit udp host 172.17.7.10 any eq domain
> access-list test permit udp any eq domain host 172.17.7.10


This ACL allows the host 172.17.7.10 to access any UDP port 53. It also
allows any machine to send a UDP package with a source port of 53 to the
same host.


> access-list test1 permit udp host 63.176.109.161 any eq domain
> access-list test1 permit udp any eq domain host 63.176.109.161
> access-list test1 permit udp any any eq domain
> access-list test1 permit udp any eq domain any


This ACL allows the host 63.176.109.161 to access any UDP port 53. It also
allows any machine to send a UDP package with a source port of 53 to the
same host.

The 3rd line of the config for this ACL is a superset of line one - any
outside host can talk to any host protected by this ACL to udp port 53.
The 4th line of the config for this ACL is a superset of line two - any
outside host, using a source port of udp 50 can talk to any host protected
by this ACL.



> mtu intf2 1500


This is the default Ethernet MTU.


> no ip address intf2



This might be a feeble attempt to shut down this interface. The correct way
is interface ..... shutdown. I am not sure how a PIX interface will behave
if it has no ip address assigned to it, but is enabled. I tend to think it
would not forward or allow any traffic in.

Matt
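Matt's point that an access-list only matters once an access-group applies it to an interface, as an added example that is not part of the thread: a small Python audit that parses PIX 6.x access-list and access-group lines, lists ACLs that are defined but never applied, and flags permit entries on applied ACLs that match any source to any destination (the superset lines discussed above). SAMPLE_CONFIG is a constructed config modelled on the quoted lines plus an assumed access-group binding test1 to intf2; the helper names and the network/mask branch are my own.

```python
import re
# Constructed sample config, modelled on the entries quoted in the thread.
SAMPLE_CONFIG = """\
access-list test permit udp host 172.17.7.10 any eq domain
access-list test permit udp any eq domain host 172.17.7.10
access-list test1 permit udp host 63.176.109.161 any eq domain
access-list test1 permit udp any eq domain host 63.176.109.161
access-list test1 permit udp any any eq domain
access-list test1 permit udp any eq domain any
access-group test1 in interface intf2
"""
ACE_RE = re.compile(r"^access-list (\S+) (permit|deny) (\S+) (.+)$")
GROUP_RE = re.compile(r"^access-group (\S+) (in|out) interface (\S+)$")

def _endpoint(t):
    # Consume one address spec: 'any', 'host A.B.C.D', or 'network mask'.
    if t[0] == "any":
        return "any", t[1:]
    return (t[1], t[2:]) if t[0] == "host" else (f"{t[0]}/{t[1]}", t[2:])

def _port(t):
    # Consume an optional 'eq <port>' qualifier following an address spec.
    return (t[1], t[2:]) if t and t[0] == "eq" else (None, t)

def parse_ace(line):
    # Split one access-list entry into its fields; None if the line is not an ACE.
    m = ACE_RE.match(line.strip())
    if not m:
        return None
    acl, action, proto, rest = m.groups()
    src, t = _endpoint(rest.split())
    sport, t = _port(t)
    dst, t = _endpoint(t)
    dport, _ = _port(t)
    return {"acl": acl, "action": action, "proto": proto,
            "src": src, "sport": sport, "dst": dst, "dport": dport}

def audit(config_text):
    # Return (ACL names never applied via access-group, wide-open permits on applied ACLs).
    aces, bound = [], {}
    for line in config_text.splitlines():
        g = GROUP_RE.match(line.strip())
        if g:
            bound[g.group(1)] = f"{g.group(2)} on {g.group(3)}"
        elif (ace := parse_ace(line)):
            aces.append(ace)
    unbound = sorted({a["acl"] for a in aces} - set(bound))
    wide_open = [(a["acl"], bound[a["acl"]], a["sport"], a["dport"])
                 for a in aces if a["acl"] in bound and a["action"] == "permit"
                 and a["src"] == "any" and a["dst"] == "any"]
    return unbound, wide_open
```

On the sample, "test" is reported as never applied, while the two any-to-any lines of "test1" are flagged on intf2, one matching any destination port 53 and the other any source port 53.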