Fixups

Fixups are the PIX's application-layer inspection features. They are used to make protocols that open secondary connections, such as FTP with its separate data channel, work through the firewall. They are also used to make protocols more secure. For example, the SMTP fixup limits the commands that can be run through the PIX within an SMTP session.

To illustrate one of the common fixup applications, I've connected through a PIX firewall to a mail server using telnet. The PIX firewall is not running the SMTP fixup. When I issue the SMTP command EHLO someserver, I get a list of information regarding the capabilities of the mail server:

[GAD@someserver GAD]$telnet mail.myserver.net 25
Trying 10.10.10.10...
Connected to mail.myserver.net.
Escape character is '^]'.
220 mail.myserver.net ESMTP Postfix
EHLO someserver
250-mail.myserver.net
250-PIPELINING
250-SIZE 10240000
250-ETRN
250 8BITMIME

This information is not necessary for the successful transfer of email, and it is useful to an attacker: it reveals the mail software and the extensions it supports. For example, ETRN (the remote queue processing command defined in RFC 1985) tells the server to start delivering whatever mail it holds queued for a named domain, and an attacker can issue it to force queue runs or confirm which domains the server relays for. The SMTP fixup (Cisco calls it Mail Guard) permits only the minimal RFC 821 command set, HELO, MAIL, RCPT, DATA, RSET, NOOP and QUIT, and answers anything else, EHLO and ETRN included, with an error reply instead of passing it to the server.

Tip

ETRN is a very useful feature of SMTP: an ISP can hold mail for you while your email server is unavailable, and when the server comes back you send ETRN to have the queued mail delivered. If you need to use ETRN, you will have to disable the SMTP fixup on your PIX firewall.

I'll enable the fixup on the firewall now, using the fixup command. I must specify the protocol and the port on which the protocol listens (in this case, port 25):

PIX(config)#fixup protocol ...
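To make the effect of the fixup concrete, here is an added example (my own code, not from the book or from Cisco) that emulates what the SMTP fixup does to a session: it lets the minimal RFC 821 commands through, answers everything else itself with a 500 reply, and masks the server banner. The scripted client commands are the ones from the telnet session above plus an ETRN; the server replies, the exact wording of the rejection reply, and the asterisk masking format are constructed for the demo and are assumptions, not captured PIX output.

```python
# Added example: emulate the PIX SMTP fixup (Mail Guard) over a scripted session.
# Assumptions: the 500 reply text, the banner masking format, and the fake
# server's replies are all constructed here, not captured from a real PIX.

ALLOWED = {"HELO", "MAIL", "RCPT", "DATA", "RSET", "NOOP", "QUIT"}  # RFC 821 minimum set


def mask_banner(banner: str) -> str:
    """Keep the 220 reply code, replace the rest of the banner with asterisks."""
    code, _, rest = banner.partition(" ")
    return f"{code} {'*' * len(rest)}"


def inspect_command(line: str):
    """Classify one client command line.

    Returns ("forward", line) when the verb is in the permitted set, otherwise
    ("reject", reply) where reply is what the fixup sends on the server's behalf.
    """
    verb = line.strip().split(" ", 1)[0].upper() if line.strip() else ""
    if verb in ALLOWED:
        return "forward", line
    return "reject", "500 command unrecognized"


# Constructed fake mail server: verb -> reply it would give if the command reached it.
FAKE_SERVER = {
    "EHLO": "250-mail.myserver.net\r\n250-PIPELINING\r\n250-SIZE 10240000\r\n250-ETRN\r\n250 8BITMIME",
    "HELO": "250 mail.myserver.net",
    "ETRN": "250 Queuing started",
    "MAIL": "250 Ok",
    "RCPT": "250 Ok",
    "QUIT": "221 Bye",
}


def run_session(client_lines, fixup_enabled=True):
    """Drive the scripted client through the (optional) fixup and return the transcript.

    Each transcript entry is (client_line, reply, source) where source is
    "server" when the command reached the fake server and "fixup" when the
    fixup answered it instead.
    """
    banner = "220 mail.myserver.net ESMTP Postfix"
    transcript = [("", mask_banner(banner) if fixup_enabled else banner, "server")]
    for line in client_lines:
        verdict, payload = inspect_command(line) if fixup_enabled else ("forward", line)
        if verdict == "reject":
            transcript.append((line, payload, "fixup"))
            continue
        verb = payload.split(" ", 1)[0].upper()
        transcript.append((line, FAKE_SERVER.get(verb, "502 Command not implemented"), "server"))
    return transcript


def commands_that_reached_server(client_lines, fixup_enabled=True):
    """Convenience view: which client verbs actually got through to the server."""
    return [
        entry[0].split(" ", 1)[0].upper()
        for entry in run_session(client_lines, fixup_enabled)[1:]
        if entry[2] == "server"
    ]


if __name__ == "__main__":
    # Constructed client script: the EHLO from the telnet session, then an ETRN probe,
    # then a normal delivery that must keep working with the fixup in place.
    script = ["EHLO someserver", "ETRN myserver.net", "HELO someserver",
              "MAIL FROM:<gad@someserver>", "RCPT TO:<user@myserver.net>", "QUIT"]
    for enabled in (False, True):
        print(f"--- fixup {'enabled' if enabled else 'disabled'} ---")
        for client, reply, source in run_session(script, enabled):
            if client:
                print(f"C: {client}")
            print(f"S ({source}): {reply}")
```

With the fixup disabled the ETRN is accepted and the EHLO extension list appears; with it enabled both are answered by the fixup itself and only HELO, MAIL, RCPT and QUIT reach the server, which is why a server that needs ETRN cannot sit behind this fixup.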
