-Defines ports for rsh connections: (default = 514)
"fixup protocol rsh 1234"
-Dynamically opens port for rsh standard error connections
"no fixup protocol rsh"
-Outbound rsh will not work
-Inbound rsh will work if conduit (or access-list) exists
In response to: ddhmhernandez - Service Engineer, GETRONICS
>Nov 15, 2001, 2:13pm Pacific (1.1)
>I read that the default port for RSH (534) cannot be changed. If it is possible, which software version can do it?
You SHOULD NOT change the port values for RSH and SIP (Session Initiation Protocol), but you CAN change them. I am using v.6.1.1 on the PIX-520 and below is an actual configuration (see the last line).
PIX Version 6.1(1)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
fixup protocol rsh 9999
There are two channels between Client and Server:
- Client-initiated command connection (TCP)
- Server-initiated standard error connection (TCP)
The PIX will handle:
1. Inbound connections
- If outbound traffic is allowed, no special handling is required
- If outbound traffic is not allowed, open the outbound port for standard error output
2. Outbound connections
- Open inbound port for standard error output
Thanks for the answer, but I am having some problems trying to understand your answer.
In other words, if the command "fixup protocol rsh" is in the PIX configuration, does this mean:
- The port is open for access from the Internet?
- Do I need a conduit command so that someone from the Internet can access the network/intranet?
Do you have any documentation where I can read about "fixup protocol rsh" on the PIX?
Whether the port is open for access from the Internet has nothing to do with fixup commands. You need an access-list entry or conduit statement to allow RSH in.
What 'fixup protocol rsh' does is look into the packets to determine which ports should be allowed through the firewall on a temporary basis.
A client (on the internal network) opens an RSH session on port 514 with an external server. The client informs the server which port it will listen on for error messages (say port 2110). The PIX firewall picks up this information (via the fixup feature) and allows the server to send rsh error messages to the client by opening inbound traffic to port 2110 for the duration of the session.
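The two-channel behaviour described in the posts above (client-initiated command connection on TCP/514, server-initiated standard error connection back to a port the client names) can be made concrete. The block below is an added example written for this thread, not PIX code or anything from Cisco: it models what an rsh fixup has to do, namely read the stderr port out of the first client-to-server segment of the rsh command channel, record a temporary reverse pinhole for the server's connection back to the client, and drop that pinhole when the command channel closes. The on-the-wire layout it parses is the BSD rcmd one (ASCII decimal stderr port, NUL, local user, NUL, remote user, NUL, command, NUL; a port of 0 means no stderr channel). The IP addresses, user names and command are constructed sample data; the class and function names are this example's own.

```python
"""Toy model of 'fixup protocol rsh' on a stateful firewall (example code for
this thread, not PIX code). Inspects the first client->server segment on the
rsh port, extracts the client's stderr listening port, and opens a temporary
inbound pinhole for the server-initiated stderr connection."""

from dataclasses import dataclass
from typing import Dict, Optional, Tuple

RSH_PORT = 514  # the default the thread discusses; the fixup port is configurable


@dataclass(frozen=True)
class Pinhole:
    """A temporary permit: src_ip may open TCP to dst_ip:dst_port."""
    proto: str
    src_ip: str
    dst_ip: str
    dst_port: int


def build_rsh_request(stderr_port: int, locuser: str, remuser: str, command: str) -> bytes:
    """Construct the first segment an rcmd()-style client sends on the command channel."""
    return b"\x00".join([str(stderr_port).encode(), locuser.encode(),
                         remuser.encode(), command.encode()]) + b"\x00"


def parse_rsh_stderr_port(payload: bytes) -> Optional[int]:
    """Return the stderr port announced by the client, 0 if it declined a stderr
    channel, or None if the bytes are not a well-formed rsh initial segment."""
    end = payload.find(b"\x00")
    if end <= 0 or end > 5:          # 1..5 ASCII digits ("0" .. "65535")
        return None
    digits = payload[:end]
    if not digits.isdigit():
        return None
    port = int(digits)
    return port if port <= 65535 else None


def rsh_fixup(client_ip: str, server_ip: str, dst_port: int, payload: bytes) -> Optional[Pinhole]:
    """Decide whether a client->server segment calls for a reverse pinhole.
    Only traffic to the configured rsh port is inspected; a stderr port of 0
    or a malformed request opens nothing."""
    if dst_port != RSH_PORT:
        return None
    port = parse_rsh_stderr_port(payload)
    if not port:                      # None (malformed) or 0 (no stderr channel)
        return None
    # The server connects back FROM its side TO the client's announced port.
    return Pinhole("tcp", server_ip, client_ip, port)


class RshFixupTable:
    """Per-session pinholes keyed by the command channel that created them.
    Note what this does NOT do: it never permits the initial connection to
    port 514 itself. Inbound rsh still needs a conduit or access-list entry."""

    def __init__(self) -> None:
        self._pinholes: Dict[Tuple[str, int, str], Pinhole] = {}

    def on_client_data(self, client_ip: str, client_port: int, server_ip: str,
                       dst_port: int, payload: bytes) -> Optional[Pinhole]:
        ph = rsh_fixup(client_ip, server_ip, dst_port, payload)
        if ph is not None:
            self._pinholes[(client_ip, client_port, server_ip)] = ph
        return ph

    def permits(self, src_ip: str, dst_ip: str, dst_port: int) -> bool:
        """Would a new TCP connection src_ip -> dst_ip:dst_port be allowed by a pinhole?"""
        want = Pinhole("tcp", src_ip, dst_ip, dst_port)
        return any(ph == want for ph in self._pinholes.values())

    def on_command_channel_closed(self, client_ip: str, client_port: int, server_ip: str) -> None:
        """Pinhole lifetime is bound to the command connection, as the post describes."""
        self._pinholes.pop((client_ip, client_port, server_ip), None)


def demo() -> Tuple[bool, bool]:
    """Constructed session: inside client 10.1.1.5 runs rsh against outside
    server 192.0.2.10 and asks for stderr on port 2110. Returns (permitted
    while the session is up, permitted after it closes)."""
    table = RshFixupTable()
    first_segment = build_rsh_request(2110, "alice", "alice", "ls -l")
    table.on_client_data("10.1.1.5", 40000, "192.0.2.10", RSH_PORT, first_segment)
    during = table.permits("192.0.2.10", "10.1.1.5", 2110)
    table.on_command_channel_closed("10.1.1.5", 40000, "192.0.2.10")
    after = table.permits("192.0.2.10", "10.1.1.5", 2110)
    return during, after


if __name__ == "__main__":
    print(demo())
```

Running `demo()` returns `(True, False)`: the server's connection to the client's stderr port is accepted only while the command channel that announced it is alive. The same logic is what makes outbound rsh fail when `no fixup protocol rsh` is configured, since nothing then learns the stderr port and the server's reverse connection hits the default inbound deny.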
I agree on the point that the fixup protocol command tells the PIX to listen on that specified port for that specified protocol. If the port number specified, for example for FTP, is changed from the default value of 21, then the control functions don't work on port 21 anymore.
But there is a mistake in the configuration posted above by Mr. Vitaly, because the port for fixup protocol in PIX cannot be changed for "rsh" and also "sip"; this doesn't work at all. So
for rsh it should always be "fixup protocol rsh 514" and nothing else.
Please refer to the link below for further clarification regarding this and any other doubts regarding the "fixup protocol" command. I think this helps; if there is anything wrong in what I said, please enlighten me on the same, friends!