05-13-2003 10:51 PM - edited 02-20-2020 10:44 PM
Hi,
We have a PIX 520 firewall with 3 NICs. We receive advertisements on computers in the inside and DMZ network. It uses the Windows Messenger service and is sent to our network address. It will appear on computers randomly. How can we block this?
Please note that we use the following NAT commands to NAT complete network on inside and DMZ.
nat (inside) 1 192.168.10.0 255.255.255.0 0 0
nat (dmz) 1 192.168.11.0 255.255.255.0 0 0
05-19-2003 11:22 AM
You can use the filter command option in PIX to stop Java applets. For all options of the filter command, please use the URL given below
05-19-2003 12:07 PM
Could you post your whole config minus the password lines? I don't think this problem has anything to do with java blocking
05-19-2003 09:36 PM
Hi, Thanks for the reply.
Please find below the whole config of our PIX firewall;
===========================================
PIX Version 4.2(4)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
hostname pix
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol sqlnet 1521
no fixup protocol smtp 25
names
no failover
failover timeout 0:00:00
failover ip address outside 0.0.0.0
failover ip address inside 0.0.0.0
failover ip address dmz 0.0.0.0
pager lines 24
no logging console
no logging monitor
no logging buffered
logging trap warnings
logging facility 20
logging host inside 192.168.2.49
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
ip address outside 196.200.200.196 255.255.255.192
ip address inside 192.168.2.1 255.255.255.0
ip address dmz 192.168.1.1 255.255.255.0
arp timeout 14400
global (outside) 1 196.200.200.225
global (outside) 1 196.200.200.226-196.200.200.246
nat (inside) 1 192.168.2.0 255.255.255.0 0 0
nat (dmz) 1 192.168.1.0 255.255.255.0 0 0
static (inside,outside) 196.200.200.248 192.168.2.32 netmask 255.255.255.255 0 0
static (inside,outside) 196.200.200.250 192.168.2.36 netmask 255.255.255.255 0 0
static (inside,outside) 196.200.200.251 192.168.2.43 netmask 255.255.255.255 0 0
static (inside,outside) 196.200.200.252 192.168.2.49 netmask 255.255.255.255 0 0
static (inside,dmz) 192.168.2.0 192.168.2.0 netmask 255.255.255.0 0 0
static (inside,outside) 196.200.200.247 192.168.2.3 netmask 255.255.255.255 0 0
static (dmz,outside) 196.200.200.197 192.168.1.5 netmask 255.255.255.255 0 0
conduit permit tcp host 196.200.200.247 eq smtp any
conduit permit tcp host 196.200.200.247 eq pop3 any
conduit permit tcp any host 192.168.1.5
conduit permit udp any host 192.168.1.5
conduit permit tcp host 196.200.200.197 eq 443 any
conduit permit tcp host 196.200.200.197 eq www any
conduit permit tcp host 196.200.200.247 eq 443 any
conduit permit tcp host 196.200.200.247 eq www any
no rip outside passive
no rip outside default
no rip inside passive
no rip inside default
no rip dmz passive
no rip dmz default
route outside 0.0.0.0 0.0.0.0 196.200.200.193 1
timeout xlate 3:00:00 conn 1:00:00 udp 0:02:00
timeout rpc 0:10:00 h323 0:05:00
timeout uauth 0:05:00 absolute
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
telnet timeout 5
mtu outside 1500
mtu inside 1500
mtu dmz 1500
floodguard 1
=======================================
05-20-2003 05:01 AM
You are allowing all TCP and UDP traffic into the x.x.1.5 DMZ host. That explains why that host is getting netbios based popups.
Why do you allow all that traffic into that host? Is that DMZ host multihomed into the private network?
Are all the popups identical? I cannot see anything that explains how internal machines would be getting them, unless the DMZ host is multihomed into the inside subnet. Are you sure the inside machines with pop ups aren't getting http based popups?
What program are you using to confirm where they are coming from? netstat -a ?
05-20-2003 07:05 AM
Thanks very much for your reply.
You are referring to the following commands, right?
conduit permit tcp any host 192.168.1.5
conduit permit udp any host 192.168.1.5
In fact I am permitting TCP and UDP traffic from 192.168.1.5 to any host, isn't that right? I want to allow TCP and UDP traffic from 192.168.1.5 to the internal network, that's why I have used that command. Do you think it is wrong to use that command?
This 192.168.1.5 host is not a multihomed server. Not only that, this server is temporarily down for a month or so. Even then we get the advertisements on PCs (randomly) located in the inside network.
The title bar of the advertisement window displays " Messenger service", I am not sure if it uses http pop ups.
Please reply.
Thanks
Jai
05-20-2003 08:21 AM
That's right, sorry about that. It has been a while since I have worked with conduits.
It is possible that someone could be spoofing the packets with the source address of 129.168.1.5, and thus getting through the firewall.
When you see these popups, does everyone get them at the same time? Or does each user get them randomly?
05-27-2003 11:07 AM
The SPAM that you are receiving is coming from the Windows Messenger Service (not to be confused with MSN Messenger), which by default is turned on on every Windows machine. If you have NT, 2000, or XP you can disable the service. This would require touching every box, though. If you have 95, 98 or ME you cannot turn off the Windows Messenger Service.
However, if you wish to block them altogether, you need to block inbound UDP traffic on ports 135, 137-139, and 445, all of which can be and are used by the Messenger service. While I am not versed enough in PIX firewalling to tell you the commands to block each one, I'm sure that with that knowledge, you or someone else on here can figure it out. Good Luck!
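The thread turns on two points: the conduit format puts the global (destination) address first and the foreign (source) address second, so `conduit permit udp any host 192.168.1.5` lets that one source address reach any address on all UDP ports, and the Messenger Service popups ride on UDP 135, 137-139 and 445. The following audit script is an added example written for this page, not code from the thread or from Cisco; it parses the conduit lines exactly as posted above and flags the ones a reviewer would want to look at. The port-name mapping (smtp, pop3, www, https to their IANA numbers) is an assumption about how PIX resolves service names, not something the thread states.

```python
import re
from dataclasses import dataclass
from typing import Optional

# UDP ports the last reply names as carriers of Windows Messenger Service popups.
MESSENGER_UDP_PORTS = {135, 137, 138, 139, 445}

# Service names used in the posted config. Assumption: PIX resolves them to the
# standard IANA numbers.
PORT_NAMES = {"smtp": 25, "pop3": 110, "www": 80, "http": 80, "https": 443}

# conduit permit <proto> <global/destination> [eq <port>] <foreign/source> [eq <port>]
# First address = destination on the higher-security side, second = source of
# the connection on the lower-security side (the point settled in the thread).
CONDUIT_RE = re.compile(
    r"^conduit\s+permit\s+(?P<proto>tcp|udp|ip|icmp)\s+"
    r"(?P<dst>any|host\s+\S+)(?:\s+eq\s+(?P<dport>\S+))?\s+"
    r"(?P<src>any|host\s+\S+)(?:\s+eq\s+(?P<sport>\S+))?\s*$"
)

# The conduit lines from the config posted in this thread, used as sample input.
POSTED_CONDUITS = """
conduit permit tcp host 196.200.200.247 eq smtp any
conduit permit tcp host 196.200.200.247 eq pop3 any
conduit permit tcp any host 192.168.1.5
conduit permit udp any host 192.168.1.5
conduit permit tcp host 196.200.200.197 eq 443 any
conduit permit tcp host 196.200.200.197 eq www any
conduit permit tcp host 196.200.200.247 eq 443 any
conduit permit tcp host 196.200.200.247 eq www any
"""


@dataclass
class Conduit:
    proto: str
    dst: str               # "any" or an address
    dport: Optional[int]   # None means every port
    src: str               # "any" or an address
    raw: str


def _port(token: Optional[str]) -> Optional[int]:
    if token is None:
        return None
    return int(token) if token.isdigit() else PORT_NAMES[token]


def _addr(token: str) -> str:
    return "any" if token == "any" else token.split()[1]


def parse_conduits(config_text: str) -> list:
    """Extract the conduit permit lines from a PIX config dump."""
    conduits = []
    for line in config_text.splitlines():
        m = CONDUIT_RE.match(line.strip())
        if m:
            conduits.append(Conduit(m["proto"], _addr(m["dst"]), _port(m["dport"]),
                                    _addr(m["src"]), line.strip()))
    return conduits


def audit(config_text: str) -> list:
    """Return (conduit line, finding) pairs for rules that deserve review."""
    findings = []
    for c in parse_conduits(config_text):
        if c.dst == "any" and c.dport is None:
            # Only the source address gates this rule; a source address can be spoofed,
            # which is the risk the 05-20-2003 08:21 AM reply points out.
            findings.append((c.raw, f"{c.proto} from {c.src} to any address on every port; "
                                    "gated by source address alone"))
        if c.src == "any" and c.dport is None:
            findings.append((c.raw, f"{c.proto} from any source to {c.dst} on every port"))
        if c.proto in ("udp", "ip") and (c.dport is None or c.dport in MESSENGER_UDP_PORTS):
            findings.append((c.raw, "reaches Messenger Service UDP ports 135/137-139/445"))
    return findings


if __name__ == "__main__":
    for raw, finding in audit(POSTED_CONDUITS):
        print(f"{raw}\n    -> {finding}")
```

Run against the posted config, the script reports only the two `any host 192.168.1.5` conduits; the TCP rules pinned to a single destination host and port produce no findings. Blocking the Messenger ports on the inside interface would still be needed for popups that arrive over a path no conduit governs, which is what the last reply recommends.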