Hello, following a configuration change I recently made on the PIX firewall, ports that in my view should not be open appear open across my entire IP block, including the PIX itself. Below is the output from a simple port scanner:

+ X.X.X.2
|___ 21 File Transfer Protocol [Control]
|___ 80 World Wide Web HTTP
|___ HTTP/1.1 200 OK..Server: Microsoft-IIS/5.0..
|___ 389 Lightweight Directory Access Protocol
|___ 1720 h323hostcall
+ X.X.X.3
|___ 21 File Transfer Protocol [Control]
|___ 389 Lightweight Directory Access Protocol
|___ 1720 h323hostcall
+ X.X.X.4
|___ 21 File Transfer Protocol [Control]
|___ 389 Lightweight Directory Access Protocol
|___ 1720 h323hostcall
+ X.X.X.5
|___ 21 File Transfer Protocol [Control]
|___ 389 Lightweight Directory Access Protocol
|___ 1720 h323hostcall
+ X.X.X.6
|___ 21 File Transfer Protocol [Control]
|___ 389 Lightweight Directory Access Protocol
|___ 1720 h323hostcall
+ X.X.X.7
|___ 21 File Transfer Protocol [Control]
|___ 389 Lightweight Directory Access Protocol
|___ 1720 h323hostcall
wall# sh conf
: Saved
:
PIX Version 6.0(1)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security10
enable password WVzs6/AKShXo/RmW encrypted
passwd WVzs6/AKShXo/RmW encrypted
hostname wall
domain-name ciscopix.com
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
access-list smtp permit tcp any host X.X.X.2 eq www
access-list smtp permit tcp any host X.X.X.2 eq smtp
access-list smtp permit tcp any host X.X.X.2 eq pop3
access-list smtp permit icmp host X.X.X.2 any
access-list smtp permit icmp host X.X.X.2 any echo
access-list smtp permit icmp host X.X.X.2 any echo-reply
access-list smtp permit icmp host X.X.X.2 any unreachable
access-list smtp permit icmp host X.X.X.2 any time-exceeded
access-list smtp permit icmp any host X.X.X.2 echo-reply
access-list smtp permit icmp any host X.X.X.2 echo
access-list smtp permit icmp any host X.X.X.2 unreachable
pager lines 24
logging on
logging trap notifications
logging history notifications
logging host dmz X.X.X.3 6/1468
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
mtu outside 1500
mtu inside 1500
mtu dmz 1500
#
#
#
#....

The web server is on the "dmz" leg, and the last change I made was placing a Syslog server next to my web server and exposing it to the internet with the "static" command.

Does anyone have any ideas?
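As an added example, not part of the original post, the following Python script checks the kind of discrepancy described above: it parses the scanner output format shown (`+ host` lines followed by `|___ port service` lines, banner lines ignored) and the `access-list ... permit tcp any host ... eq ...` lines from the `sh conf` output, then lists every host/port pair that is visible in the scan but not permitted by the access-list. The sample inputs are constructed from the post; the table of Cisco service keywords is a small subset assuming the standard port numbers, and the script assumes the access-list represents the intended inbound policy, since the `access-group` binding is not in the truncated config.

```python
import re
from collections import defaultdict

# Constructed sample input in the scanner's output format from the post.
SCAN_OUTPUT = """\
+ X.X.X.2
|___ 21 File Transfer Protocol [Control]
|___ 80 World Wide Web HTTP
|___ HTTP/1.1 200 OK..Server: Microsoft-IIS/5.0..
|___ 389 Lightweight Directory Access Protocol
|___ 1720 h323hostcall
+ X.X.X.3
|___ 21 File Transfer Protocol [Control]
|___ 389 Lightweight Directory Access Protocol
|___ 1720 h323hostcall
"""

# Constructed sample: the access-list lines copied from the post's "sh conf".
PIX_CONFIG = """\
access-list smtp permit tcp any host X.X.X.2 eq www
access-list smtp permit tcp any host X.X.X.2 eq smtp
access-list smtp permit tcp any host X.X.X.2 eq pop3
access-list smtp permit icmp host X.X.X.2 any
"""

# Subset of Cisco service keywords usable after "eq" (assumed standard ports).
PIX_PORT_NAMES = {
    "www": 80, "http": 80, "smtp": 25, "pop3": 110, "ftp": 21,
    "ldap": 389, "h323": 1720, "https": 443, "domain": 53,
    "ssh": 22, "telnet": 23,
}

HOST_RE = re.compile(r"^\+\s+(\S+)\s*$")
PORT_RE = re.compile(r"^\|___\s+(\d{1,5})\s+(.*)$")
ACL_TCP_RE = re.compile(
    r"^access-list\s+(\S+)\s+permit\s+tcp\s+any\s+host\s+(\S+)\s+eq\s+(\S+)\s*$"
)


def parse_scan(text):
    """Return {host: {port: service}} from scanner output.

    Banner lines such as 'HTTP/1.1 200 OK' do not start with a port
    number, so they fail PORT_RE and are ignored.
    """
    result = defaultdict(dict)
    host = None
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:
            host = m.group(1)
            result.setdefault(host, {})
            continue
        m = PORT_RE.match(line)
        if m and host is not None:
            result[host][int(m.group(1))] = m.group(2).strip()
    return dict(result)


def parse_acl_tcp(text):
    """Return {host: set(ports)} of TCP ports permitted from 'any' by the ACL.

    Numeric ports are used as-is; keyword ports are resolved through
    PIX_PORT_NAMES, and unknown keywords raise so they are not silently lost.
    """
    allowed = defaultdict(set)
    for line in text.splitlines():
        m = ACL_TCP_RE.match(line.strip())
        if not m:
            continue  # icmp/udp lines and non-ACL lines are not in scope here
        _, host, port = m.groups()
        if port.isdigit():
            allowed[host].add(int(port))
        elif port in PIX_PORT_NAMES:
            allowed[host].add(PIX_PORT_NAMES[port])
        else:
            raise ValueError(f"unknown service keyword in ACL: {port}")
    return dict(allowed)


def unexpected_exposure(scan, allowed):
    """Return sorted (host, port, service) tuples that the scan shows open
    but the access-list does not permit: the policy-vs-reality drift."""
    findings = []
    for host, ports in scan.items():
        for port, service in ports.items():
            if port not in allowed.get(host, set()):
                findings.append((host, port, service))
    return sorted(findings)


if __name__ == "__main__":
    scan = parse_scan(SCAN_OUTPUT)
    allowed = parse_acl_tcp(PIX_CONFIG)
    for host, port, service in unexpected_exposure(scan, allowed):
        print(f"{host}:{port} ({service}) open but not permitted by access-list")
```

Run against the constructed sample it reports 21, 389 and 1720 on both hosts, which matches the post's complaint: only 80 on X.X.X.2 is covered by the access-list. On a real device the same check can be re-run after each change to confirm that what the scanner sees still matches what the ACL was meant to allow.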