This is weird

Matt Kettler mkettler at evi-inc.com
Fri Jan 27 23:54:24 GMT 2006


Kevin Miller wrote:
> This morning I started directing our firewall logging to a syslog
> server.  I noticed a *whole lot* of these:
> Jan 27 10:18:34 199.58.55.6 %PIX-4-106023: Deny icmp src inside:mxg dst
> outside:66.250.40.33 (type 3, code 3) by access-group "acl_inside"


You deny ICMP port unreachable messages??? Ouch. That will hurt network
performance under error conditions. Perhaps you should rethink what ICMP codes
you're filtering on your PIX ACLs.
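
Added example, not part of the original post or the list's code: a small Python parser for the `%PIX-4-106023` ICMP deny line quoted above that tallies dropped destination-unreachable (type 3) messages per ACL and source, so the volume of filtered ICMP errors can be reviewed before changing the ACL. Every sample line except the first is constructed, and the function names are assumptions.

```python
import re
from collections import Counter

# ICMP destination-unreachable (type 3) codes, as defined in RFC 792.
UNREACH_CODES = {0: "net unreachable", 1: "host unreachable",
                 2: "protocol unreachable", 3: "port unreachable",
                 4: "fragmentation needed and DF set"}

# Matches the ICMP form of the deny message shown in the quoted log line.
DENY_ICMP = re.compile(
    r'%PIX-4-106023: Deny icmp src (?P<src_if>[^:\s]+):(?P<src>\S+) '
    r'dst (?P<dst_if>[^:\s]+):(?P<dst>\S+) '
    r'\(type (?P<type>\d+), code (?P<code>\d+)\) '
    r'by access-group "(?P<acl>[^"]+)"')

def parse_deny_icmp(line):
    """Return the fields of an ICMP deny line as a dict, or None if no match."""
    m = DENY_ICMP.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["type"], rec["code"] = int(rec["type"]), int(rec["code"])
    return rec

def summarize(lines):
    """Count denied type 3 messages keyed by (ACL, source, meaning of code)."""
    counts = Counter()
    for line in lines:
        rec = parse_deny_icmp(line)
        if rec and rec["type"] == 3:
            label = UNREACH_CODES.get(rec["code"], "code %d" % rec["code"])
            counts[(rec["acl"], rec["src"], label)] += 1
    return counts

# First line is the one quoted in the thread (unwrapped); the rest are constructed.
SAMPLE = [
    'Jan 27 10:18:34 199.58.55.6 %PIX-4-106023: Deny icmp src inside:mxg dst outside:66.250.40.33 (type 3, code 3) by access-group "acl_inside"',
    'Jan 27 10:18:35 199.58.55.6 %PIX-4-106023: Deny icmp src inside:mxg dst outside:198.51.100.20 (type 3, code 3) by access-group "acl_inside"',
    'Jan 27 10:18:36 199.58.55.6 %PIX-4-106023: Deny icmp src inside:192.0.2.10 dst outside:198.51.100.20 (type 3, code 4) by access-group "acl_inside"',
    'Jan 27 10:18:37 199.58.55.6 %PIX-4-106023: Deny icmp src inside:192.0.2.11 dst outside:198.51.100.21 (type 8, code 0) by access-group "acl_inside"',
    'Jan 27 10:18:38 199.58.55.6 %PIX-4-106023: Deny tcp src outside:198.51.100.7/4321 dst inside:192.0.2.10/25 by access-group "acl_outside"',
]

if __name__ == "__main__":
    for (acl, src, label), n in summarize(SAMPLE).most_common():
        print("%-12s %-12s %-34s %d" % (acl, src, label, n))
```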

