Pix 515 and opening ports

Oct 3, 2001
Hello all,
I have a PIX 515 and I need to open some ports to an IP address so a remote Unix admin can get to the box.
He asks specifically for port 22 (ssh) and port 873 (rsync) to be opened.
Currently I have a port opened for SMTP for the IP address:
conduit permit tcp host xxx.xxx.xxx.xxx eq smtp any

How do I open the other 2 ports?

Any help would be greatly appreciated.

Thanks
 
conduit permit tcp host xxx.xxx.xxx.xxx eq 22 any
conduit permit tcp host xxx.xxx.xxx.xxx eq 873 any

-gbiello
 
Thanks,
Would I need to do a:
conduit permit udp host xxx.xxx.xxx.xxx eq 22 any
conduit permit udp host xxx.xxx.xxx.xxx eq 873 any
for any of the udp ports?

Thanks
 
One thing that I would do, especially if you know what IP or at least what subnet the remote admin is coming from, is set your conduit up to allow only that IP or that subnet in on those ports. The way that is mentioned above, anyone can get in through those ports. Instead of the last "any", change it (if possible) to "host x.x.x.x", or for the subnet, "any x.x.x.x".

 
I have a similar request to open a port for SSL (443).
Would it be necessary to also add:
fixup protocol ssl 443
to the PIX?
 
No. Fixups are special protocol handling routines put in by the PIX. The number of fixups depends on the version of software you're running.

You can have them monitor different ports, or remove them if need be.

You don't need to touch them.

-gbiello
 
The PIX can't use the FIXUP protocol on port 443. Port 443 is used for SSL and is encrypted. The PIX can't decrypt that data.

-Bad Dos
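Pulling the thread together, here is an added configuration example (not posted by anyone in the thread) showing the source-restricted ssh/rsync conduits suggested above next to the wide-open form, plus the 443 conduit from the second question with the fixups left untouched. The addresses are placeholders: 203.0.113.10 stands for the server's outside address (the xxx.xxx.xxx.xxx in the posts), 192.168.1.10 for its inside address, and 198.51.100.7 / 198.51.100.0/24 for the remote admin's host and subnet. The static is assumed; the existing SMTP conduit only works if a translation like it is already in place.

```cisco
! Added example, not from the original thread. Placeholder addresses:
!   203.0.113.10     = server's outside (global) address, the x.x.x.x in the posts
!   192.168.1.10     = server's inside address (assumed)
!   198.51.100.7     = remote admin's fixed source address (assumed)
!   198.51.100.0/24  = remote admin's subnet, if only that much is known (assumed)
! PIX 5.x/6.x conduit form:
!   conduit permit <proto> <global_ip> [eq <port>] <foreign_ip> <mask>

! Translation the conduits apply to (assumed to exist already, since the SMTP
! conduit in the thread could not work without one)
static (inside,outside) 203.0.113.10 192.168.1.10 netmask 255.255.255.255

! Existing rule from the thread: SMTP reachable from anywhere
conduit permit tcp host 203.0.113.10 eq smtp any

! Wide-open form from the first reply: ssh and rsync from ANY source
! conduit permit tcp host 203.0.113.10 eq 22 any
! conduit permit tcp host 203.0.113.10 eq 873 any

! Restricted form: only the admin's host may reach 22 and 873 ...
conduit permit tcp host 203.0.113.10 eq 22 host 198.51.100.7
conduit permit tcp host 203.0.113.10 eq 873 host 198.51.100.7

! ... or, if only the subnet is known, that subnet (explicit mask, not "any")
conduit permit tcp host 203.0.113.10 eq 22 198.51.100.0 255.255.255.0
conduit permit tcp host 203.0.113.10 eq 873 198.51.100.0 255.255.255.0

! No udp conduits are needed: ssh (22) and the rsync daemon (873) are TCP-only.

! Second question: https. Just a tcp conduit on 443; no "fixup protocol" line
! is added or changed, the default fixups stay as they are.
conduit permit tcp host 203.0.113.10 eq 443 any

! Check what is in effect, then save
show static
show conduit
show fixup
write memory
```

Use either the host lines or the subnet lines, not both; conduits are matched in order, so a leftover "any" line above a host-restricted one would still let everyone in. The 443 conduit is left open to "any" because the post does not say who needs it; if it is also for one admin, restrict it the same way.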
 