As long as you initiate it.  There are ActiveX filters and other filters you
can enable on the PIX to block most malicious web server traffic.  In any
type of NAT it will allow inside users full access to the internet unless
blocked or unsupported by NAT.

Allen
----- Original Message -----
From: Steve Alston 
To: 
Sent: Thursday, November 29, 2001 3:59 PM
Subject: Re: PIX conduit & access lists [7:26684]


> Thanks again Allen,
>   Does that mean the responses to my outbound requests are allowed in by
> default?  For example, my request for a web page is allowed through the
> firewall. Would the page in response of that request be allowed through the
> firewall?
>
> Steve
>
> ""Allen May""  wrote in message
> news:[EMAIL PROTECTED]...
> > NAT or internal servers with "real" IP addresses using NAT 0 can access
> > anything until you block it.  Outbound requests (such as http, ftp, etc) are
> > all enabled by default.  Users outside the firewall cannot access internal
> > IPs without access-list or conduit statements.
> >
> > In short, all outbound enabled and all inbound disabled by default.
> >
> > For your conduit permit icmp any any I would enable echo reply only rather
> > than full icmp.  Echo reply only allows replies back to the person pinging
> > or tracerouting.  Full icmp can be exploited in DOS attacks.
> > example:
> > access-list 10 permit icmp any any echo-reply
> > access-group 10 interface outside
> > (apply one to interface inside for outbound)
> >
> > Allen
> >
> > ----- Original Message -----
> > From: Steve Alston
> > To:
> > Sent: Wednesday, November 28, 2001 4:08 PM
> > Subject: Re: PIX conduit & access lists [7:26684]
> >
> >
> > > Patrick & Allen,
> > >   Thanks for the responses -- helps loads.  I'm still slightly confused.
> > >
> > > I did a clear conduit expecting to block all incoming traffic.  Following
> > > the clear conduit, I did a show conduit to verify there were not any
> > > conduits in operation.  At that time, I was still able to receive web
> > > traffic at my workstation.  For that matter, the conduit statements only
> > > applied to specific servers so why am I able to receive http at my
> > > workstation?  I did try to PING an IP address which failed when I removed
> > > the conduits and worked when I restored "conduit permit icmp any any" --
> > > that behaved as expected.
> > >
> > >
> > > Thanks,
> > > Steve
> > >
> > > ""Allen May""  wrote in message
> > > news:[EMAIL PROTECTED]...
> > > > Very true and a good point, but the original question was about conduits
> > > > which only apply to lower->higher.  Higher->lower requires NAT.  I
> > > > accidentally typed access-list below but meant conduit. ;)  *slap self &
> > > > get more coffee*.  It still applies but wasn't what I meant to say.
> > > >
> > > > Thanks for pointing that out though.
> > > >
> > > >
> > > > ----- Original Message -----
> > > > From: Patrick W. Bass
> > > > To:
> > > > Sent: Sunday, November 25, 2001 10:14 PM
> > > > Subject: Re: PIX conduit & access lists [7:26684]
> > > >
> > > >
> > > > > ""Allen May""  wrote in message
> > > > > news:[EMAIL PROTECTED]...
> > > > > > I'm not sure if this was answered or not, but a firewall always assumes a
> > > > > > deny all at the end of the access-list for inbound.  Outbound is different
> > > > > > since it allows all by default.
> > > > > >
> > > > >
> > > > > Remember this:  Higher security level to lower security level, implicitly
> > > > > allowed.  Lower security level to higher security level, implicitly denied.
> > > > > Otherwise it gets tricky once you start messing with multiple DMZs.
> > > > >
> > > > > > Also, access-lists are the way to go since conduits will be phased out in
> > > > > > the near future.
> > > > > >
> > > > > > Allen
> > > > > >
> > > > > > ----- Original Message -----
> > > > > > From: Steve Alston
> > > > > > To:
> > > > > > Sent: Monday, November 19, 2001 9:25 AM
> > > > > > Subject: Re: PIX conduit & access lists [7:26684]
> > > > > >
> > > > > >
> > > > > > > Carroll,
> > > > > > >   Thanks for the reply.  I'm using conduits now, but will switch to access
> > > > > > > lists in the future.  (I'd like to fully understand the configuration I
> > > > > > > inherited before I start making changes)  Are implicit denys inserted behind
> > > > > > > each conduit as well?
> > > > > > >
> > > > > > >
> > > > > > > ""Carroll Kong""  wrote in message
> > > > > > > news:[EMAIL PROTECTED]...
> > > > > > > > Implicit denys behind every access-list are inserted.  Are you
> > > > > > > > mixing conduits and access-lists?  You really should not.  Use ALL conduits
> > > > > > > > or ALL access-lists.  If both are used, conduits take priority and override
> > > > > > > > your access-lists.  Access-lists are first match, conduits are any match.
> > > > > > > >
> > > > > > > > At 09:24 AM 11/19/01 -0500, Steve Alston wrote:
> > > > > > > > >Does the PIX 506 require an explicit deny statement after setting up a
> > > > > > > > >permit conduit or access list.
> > > > > > > > >
> > > > > > > > >I appear to be receiving more traffic (e.g. NTP) than my conduit statements
> > > > > > > > >allow.
> > > > > > > > >
> > > > > > > > >Thanks much,
> > > > > > > > >Steve
> > > > > > > > -Carroll Kong
Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=27916&t=26684
--------------------------------------------------
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
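As an added illustration (not part of the thread and not Cisco software), here is a small Python model of the decision rules the replies describe: an access-list bound to an interface is evaluated first-match and ends in an implicit deny; with no list bound, higher-security-level to lower is allowed and the reverse denied; and replies to TCP/UDP connections the inside opened are let back in by the connection table, which is why Steve kept receiving web pages after `clear conduit`. The interface names, security levels (inside 100, outside 0), the addresses, and the outbound list `20` are all assumptions constructed for the example; only the `access-list`/`access-group` syntax used in the thread is parsed, and conduit "any match" semantics are not modelled.

```python
"""Toy model of a PIX 6.x-era packet decision. Constructed for this thread as
an illustration; not Cisco code. Only the access-list / access-group subset
used in the thread is parsed. ICMP is deliberately not tracked as a connection,
matching the observation that ping stopped working once the icmp conduit
was removed."""
from dataclasses import dataclass, field
from typing import Optional

SECURITY_LEVEL = {"inside": 100, "outside": 0}   # assumed PIX defaults


@dataclass(frozen=True)
class Packet:
    ingress: str                      # interface the packet arrives on
    proto: str                        # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: Optional[int] = None       # tcp/udp destination port
    icmp_type: Optional[str] = None   # e.g. "echo", "echo-reply"


@dataclass
class Firewall:
    acls: dict = field(default_factory=dict)      # acl id -> [(action, proto, src, dst, qualifier)]
    bindings: dict = field(default_factory=dict)  # interface -> acl id
    conns: set = field(default_factory=set)       # (proto, initiator, responder)

    def configure(self, line: str) -> None:
        parts = line.split()
        if parts[0] == "access-list":
            # access-list <id> permit|deny <proto> <src> <dst> [eq <port> | <icmp-type>]
            _, acl_id, action, proto, src, dst, *rest = parts
            qualifier = rest[1] if rest[:1] == ["eq"] else (rest[0] if rest else None)
            self.acls.setdefault(acl_id, []).append((action, proto, src, dst, qualifier))
        elif parts[0] == "access-group":
            # access-group <id> [in] interface <if>  (the 'in' keyword is optional here)
            self.bindings[parts[-1]] = parts[1]
        else:
            raise ValueError("unsupported config line: " + line)

    @staticmethod
    def _matches(entry, pkt: Packet) -> bool:
        action, proto, src, dst, qualifier = entry
        if proto not in ("ip", pkt.proto):
            return False
        if src != "any" and src != pkt.src:
            return False
        if dst != "any" and dst != pkt.dst:
            return False
        if qualifier is None:
            return True
        if pkt.proto == "icmp":
            return qualifier == pkt.icmp_type
        return pkt.dport is not None and int(qualifier) == pkt.dport

    def _is_return_traffic(self, pkt: Packet) -> bool:
        # Reply direction of a remembered TCP/UDP flow; source ports are not modelled.
        return (pkt.proto, pkt.dst, pkt.src) in self.conns

    def _remember(self, pkt: Packet, allowed: bool) -> None:
        # Only permitted TCP/UDP flows create connection state; ICMP does not.
        if allowed and pkt.proto in ("tcp", "udp"):
            self.conns.add((pkt.proto, pkt.src, pkt.dst))

    def permit(self, pkt: Packet):
        """Return (allowed, reason) for a packet arriving on pkt.ingress."""
        if self._is_return_traffic(pkt):
            return True, "reply to an established connection"
        acl_id = self.bindings.get(pkt.ingress)
        if acl_id is not None:
            for entry in self.acls.get(acl_id, []):
                if self._matches(entry, pkt):
                    allowed = entry[0] == "permit"
                    self._remember(pkt, allowed)
                    return allowed, f"access-list {acl_id}: first match '{entry[0]}'"
            return False, f"access-list {acl_id}: implicit deny at end"
        egress = "outside" if pkt.ingress == "inside" else "inside"
        allowed = SECURITY_LEVEL[pkt.ingress] > SECURITY_LEVEL[egress]
        self._remember(pkt, allowed)
        return allowed, ("higher->lower security level: allowed by default" if allowed
                         else "lower->higher security level: denied by default")


def build_firewall_from_thread() -> Firewall:
    """Allen's echo-reply-only outside policy plus a constructed outbound list
    (id 20, assumed) that shows first-match ordering."""
    fw = Firewall()
    for line in [
        "access-list 10 permit icmp any any echo-reply",
        "access-group 10 interface outside",
        "access-list 20 deny tcp any any eq 23",      # constructed: block outbound telnet
        "access-list 20 permit ip any any",           # constructed: everything else out
        "access-group 20 interface inside",
    ]:
        fw.configure(line)
    return fw


def run_scenario() -> dict:
    """Constructed packets (documentation addresses); returns verdicts by label."""
    fw = build_firewall_from_thread()
    steps = [
        ("web request out", Packet("inside", "tcp", "10.0.0.5", "203.0.113.80", dport=80)),
        ("web reply in", Packet("outside", "tcp", "203.0.113.80", "10.0.0.5", dport=34567)),
        ("unsolicited ssh in", Packet("outside", "tcp", "198.51.100.9", "10.0.0.5", dport=22)),
        ("telnet out", Packet("inside", "tcp", "10.0.0.5", "203.0.113.80", dport=23)),
        ("echo-reply in", Packet("outside", "icmp", "203.0.113.80", "10.0.0.5", icmp_type="echo-reply")),
        ("echo request in", Packet("outside", "icmp", "198.51.100.9", "10.0.0.5", icmp_type="echo")),
    ]
    return {label: fw.permit(pkt) for label, pkt in steps}


if __name__ == "__main__":
    for label, (allowed, reason) in run_scenario().items():
        print(f"{label:20s} {'PERMIT' if allowed else 'DENY':6s} {reason}")
```

Running the scenario shows the web reply passing on connection state alone, the unsolicited SSH and echo request dying on the implicit deny of list 10, and the echo reply passing only because of the explicit `echo-reply` entry. A `Firewall()` with nothing configured reproduces the default rule Patrick states: inside-to-outside is permitted, outside-to-inside is denied.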