On the GNAC firewall list [EMAIL PROTECTED] wrote:
[... rearranged ...]
>At 02:43 PM 3/8/99 +1100, User wrote:
>>Packet filtering rules work
>>like most other firewalls: first match wins. With PIX, you can only add new
>>rules to the end of the list.
[... rearranged ...]
>Gad's if only I had the time the morning--- So much of this entry is sheer
>and utter "crud"... I am not sure where you got your info, but, to
>start with PIX acl's are NOT sequential -- unlike the router.. it
>works in a whole different way
You are, shall we say, both partly correct.
The situation:
Interfaces have a "security level". High security level is
supposed to be inside your organization. Communications
initiated from a higher interface than the destination interface
need "outbounds". Communications initiated from a lower
interface than the destination interface need "conduits". Prior
to 4.2, communication between interfaces of equal security
level was impossible; starting with 4.2, communication between
interfaces of equal security level requires "conduits". If no
access configuration is done, everything outbound is permitted,
and nothing inbound.
The response:
"Conduits" work just like Cisco IOS extended ACLs, with a
somewhat different syntax. They are therefore sequential. You
can specify source and destination IPs/ports, ICMP codes, etc.
"Outbounds" look like Cisco IOS *standard* (non-extended) ACLs,
but they are not sequential, the "best match" is chosen. You
can only specify the destination port, and either source or
destination IP.
So, you are both right.
I would like to know if anyone knows of any disadvantage in
setting all interfaces to the same security level (in 4.2).
I *want* full source/dest filtering. I *want* sequentiality.
Anyway, um, typing access-lists by hand, hee, hee, hee. What an
utter waste of time. What do you do when you have 20 routers,
open everything? Kind of defeats the purpose, right? Um... was
commercial advertising allowed here? www.solsoft.com, anyway.
Yes, I am biased :-)
P.S.
Oh, and lame braindead vacation programs that respect neither
the RFCs nor procedures that have been set in stone since the
early nineteen-eighties will get no sympathy from me (I'm
specifically referring to the Lotus vacation program).
--
#include <std_disclaim.h> Lorens Kockum
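The two evaluation semantics described in the message above (sequential first-match for conduits, order-independent best match for outbounds) modelled in a few lines of Python. This is an added example, not code from the original message or from Cisco. The specificity ranking used for "best match" (longer mask wins, then an explicit port beats "any port") and the sample rule set are assumptions chosen to illustrate the difference, not a description of how PIX actually ranks outbounds. The `shadowed` check flags rules that can never fire under first-match because an earlier rule already covers them, which is the practical hazard of a filter that only lets you append at the end of the list.

```python
"""Toy model of first-match vs best-match filter evaluation.

Added example, not from the original post or from Cisco. The best-match
ranking (longer mask first, then explicit port over "any port") is an
assumption chosen to illustrate the difference, not PIX's actual algorithm.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Rule:
    action: str                      # "permit" or "deny"
    network: ipaddress.IPv4Network   # the address the rule keys on
    port: Optional[int] = None       # None means any destination port

    def matches(self, addr: str, port: int) -> bool:
        return (ipaddress.ip_address(addr) in self.network
                and (self.port is None or self.port == port))


def first_match(rules: List[Rule], addr: str, port: int,
                default: str = "deny") -> str:
    """Sequential semantics (conduits, IOS extended ACLs): the first rule
    that matches decides; later rules are never consulted.  Default deny,
    as for inbound traffic with no conduits configured."""
    for rule in rules:
        if rule.matches(addr, port):
            return rule.action
    return default


def best_match(rules: List[Rule], addr: str, port: int,
               default: str = "permit") -> str:
    """Order-independent semantics (modelled after outbounds): every rule is
    considered and the most specific matching one wins.  Default permit, as
    for outbound traffic with no outbounds configured."""
    hits = [r for r in rules if r.matches(addr, port)]
    if not hits:
        return default
    # Specificity (assumed ranking): longer prefix beats shorter,
    # explicit port beats any-port.
    best = max(hits, key=lambda r: (r.network.prefixlen, r.port is not None))
    return best.action


def shadowed(rules: List[Rule]) -> List[int]:
    """Indices of rules that can never fire under first-match, because an
    earlier rule already matches everything they would match.  This is the
    hazard of an append-only rule list: a narrow deny added after a broad
    permit is dead configuration."""
    dead = []
    for j, later in enumerate(rules):
        for earlier in rules[:j]:
            covers_net = later.network.subnet_of(earlier.network)
            covers_port = earlier.port is None or earlier.port == later.port
            if covers_net and covers_port:
                dead.append(j)
                break
    return dead


# Constructed sample rule set: a broad permit followed by a narrow deny of
# telnet from one subnet, the order an append-only list forces on you.
RULES = [
    Rule("permit", ipaddress.ip_network("10.0.0.0/8")),
    Rule("deny", ipaddress.ip_network("10.1.1.0/24"), 23),
]

if __name__ == "__main__":
    pkt = ("10.1.1.5", 23)
    print("first-match          :", first_match(RULES, *pkt))        # permit (deny is shadowed)
    print("best-match           :", best_match(RULES, *pkt))         # deny (more specific wins)
    print("first-match, reversed:", first_match(RULES[::-1], *pkt))  # deny
    print("shadowed rule indices:", shadowed(RULES))                 # [1]
```

Under first-match the narrow telnet deny is dead because the broad permit ahead of it already matches, so the only fix is to reorder (or rebuild) the list; under best-match the same two rules give the intended result in either order, but the trade-off is that a rule's effect can no longer be read off from its position.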