Hi,
On Thu, 15 Jun 2000, Warwick Vele wrote:
> I am testing outbound access-lists to apply to our PIX and have run into
> a small problem.
>
> The test list is as follows:
>
> outbound 10 deny 0.0.0.0 0.0.0.0 0 0
> outbound 10 except 0.0.0.0 0.0.0.0 7 tcp
> outbound 10 except 0.0.0.0 0.0.0.0 7 udp
> outbound 10 except 0.0.0.0 0.0.0.0 20 tcp
> outbound 10 except 0.0.0.0 0.0.0.0 21 tcp
> outbound 10 except 0.0.0.0 0.0.0.0 23 tcp
> outbound 10 except 0.0.0.0 0.0.0.0 25 tcp
> outbound 10 except 0.0.0.0 0.0.0.0 25 udp
> outbound 10 except 0.0.0.0 0.0.0.0 53 udp
> outbound 10 except 0.0.0.0 0.0.0.0 80 tcp
>
> applied with:
>
> apply (inside) 10 outgoing_src
>
> I also have a conduit allowing icmp:
>
> conduit permit icmp any any
>
> The intent is to deny all outbound traffic _except_ those ports stated
> above, with a destination of "anywhere". When I apply the list it blocks
> PING attempts from the inside to the outside. When I remove the apply
> statement it works fine. Is there something that I am leaving out with
> my except statements? We are using version 4.3(2).
For what reason are you allowing tcp/echo and udp/echo out of your internal
network?
Ping does not use tcp or udp. You will want to remove 7/tcp and 7/udp
from your access-list and allow icmp.
icmp is not tcp.
Greetings
Christian
--
TopLink Internet Services GmbH [EMAIL PROTECTED]
Christian Kratzer http://www.toplink.net/
Phone: +49 7032 2701-0
Fax: +49 7032 2701-19 FreeBSD spoken here!
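As an added example (not from either poster), here is a small Python model of how the posted outbound list decides a packet: the blanket deny applies first, and an except entry lifts it only for the protocol and port it names, so ICMP never matches one. The `except ... 0 icmp` entry used in the fix is an assumed form of the syntax, not one shown in the thread.

```python
# Simplified model of a PIX "outbound <id> deny/except" list (assumed
# semantics: deny matches first, an except entry then overrides it only for
# its own protocol/port; a port or protocol of 0 means "any"). ICMP
# packets, which have no port, are modelled with port 0.

POSTED_LIST = """
outbound 10 deny 0.0.0.0 0.0.0.0 0 0
outbound 10 except 0.0.0.0 0.0.0.0 7 tcp
outbound 10 except 0.0.0.0 0.0.0.0 7 udp
outbound 10 except 0.0.0.0 0.0.0.0 20 tcp
outbound 10 except 0.0.0.0 0.0.0.0 21 tcp
outbound 10 except 0.0.0.0 0.0.0.0 23 tcp
outbound 10 except 0.0.0.0 0.0.0.0 25 tcp
outbound 10 except 0.0.0.0 0.0.0.0 25 udp
outbound 10 except 0.0.0.0 0.0.0.0 53 udp
outbound 10 except 0.0.0.0 0.0.0.0 80 tcp
"""

def parse_outbound(text):
    """Parse 'outbound <id> <action> <addr> <mask> <port> <proto>' lines."""
    rules = []
    for line in text.strip().splitlines():
        parts = line.split()
        if len(parts) != 7 or parts[0] != "outbound":
            continue
        _, list_id, action, _addr, _mask, port, proto = parts
        rules.append({"id": int(list_id), "action": action,
                      "port": int(port), "proto": proto})
    return rules

def _matches(rule, proto, port):
    return rule["proto"] in ("0", proto) and rule["port"] in (0, port)

def evaluate(rules, proto, port=0):
    """Return 'deny' or 'permit' for an outbound packet (proto, dest port)."""
    decision = "permit"          # nothing in the list applies -> allowed
    if any(r["action"] == "deny" and _matches(r, proto, port) for r in rules):
        decision = "deny"
    if any(r["action"] == "except" and _matches(r, proto, port) for r in rules):
        decision = "permit"      # an except entry overrides the deny
    return decision

def fixed_list(rules):
    """Drop the tcp/udp echo (port 7) exceptions and add one for ICMP."""
    kept = [r for r in rules if not (r["action"] == "except" and r["port"] == 7)]
    # assumed syntax: "outbound 10 except 0.0.0.0 0.0.0.0 0 icmp"
    kept.append({"id": 10, "action": "except", "port": 0, "proto": "icmp"})
    return kept
```

With the posted list, `evaluate(rules, "icmp")` returns "deny" while `evaluate(rules, "tcp", 7)` returns "permit", which is the opposite of what the poster wanted.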