> -----Original Message-----
> From: Network Operations [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, 20 July 2000 12:55 AM
> To: [EMAIL PROTECTED]
> Subject: Re: PIX deny outbound.
> 
> 
> Negative!
> 
> He's not using a router, PIX firewalls do not follow 
> (completely) Cisco router IOS convention. You first need to 
> issue a deny all, then "except" the allowed ports/protocols back in

There's More Than One Way To Do It.

The "accepted" (Cisco documented) way to do it is _either_:

outbound 101 deny 0 0 0
outbound 101 permit 0 0 23 tcp
outbound 101 permit 0 0 80 tcp
[etc]
apply (inside) 101 outgoing_src

Note that the _more specific_ permit statements override the global deny.
This is counter-intuitive for anyone who has written lots of Cisco IOS ACLs.


Personally I like the "except" syntax for these simple ones (as recommended
by Mr Operations) which is:

outbound 101 deny 0 0 0
outbound 101 except 0 0 23 tcp
outbound 101 except 0 0 80 tcp
[etc]
apply (inside) 101 outgoing_src

Note that the except statement reverses the best matched rule for the packet
in question. If you're mixing permits and denies etc then you may get
strange results with except unless you've put a lot of thought into the
syntax.

Ref:
http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_v44/pix44cfg/pix44cmd.htm

> 
> >>> Fabio Pietrosanti <[EMAIL PROTECTED]> 07/19/00 03:58AM >>>
> 
> the explicit deny isn't necessary.
> if you use outbound on an interface the default policy is DENY :)

Yah, as pointed out - not so. The default is to permit ALL traffic going
from a higher security level to a lower one.

> [snip]
> 
> On Wed, 19 Jul 2000 [EMAIL PROTECTED] wrote:
> 
> > Hi!
> > I want to deny outbound traffic to all external hosts from an internal
> > network except some specific ports.
> > Is this the way to do it? (Using a PIX Firewall)
> > 
> > outbound 110 permit 0.0.0.0 0.0.0.0 21 tcp
> > outbound 110 permit 0.0.0.0 0.0.0.0 80 tcp
> > outbound 110 permit 0.0.0.0 0.0.0.0 25 tcp
> > outbound 110 permit 0.0.0.0 0.0.0.0 23 tcp
> > outbound 110 permit 0.0.0.0 0.0.0.0 53 tcp
> > outbound 110 permit 0.0.0.0 0.0.0.0 53 udp
> > outbound 110 deny 0.0.0.0 0.0.0.0 1-65535 tcp
> > outbound 110 deny 0.0.0.0 0.0.0.0 1-65535 udp
> > apply (outside) 110 outgoing_dest

Apart from the bizarre syntax I think that this would work if you didn't
have the wrong apply statement. To deny access to _services_ you should use:

apply (inside) 110 outgoing_src

To deny access to _hosts_ you use outgoing_dest. Also note that your
approach will permit any other IP protocols that the PIX knows about, only
blocking tcp and udp - e.g. ping will still work for any internal host. If
that's not what you intend then use:

outbound 110 deny 0 0 0 

instead of the last two lines.

> > 
> > Thanks!
> > 
> > //Jesper
> > 

Cheers,

(What happened to Lisa? She used to field all the PIX questions...;)
--
Ben Nagy
Network Consultant, Volante IT
PGP Key ID: 0x1A86E304  Mobile: +61 414 411 520  
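Added example, not part of the thread or Cisco's code: a small checker that models the outbound-list semantics described above (the most specific matching permit/deny wins, "except" reverses that best match, and unmatched traffic falls through to the PIX default of permitting higher-to-lower traffic). It shows why the original tcp/udp-only denies still let ICMP through while a global "deny 0 0 0" does not. The parser, the evaluator and the sample lists are hypothetical constructions.

```python
# Hypothetical model of PIX 4.x outbound-list evaluation as described in
# this thread. Not Cisco code; the outbound lists below are constructed.
import ipaddress

def parse_outbound(text):
    """Parse 'outbound <id> <action> <addr> <mask> [port[-port]] [proto]' lines."""
    rules = []
    for line in text.strip().splitlines():
        f = line.split()
        if not f or f[0] != "outbound":          # skip 'apply' and blank lines
            continue
        action, addr, mask = f[2], f[3], f[4]
        port = f[5] if len(f) > 5 else "0"
        proto = f[6] if len(f) > 6 else None     # None = any protocol
        addr = "0.0.0.0" if addr == "0" else addr
        mask = "0.0.0.0" if mask == "0" else mask
        net = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
        lo, _, hi = port.partition("-")
        lo, hi = int(lo), int(hi or lo)
        if lo == 0:                              # port 0 means all ports
            lo, hi = 0, 65535
        # more specific = longer mask, narrower port range, protocol given
        spec = (net.prefixlen, -(hi - lo), proto is not None)
        rules.append(dict(action=action, net=net, lo=lo, hi=hi,
                          proto=proto, spec=spec))
    return rules

def evaluate(rules, dst_ip, dport, proto):
    """Return 'permit' or 'deny' for one outbound packet (use dport=0 for icmp)."""
    ip = ipaddress.ip_address(dst_ip)
    hits = [r for r in rules if ip in r["net"] and r["lo"] <= dport <= r["hi"]
            and r["proto"] in (None, proto)]
    plain = [r for r in hits if r["action"] != "except"]
    if not plain:
        return "permit"                          # PIX default: nothing matched
    best = max(plain, key=lambda r: r["spec"])   # best (most specific) match
    if any(r["action"] == "except" for r in hits):
        return "deny" if best["action"] == "permit" else "permit"
    return best["action"]

# Constructed sample lists: the poster's tcp/udp-only denies, the thread's
# global-deny fix, and the "except" form.
ORIGINAL = """outbound 110 permit 0 0 80 tcp
outbound 110 permit 0 0 53 udp
outbound 110 deny 0 0 1-65535 tcp
outbound 110 deny 0 0 1-65535 udp"""
FIXED = "outbound 110 deny 0 0 0\noutbound 110 permit 0 0 80 tcp\noutbound 110 permit 0 0 53 udp"
EXCEPT = "outbound 101 deny 0 0 0\noutbound 101 except 0 0 23 tcp"
```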