The answer would be yes, order matters on a PIX (examples use access-list
configuration, but the same is true of conduits/outbound rulesets as well).

For traffic moving from a low level to high level interface (inbound), the
default is deny unless you have a rule to allow for specific traffic.  If
you want to block a specific IP or subnet from accessing a public server you
would need to put in an explicit deny BEFORE your any rule (like below,
watch for line wrapping).

! keep those 192.168 meanies away!
access-list outside_rules deny tcp 192.168.0.0 255.255.0.0 host 12.34.56.111 eq www
! let everyone else use our web server
access-list outside_rules permit tcp any host 12.34.56.111 eq www

For traffic moving from a high level interface to a low level interface
(outbound), the default is to permit unless you have a rule to deny for that
specific traffic.  If you want to block a specific type of access you must
block it explicitly if there is an any rule that might take precedence, but
in order to control outbound traffic you must have a 'deny ip any any' rule
at the END of your ruleset (like below).

! prevent access to www.msn.com
access-list inside_rules deny tcp host 12.34.56.111 207.46.209.243 255.255.0.0 eq 80
! allow access to the rest of the web
access-list inside_rules permit tcp host 12.34.56.111 any eq 80
! allow access to ftp
access-list inside_rules permit tcp host 12.34.56.111 any eq ftp
! block all other access
access-list inside_rules deny ip any any

Sean Settle
"The thirst after happiness is never extinguished in the heart of man" -
Jean Jacques Rousseau
X Network Services Q NPC X
Phoenix, AZ
Phone:  480-496-5434
Fax:    480-496-5224
SMTP:   [EMAIL PROTECTED]
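
To make the first-match behaviour described above concrete, here is an added Python model (not from the original message, and not Cisco code) that evaluates the two rulesets from the message and flags lines that an earlier line shadows. The interface default ('deny' for inbound, 'permit' for outbound, as the message states) is passed in as a parameter; sample packets are constructed.

```python
import ipaddress

# Constructed rulesets, transcribed from the two access-lists in the message above.
# Tuple layout: (action, protocol, source network, destination network, dest port or None).
OUTSIDE_RULES = [
    ("deny",   "tcp", "192.168.0.0/16", "12.34.56.111/32", 80),
    ("permit", "tcp", "0.0.0.0/0",      "12.34.56.111/32", 80),
]
INSIDE_RULES = [
    ("deny",   "tcp", "12.34.56.111/32", "207.46.0.0/16", 80),
    ("permit", "tcp", "12.34.56.111/32", "0.0.0.0/0",     80),
    ("permit", "tcp", "12.34.56.111/32", "0.0.0.0/0",     21),
    ("deny",   "ip",  "0.0.0.0/0",       "0.0.0.0/0",     None),
]

def _covers(rule, proto, src_net, dst_net, dport):
    """True if the rule's fields fully cover the given protocol, networks and port."""
    _, rproto, rsrc, rdst, rport = rule
    return ((rproto == "ip" or rproto == proto)
            and src_net.subnet_of(ipaddress.ip_network(rsrc))
            and dst_net.subnet_of(ipaddress.ip_network(rdst))
            and (rport is None or rport == dport))

def evaluate(rules, proto, src, dst, dport, default):
    """First matching line wins, as on the PIX. With no match, fall back to the
    direction's default ('deny' inbound, 'permit' outbound per the message)."""
    src_net = ipaddress.ip_network(src + "/32")
    dst_net = ipaddress.ip_network(dst + "/32")
    for index, rule in enumerate(rules):
        if _covers(rule, proto, src_net, dst_net, dport):
            return rule[0], index
    return default, None

def shadowed(rules):
    """Indexes of lines that can never match because an earlier line already covers
    every packet they would match, e.g. a deny placed after 'permit tcp any ...'."""
    dead = []
    for j, later in enumerate(rules):
        proto, port = later[1], later[4]
        src_net, dst_net = ipaddress.ip_network(later[2]), ipaddress.ip_network(later[3])
        if any(_covers(earlier, proto, src_net, dst_net, port) for earlier in rules[:j]):
            dead.append(j)
    return dead

if __name__ == "__main__":
    print(evaluate(OUTSIDE_RULES, "tcp", "192.168.5.5", "12.34.56.111", 80, "deny"))
    print("shadowed when reversed:", shadowed(OUTSIDE_RULES[::-1]))
```

Reversing the outside ruleset makes the 192.168 deny unreachable, and dropping the final 'deny ip any any' from the inside ruleset lets non-TCP traffic fall through to the outbound default.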


-----Original Message-----
From: Jeffrey M. Foster [mailto:[EMAIL PROTECTED]]
Sent: Friday, July 06, 2001 12:33 PM
To: firewall
Subject: newbie question, PIX rule order

hi

easy one, I think.
does the rule order matter on a PIX fw?
if so, suggestions for order? closing rules to clean up with?

thanks

JEff
-- 

Jeff Foster
_______________________________________________
Firewalls mailing list
[EMAIL PROTECTED]
http://lists.gnac.net/mailman/listinfo/firewalls