I just came across this information last week. To my knowledge the only
statements "optimized" are the Outbound/apply statements. Access-lists and
Conduit/Static statements are executed in the order entered into the config.
I am still researching this, but I tested it by putting a couple outbound
denies, with a /32 mask, after our "outbound permit 0 0 0 TCP" "outbound
permit 0 0 0 UDP". Sure enough when I performed a "Show Outbound" the
"Permit All" (shown above) statements were listed at the very end and the
items with the most specific subnet mask were listed first. I attempted to
connect to the items and they were denied as expected. This is similar to
OSPF in some ways, since OSPF does not use the first match, but the most
exact (as I understand it) match in the routing table. Here is the info from
www.cisco.com 

"The outgoing_src and outgoing_dest outbound lists are filtered
independently. If any one of the filters contain deny, the outbound packet
is denied. When multiple rules are used to filter the same packet, the best
matched rule takes effect.  The best match is based on the IP address mask
and the port range check. More strict IP address masks and smaller port
ranges are considered a better match. If there is a tie, a permit overrides
a deny."

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_v51/config/commands.htm#xtocid2254146 (watch for wrap)


Ken Claussen MCSE CCNA CCA
[EMAIL PROTECTED]
"The Mind is a Terrible thing to Waste!"
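The best-match behaviour quoted from the Cisco documentation above, modelled in Python as an added example (this is not Cisco's code and not from anyone in this thread): a small parser for the `outbound <id> permit|deny <addr> <mask> <port[-port]> <proto>` syntax, a `show_outbound` ordering that puts the strictest mask and narrowest port range first, and `best_match` next to a first-match evaluator so the difference in outcome is visible. The rule list, the destination addresses and the default action are constructed assumptions, not values from the post.

```python
# Constructed model of PIX "outbound" best-match evaluation versus
# first-match (access-list style) evaluation. Illustrative only; it is
# not Cisco's implementation.
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network

ANY_PORT = (0, 0)  # a port of "0" in the outbound syntax means any port


@dataclass(frozen=True)
class OutboundRule:
    list_id: int
    action: str            # "permit" or "deny"
    network: IPv4Network   # destination address/mask; "0 0" == 0.0.0.0/0
    ports: tuple           # (lo, hi); (0, 0) == any port
    proto: str             # "tcp" or "udp"

    def matches(self, addr: str, port: int, proto: str) -> bool:
        if self.proto != proto or IPv4Address(addr) not in self.network:
            return False
        return self.ports == ANY_PORT or self.ports[0] <= port <= self.ports[1]

    def port_width(self) -> int:
        return 65536 if self.ports == ANY_PORT else self.ports[1] - self.ports[0] + 1

    def rank(self) -> tuple:
        # Higher tuple == better match: stricter mask first, then narrower
        # port range, and permit beats deny on an exact tie (quoted text).
        return (self.network.prefixlen, -self.port_width(), self.action == "permit")


def parse_outbound(line: str) -> OutboundRule:
    # Syntax assumed: outbound <id> permit|deny <addr> <mask> <port[-port]> <proto>
    _, list_id, action, addr, mask, port, proto = line.split()
    addr = "0.0.0.0" if addr == "0" else addr
    mask = "0.0.0.0" if mask == "0" else mask
    lo, _, hi = port.partition("-")
    ports = (int(lo), int(hi or lo))          # "0" -> (0, 0) == ANY_PORT
    return OutboundRule(int(list_id), action, IPv4Network(f"{addr}/{mask}"), ports, proto)


def show_outbound(rules):
    # Order rules the way the post describes "show outbound": best match
    # first, so the "permit 0 0 0" entries land at the very end.
    return sorted(rules, key=OutboundRule.rank, reverse=True)


def best_match(rules, addr, port, proto, default="deny"):
    hits = [r for r in rules if r.matches(addr, port, proto)]
    return max(hits, key=OutboundRule.rank).action if hits else default


def first_match(rules, addr, port, proto, default="deny"):
    # Access-list semantics for contrast: first rule in config order wins.
    for r in rules:
        if r.matches(addr, port, proto):
            return r.action
    return default


# Constructed config: permit-all TCP/UDP entered first, specific denies after.
CONSTRUCTED_CONFIG = [
    "outbound 1 permit 0 0 0 tcp",
    "outbound 1 permit 0 0 0 udp",
    "outbound 1 deny 192.0.2.10 255.255.255.255 0 tcp",
    "outbound 1 deny 192.0.2.11 255.255.255.255 0 tcp",
    "outbound 1 deny 198.51.100.0 255.255.255.0 1024-65535 tcp",
    "outbound 1 permit 192.0.2.20 255.255.255.255 0 tcp",
    "outbound 1 deny 192.0.2.20 255.255.255.255 0 tcp",
]
RULES = [parse_outbound(line) for line in CONSTRUCTED_CONFIG]

if __name__ == "__main__":
    for r in show_outbound(RULES):
        print(f"{r.action:6} {r.network!s:22} ports={r.ports} {r.proto}")
    for addr, port in [("192.0.2.10", 80), ("192.0.2.50", 80),
                       ("198.51.100.7", 8080), ("192.0.2.20", 22)]:
        print(addr, port, "best-match:", best_match(RULES, addr, port, "tcp"),
              "first-match:", first_match(RULES, addr, port, "tcp"))
```

With the permit-all rules entered first, first-match evaluation would never reach the /32 denies, whereas best-match denies 192.0.2.10 regardless of where the deny sits in the config; that is the "denied as expected" result described above. The same model also shows the port-range tie-break (the /24 deny only wins for ports 1024-65535) and the permit-over-deny tie.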


-----Original Message-----
From: Ron DuFresne [mailto:[EMAIL PROTECTED]]
Sent: Saturday, July 07, 2001 4:36 AM
To: Claussen, Ken
Cc: 'Settle, Sean'; 'Jeffrey M. Foster'; 'firewall'
Subject: RE: newbie question, PIX rule order



The pix reorders or 'optimizes' certain types of rulesets then?  This is
interesting, and something I'm not used to having 'done for me'.
Question, if I'm reading this posting correctly, how far does the pix go
in 'optimizing' the rules given it?  While I can see how this can be
somewhat of an asset, I also see how this could be an issue of clarity
when determining a config in the first place to say the least, depending
perhaps upon how much the pix reorders.

Thanks,

Ron DuFresne

On Sat, 7 Jul 2001, Claussen, Ken wrote:

> Sean Settle wrote
> "The answer would be yes, order matters on a PIX (examples use access-list
> configuration, but the same is true of conduits/outbound rulesets as
> well)."
> 
> In the case of "Outbound/apply" statements (which Cisco recommends
> converting to access-list statements to maintain future compatibility) the
> pix orders them by most specific match. "Show config" will list your config
> "as-is". A "Show Outbound" command will produce a list of your outbound
> statements as the Pix orders them. The order is optimized by the Pix's ASA
> which Brian discussed previously. HTH
> 
> Ken Claussen MCSE CCNA CCA
> [EMAIL PROTECTED]
> "The Mind is a Terrible thing to Waste!"
> 
> _______________________________________________
> Firewalls mailing list
> [EMAIL PROTECTED]
> http://lists.gnac.net/mailman/listinfo/firewalls
> 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
"Cutting the space budget really restores my faith in humanity.  It
eliminates dreams, goals, and ideals and lets us get straight to the
business of hate, debauchery, and self-annihilation." -- Johnny Hart
        ***testing, only testing, and damn good at it too!***

OK, so you're a Ph.D.  Just don't touch anything.
