Re: PIX conduit access lists [7:26684]

2001-12-01 Thread Allen May

As long as you initiate it.  There are ActiveX filters and other filters you
can enable on the PIX to block most malicious web server traffic.  In any
type of NAT it will allow inside users full access to the internet unless
blocked or unsupported by NAT.

Allen
- Original Message -
From: Steve Alston 
To: 
Sent: Thursday, November 29, 2001 3:59 PM
Subject: Re: PIX conduit  access lists [7:26684]


 Thanks again Allen,
   Does that mean the responses to my outbound requests are allowed in by
 default?  For example, my request for a web page is allowed through the
 firewall. Would the page in response of that request be allowed through
 the firewall?

 Steve

Message Posted at:
http://www.groupstudy.com/form/re

Re: PIX conduit access lists [7:26684]

2001-11-29 Thread Steve Alston

Thanks again Allen,
  Does that mean the responses to my outbound requests are allowed in by
default?  For example, my request for a web page is allowed through the
firewall. Would the page in response of that request be allowed through the
firewall?

Steve

Allen May wrote in message news:[EMAIL PROTECTED]...
 NAT or internal servers with real IP addresses using NAT 0 can access
 anything until you block it.  Outbound requests (such as http, ftp, etc)
 are all enabled by default.  Users outside the firewall cannot access
 internal IPs without access-list or conduit statements.

 In short, all outbound enabled and all inbound disabled by default.

 For your conduit permit icmp any any I would enable echo reply only rather
 than full icmp.  Echo reply only allows replies back to the person pinging
 or tracerouting.  Full icmp can be exploited in DoS attacks.
 example:
 access-list 10 permit icmp any any echo-reply
 access-group 10 in interface outside
 (apply one to interface inside for outbound)

 Allen





Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=27737t=26684
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]



Re: PIX conduit access lists [7:26684]

2001-11-28 Thread Steve Alston

Patrick & Allen,
  Thanks for the responses -- helps loads.  I'm still slightly confused.

I did a clear conduit expecting to block all incoming traffic.  Following
the clear conduit, I did a show conduit to verify there were not any
conduits in operation.  At that time, I was still able to receive web
traffic at my workstation.  For that matter, the conduit statements only
applied to specific servers so why am I able to receive http at my
workstation?  I did try to PING an IP address which failed when I removed
the conduits and worked when I restored conduit permit icmp any any --
that behaved as expected.


Thanks,
Steve

Allen May wrote in message news:[EMAIL PROTECTED]...
 Very true and a good point, but the original question was about conduits
 which only apply to lower-higher.  Higher-lower requires NAT.  I
 accidentally typed access-list below but meant conduit. ;)  *slap self &
 get more coffee*.  It still applies but wasn't what I meant to say.

 Thanks for pointing that out though.






Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=27588t=26684



Re: PIX conduit access lists [7:26684]

2001-11-28 Thread Allen May

NAT or internal servers with real IP addresses using NAT 0 can access
anything until you block it.  Outbound requests (such as http, ftp, etc) are
all enabled by default.  Users outside the firewall cannot access internal
IPs without access-list or conduit statements.

In short, all outbound enabled and all inbound disabled by default.

For your conduit permit icmp any any I would enable echo reply only rather
than full icmp.  Echo reply only allows replies back to the person pinging
or tracerouting.  Full icmp can be exploited in DoS attacks.
example:
access-list 10 permit icmp any any echo-reply
access-group 10 in interface outside
(apply one to interface inside for outbound)

Allen

- Original Message -
From: Steve Alston 
To: 
Sent: Wednesday, November 28, 2001 4:08 PM
Subject: Re: PIX conduit  access lists [7:26684]


 Patrick & Allen,
   Thanks for the responses -- helps loads.  I'm still slightly confused.

 I did a clear conduit expecting to block all incoming traffic.  Following
 the clear conduit, I did a show conduit to verify there were not any
 conduits in operation.  At that time, I was still able to receive web
 traffic at my workstation.  For that matter, the conduit statements only
 applied to specific servers so why am I able to receive http at my
 workstation?  I did try to PING an IP address which failed when I removed
 the conduits and worked when I restored conduit permit icmp any any --
 that behaved as expected.


 Thanks,
 Steve





Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=27642t=26684
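The two things Steve saw (web pages still arriving after `clear conduit`, ping failing until `conduit permit icmp any any` came back) and Allen's reply can be replayed in a small model. The Python below is an added example written for this page, not PIX software and not code any poster wrote; the class names, the RFC 5737 documentation addresses and the assumption that the workstation is reachable with its real address via `nat 0` are this example's own. What it shows: replies to outbound TCP/UDP connections come back through the connection table with no conduit or outside access-list needed; PIX software of that time did not track ICMP in the connection table (stateful ICMP inspection arrived in later releases), so an echo-reply from outside needs an explicit permit; and `permit icmp any any` also admits unsolicited echo requests from anyone, which is the exposure Allen's echo-reply-only line avoids.

```python
from typing import List, NamedTuple, Optional, Set, Tuple


class Packet(NamedTuple):
    src: str
    dst: str
    proto: str        # "tcp", "udp" or "icmp"
    sport: int = 0    # 0 for icmp
    dport: int = 0    # for icmp this carries the ICMP type (8 = echo, 0 = echo-reply)


class OutsideRule(NamedTuple):
    """One `conduit permit ...` / outside access-list line; icmp_type None = any type."""
    proto: str
    icmp_type: Optional[int] = None


class PixModel:
    """Toy PIX (6.x era) forwarding decision for a two-interface box."""

    def __init__(self, outside_rules: List[OutsideRule]):
        self.outside_rules = outside_rules
        # connection table: (proto, src, sport, dst, dport) of outbound TCP/UDP flows
        self.conns: Set[Tuple[str, str, int, str, int]] = set()
        self.xlates: Set[str] = set()   # inside hosts with a nat/global or nat 0 entry
        self.log: List[str] = []

    def nat(self, host: str) -> None:
        self.xlates.add(host)

    def _permitted_inbound(self, pkt: Packet) -> bool:
        for rule in self.outside_rules:        # first match; implicit deny if none matches
            if rule.proto == pkt.proto and (rule.icmp_type is None or rule.icmp_type == pkt.dport):
                return True
        return False

    def forward(self, pkt: Packet, ingress: str) -> bool:
        """True if the packet is passed, False if dropped; the reason is logged."""
        if ingress == "inside":                # higher -> lower security
            if pkt.src not in self.xlates:
                return self._verdict(pkt, False, "no nat/global or nat 0 entry for source")
            if pkt.proto in ("tcp", "udp"):    # ICMP gets no connection entry in this model
                self.conns.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return self._verdict(pkt, True, "outbound, implicitly permitted")
        # ingress == "outside": lower -> higher security
        reverse = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if pkt.proto in ("tcp", "udp") and reverse in self.conns:
            return self._verdict(pkt, True, "reply to an existing connection")
        if self._permitted_inbound(pkt):
            return self._verdict(pkt, True, "permitted by conduit / outside access-list")
        return self._verdict(pkt, False, "inbound with no conduit, implicitly denied")

    def _verdict(self, pkt: Packet, passed: bool, why: str) -> bool:
        self.log.append(f"{'PASS' if passed else 'DROP'} {pkt.proto} {pkt.src}->{pkt.dst}: {why}")
        return passed


def run_scenario(outside_rules: List[OutsideRule]) -> dict:
    """Steve's observations replayed against one set of outside rules.
    Addresses are constructed; the workstation is assumed to use nat 0."""
    pix = PixModel(outside_rules)
    ws, web, stranger = "192.0.2.5", "198.51.100.10", "203.0.113.9"
    pix.nat(ws)
    return {
        "web_request_out":     pix.forward(Packet(ws, web, "tcp", 1025, 80), "inside"),
        "web_reply_in":        pix.forward(Packet(web, ws, "tcp", 80, 1025), "outside"),
        "ping_out":            pix.forward(Packet(ws, web, "icmp", 0, 8), "inside"),
        "echo_reply_in":       pix.forward(Packet(web, ws, "icmp", 0, 0), "outside"),
        "unsolicited_echo_in": pix.forward(Packet(stranger, ws, "icmp", 0, 8), "outside"),
        "new_tcp_in":          pix.forward(Packet(stranger, ws, "tcp", 4444, 80), "outside"),
    }


NO_CONDUITS = []                               # state after `clear conduit`
FULL_ICMP = [OutsideRule("icmp")]              # conduit permit icmp any any
ECHO_REPLY_ONLY = [OutsideRule("icmp", 0)]     # permit icmp any any echo-reply

if __name__ == "__main__":
    for name, rules in (("no conduits", NO_CONDUITS), ("full icmp", FULL_ICMP),
                        ("echo-reply only", ECHO_REPLY_ONLY)):
        print(name, run_scenario(rules))
```

With no conduits the web reply is still passed and the echo-reply is dropped, which is exactly the behaviour Steve reported; with `permit icmp any any` the stranger's echo request also gets in, while the echo-reply-only line admits the reply and nothing else.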



Re: PIX conduit access lists [7:26684]

2001-11-26 Thread Allen May

Very true and a good point, but the original question was about conduits
which only apply to lower-higher.  Higher-lower requires NAT.  I
accidentally typed access-list below but meant conduit. ;)  *slap self & get
more coffee*.  It still applies but wasn't what I meant to say.

Thanks for pointing that out though.


- Original Message -
From: Patrick W. Bass 
To: 
Sent: Sunday, November 25, 2001 10:14 PM
Subject: Re: PIX conduit  access lists [7:26684]


 Allen May wrote in message news:[EMAIL PROTECTED]...
  I'm not sure if this was answered or not, but a firewall always assumes a
  deny all at the end of the access-list for inbound.  Outbound is different
  since it allows all by default.

 Remember this:  Higher security level to lower security level, implicitly
 allowed.  Lower security level to higher security level, implicitly denied.
 Otherwise it gets tricky once you start messing with multiple DMZs.

  Also, access-lists are the way to go since conduits will be phased out in
  the near future.

  Allen
 




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=27320t=26684



Re: PIX conduit access lists [7:26684]

2001-11-25 Thread Patrick W. Bass

Allen May  wrote in message
news:[EMAIL PROTECTED]...
 I'm not sure if this was answered or not, but a firewall always assumes a
 deny all at the end of the access-list for inbound.  Outbound is different
 since it allows all by default.


Remember this:  Higher security level to lower security level, implicitly
allowed.  Lower security level to higher security level, implicitly denied.
Otherwise it gets tricky once you start messing with multiple DMZs.

 Also, access-lists are the way to go since conduits will be phased out in
 the near future.

 Allen





Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=27293t=26684



PIX conduit access lists [7:26684]

2001-11-19 Thread Steve Alston

Does the PIX 506 require an explicit deny statement after setting up a
permit conduit or access list.

I appear to be receiving more traffic (e.g. NTP) than my conduit statements
allow.

Thanks much,
Steve




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=26684t=26684



Re: PIX conduit access lists [7:26684]

2001-11-19 Thread Carroll Kong

Implicit denies behind every access-list are inserted.  Are you
mixing conduits and access-lists?  You really should not.  Use ALL conduits
or ALL access-lists.  If both are used, conduits take priority and override
your access-lists.  Access-lists are first match, conduits are any match.

At 09:24 AM 11/19/01 -0500, Steve Alston wrote:
Does the PIX 506 require an explicit deny statement after setting up a
permit conduit or access list.

I appear to be receiving more traffic (e.g. NTP) than my conduit statements
allow.

Thanks much,
Steve
-Carroll Kong




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=26694t=26684
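Patrick's security-level rule and Carroll's point that an access-list is evaluated top-down, first match wins, with an implicit deny after the last line, fit in a few lines of code. The Python below is an added example for this page, not PIX software and not code from any poster; the class names and the documentation-range addresses are this example's own. It goes one step past the thread's own cases to show the caveat that matters when following Allen's "(apply one to interface inside for outbound)": once an access-group is bound to an interface, the implicit permit for higher-to-lower traffic entering that interface is replaced by the list's implicit deny, so a list holding only an ICMP permit would cut off all other outbound traffic unless it ends with `permit ip any any`.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

# A packet as the model sees it: (src, dst, proto, dport); proto is "tcp"/"udp"/"icmp".
Packet = Tuple[str, str, str, Optional[int]]


class Ace:
    """One access-list entry, e.g. permit tcp any host 192.0.2.10 eq 80.
    src/dst take "any", a host address or a CIDR network."""

    def __init__(self, action: str, proto: str, src: str, dst: str,
                 dport: Optional[int] = None):
        self.action, self.proto, self.dport = action, proto, dport
        self.src = ipaddress.ip_network("0.0.0.0/0" if src == "any" else src)
        self.dst = ipaddress.ip_network("0.0.0.0/0" if dst == "any" else dst)

    def matches(self, pkt: Packet) -> bool:
        src, dst, proto, dport = pkt
        if self.proto != "ip" and self.proto != proto:   # "ip" matches every protocol
            return False
        if self.dport is not None and self.dport != dport:
            return False
        return ipaddress.ip_address(src) in self.src and ipaddress.ip_address(dst) in self.dst


class Pix:
    """Toy PIX policy: per-interface security levels plus optional bound access-lists."""

    def __init__(self, levels: Dict[str, int]):
        self.levels = levels                      # interface name -> security level
        self.groups: Dict[str, List[Ace]] = {}    # interface name -> list bound with access-group

    def access_group(self, iface: str, aces: List[Ace]) -> None:
        """Bind an access-list to traffic entering `iface` (access-group ... in interface)."""
        self.groups[iface] = aces

    def decide(self, pkt: Packet, ingress: str, egress: str) -> Tuple[bool, str]:
        acl = self.groups.get(ingress)
        if acl is not None:
            for n, ace in enumerate(acl, 1):      # top-down, first match wins
                if ace.matches(pkt):
                    return ace.action == "permit", f"matched line {n} ({ace.action})"
            return False, "implicit deny at end of access-list"
        if self.levels[ingress] > self.levels[egress]:
            return True, "higher->lower security, implicitly permitted"
        return False, "lower->higher security, implicitly denied"


def scenarios() -> Dict[str, bool]:
    """Constructed cases using RFC 5737 documentation addresses."""
    levels = {"inside": 100, "dmz": 50, "outside": 0}
    web = ("198.51.100.7", "192.0.2.10", "tcp", 80)       # outside -> dmz web server
    ssh = ("198.51.100.7", "192.0.2.10", "tcp", 22)
    surf = ("10.1.1.5", "198.51.100.7", "tcp", 80)        # inside -> outside
    dmz_to_inside = ("192.0.2.10", "10.1.1.5", "tcp", 445)

    bare = Pix(levels)                                    # no access-groups bound
    r = {
        "no_acl_inside_to_outside": bare.decide(surf, "inside", "outside")[0],
        "no_acl_outside_to_dmz": bare.decide(web, "outside", "dmz")[0],
        "no_acl_dmz_to_inside": bare.decide(dmz_to_inside, "dmz", "inside")[0],
    }

    # Inbound list made only of permits: the implicit deny covers everything else,
    # and the explicit deny on line 2 is never reached because line 1 matched first.
    inbound = Pix(levels)
    inbound.access_group("outside", [
        Ace("permit", "tcp", "any", "192.0.2.10", 80),
        Ace("deny", "tcp", "any", "192.0.2.10", 80),
    ])
    r["acl_outside_web_to_dmz"] = inbound.decide(web, "outside", "dmz")[0]
    r["acl_outside_ssh_to_dmz"] = inbound.decide(ssh, "outside", "dmz")[0]

    # Caveat: binding a list to `inside` removes that interface's implicit permit.
    strict = Pix(levels)
    strict.access_group("inside", [Ace("permit", "icmp", "any", "any")])
    r["inside_icmp_only_acl_blocks_web"] = not strict.decide(surf, "inside", "outside")[0]
    strict.access_group("inside", [Ace("permit", "icmp", "any", "any"),
                                   Ace("permit", "ip", "any", "any")])
    r["inside_acl_with_permit_ip_allows_web"] = strict.decide(surf, "inside", "outside")[0]
    return r


if __name__ == "__main__":
    for name, verdict in scenarios().items():
        print(f"{name}: {verdict}")
```

The `decide` reason string is what you would want `show access-list` hit counts or a syslog to tell you in practice: whether a packet was handled by a list line, by the list's implicit deny, or by the security-level default because nothing was bound to the ingress interface.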



Re: PIX conduit access lists [7:26684]

2001-11-19 Thread Steve Alston

Carroll,
  Thanks for the reply.  I'm using conduits now, but will switch to access
lists in the future.  (I'd like to fully understand the configuration I
inherited before I start making changes)  Are implicit denies inserted behind
each conduit as well?


Carroll Kong wrote in message news:[EMAIL PROTECTED]...
 Implicit denies behind every access-list are inserted.  Are you
 mixing conduits and access-lists?  You really should not.  Use ALL
 conduits or ALL access-lists.  If both are used, conduits take priority
 and override your access-lists.  Access-lists are first match, conduits
 are any match.

 -Carroll Kong




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=26700t=26684



Re: PIX conduit access lists [7:26684]

2001-11-19 Thread Carroll Kong

I believe so.

At 10:25 AM 11/19/01 -0500, Steve Alston wrote:
Carroll,
   Thanks for the reply.  I'm using conduits now, but will switch to access
lists in the future.  (I'd like to fully understand the configuration I
inherited before I start making changes)  Are implicit denies inserted behind
each conduit as well?


-Carroll Kong




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=26705t=26684