Greetings,

I think you misunderstand one of the basics of firewall configuration...

Your basic typical firewall has a trusted and an untrusted interface.  The
trusted is internal, the untrusted is external. If you open port 80 on the
external interface, then people outside can initiate traffic through the
firewall on that port... unless you are running a specific service (like a
web server) on that port, allowing that kind of access is not a good idea.

Try allowing internal -> external traffic.  If you want your users only to
access websites, restrict that to http. Deny all external -> internal. As
simple as that. Of course, it gets more complicated if the firewall is
performing NAT, and external IPs are being specifically forwarded to
internal machines, etc.

Try the following for more information

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_61/config/bafwcfg.htm


Also, when you go to visit a web page from your machine, it doesn't open
port 80 on the local machine, it opens a random port to initiate the
connection to port 80 on the remote IP... an example from running netstat on
my machine here at work...

  Proto  Local Address      Foreign Address        State
  TCP    rbeckett:2059      www.cisco.com:80       LAST_ACK
  TCP    rbeckett:2078      www.google.com:80      ESTABLISHED
  TCP    rbeckett:2079      www.google.com:80      ESTABLISHED
  TCP    rbeckett:2080      www.cisco.com:80       ESTABLISHED
  TCP    rbeckett:2737      209.61.191.170:80      CLOSE_WAIT

As you notice, internal traffic originates on random ports... even though
all traffic goes to port 80 on the remote machine... if you only allow
traffic on port 80, all my requests would have been blocked.

Paul Devisser

----- Original Message -----
From: "Vincent DiCarlore" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Thursday, June 13, 2002 11:36 AM
Subject: Firewall Question


>
> Hi all,
>
> I have some questions below:
>
> 1. Is PIX firewall a proxy server? If I want to allow internal network to
> access Internet, besides opening port 80 at the access list from internal
> interface going, do I need to open the port 80 from external interface? If
> no, why? Is it because it is a proxy server?
>
> 2. In the case of Cisco router, what should I do in order to allow Internet
> access from internal? It failed to access Internet when I just allow port 80
> opened in the access list of the internal interface. What port should I open
> in the external interface?

Just to reiterate a point.. only open ports on the external interface when
you are providing a service on that port... essentially it is a door
allowing people access to your network.

>
> Thank you very much for your information.
>
>
> Best Regards,
> Vincent DiCarlore


---
Outgoing mail is certified Virus Free.
Checked by AVG anti-virus system (http://www.grisoft.com).
Version: 6.0.368 / Virus Database: 204 - Release Date: 5/29/2002

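The point of the thread above, replayed in code. This is an added example, not code from either poster and not a PIX or IOS configuration: it models a two-interface packet filter and pushes a browser session shaped like the netstat output (ephemeral source port, destination port 80) through two policies. The first is the configuration the original poster tried, a stateless "permit destination port 80" rule on both interfaces, which lets the outbound SYN through but drops the server's reply because that reply is addressed to the client's ephemeral port. The second is the policy Paul describes: permit internal to external (optionally restricted to HTTP), deny external to internal except for replies to sessions the inside opened or for a service you have deliberately published. All hosts, ports and addresses are constructed for the illustration. A PIX does the session tracking itself; on a plain IOS access list you need something like the `established` keyword or a reflexive ACL to get the return traffic through.

```python
"""Why 'only allow port 80' on the external interface breaks outbound browsing.

Added example for the mailing-list thread above; the addressing, session
table and packets are constructed, not taken from the posts.
"""
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, Optional, Set, Tuple

# Constructed sample addressing (hypothetical, not from the original thread).
INSIDE_PREFIX = "10.0.0."          # trusted / internal network
INTERNAL_WEB = ("10.0.0.80", 80)   # an inside host that really runs a web server
CLIENT = "10.0.0.5"                # a browsing workstation on the inside
REMOTE_WEB = "203.0.113.10"        # a web site on the Internet
ATTACKER = "198.51.100.7"          # an outside host nobody on the inside talked to


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False   # first packet of a TCP connection
    ack: bool = False   # set on every packet after the initial SYN


def is_inside(ip: str) -> bool:
    return ip.startswith(INSIDE_PREFIX)


def naive_port80_filter(pkt: Packet) -> bool:
    """The original poster's attempt: 'permit tcp any any eq 80' everywhere.

    Only the destination port is inspected. The client's SYN to :80 passes,
    but the server's SYN/ACK is addressed to the client's ephemeral port
    (2078 in the netstat output), so it is dropped and the browser hangs.
    Worse, any outsider may initiate to port 80 on any inside machine.
    """
    return pkt.dport == 80


class StatefulFirewall:
    """Permit inside -> outside, deny outside -> inside, with two exceptions:
    return traffic of a session the inside opened, and services you publish
    on purpose (the 'door' into the network that the reply warns about)."""

    def __init__(self, outbound_ports: Optional[Set[int]] = None,
                 published: FrozenSet[Tuple[str, int]] = frozenset()):
        self.outbound_ports = outbound_ports   # None means any destination port
        self.published = published             # (inside_ip, port) pairs
        # session key: (inside_ip, inside_port, outside_ip, outside_port)
        self.sessions: Set[Tuple[str, int, str, int]] = set()

    def allow(self, pkt: Packet) -> bool:
        outbound = is_inside(pkt.src) and not is_inside(pkt.dst)
        inbound = not is_inside(pkt.src) and is_inside(pkt.dst)
        if outbound:
            if self.outbound_ports is not None and pkt.dport not in self.outbound_ports:
                return False                   # e.g. "users may only use http"
            if pkt.syn and not pkt.ack:        # remember who opened the connection
                self.sessions.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return True
        if inbound:
            if (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.sessions:
                return True                    # reply to a session we initiated
            if (pkt.dst, pkt.dport) in self.published:
                return True                    # a service we chose to expose
            return False                       # everything else from outside
        return False  # traffic that does not cross the firewall is not evaluated


def browse_session(policy: Callable[[Packet], bool]) -> Dict[str, bool]:
    """Replay one HTTP fetch plus two unsolicited inbound SYNs, in order."""
    syn = Packet(CLIENT, 2078, REMOTE_WEB, 80, syn=True)
    syn_ack = Packet(REMOTE_WEB, 80, CLIENT, 2078, syn=True, ack=True)
    probe = Packet(ATTACKER, 40000, CLIENT, 80, syn=True)           # nobody asked
    to_public = Packet(ATTACKER, 40001, INTERNAL_WEB[0], 80, syn=True)
    return {
        "client_syn_out": policy(syn),
        "server_reply_in": policy(syn_ack),
        "unsolicited_probe_in": policy(probe),
        "syn_to_published_web": policy(to_public),
    }


def run_naive() -> Dict[str, bool]:
    return browse_session(naive_port80_filter)


def run_stateful(publish_web: bool = True) -> Dict[str, bool]:
    published = frozenset({INTERNAL_WEB}) if publish_web else frozenset()
    return browse_session(StatefulFirewall(outbound_ports={80}, published=published).allow)


def outbound_ssh_blocked() -> bool:
    """With outbound restricted to http, an inside SSH attempt is refused."""
    fw = StatefulFirewall(outbound_ports={80})
    return not fw.allow(Packet(CLIENT, 2100, REMOTE_WEB, 22, syn=True))


if __name__ == "__main__":
    print("naive dport==80 :", run_naive())
    print("stateful        :", run_stateful())
    print("no published svc:", run_stateful(publish_web=False))
```

Run it and compare the two result lines: under the naive filter the browser's SYN leaves but the reply never comes back, while the attacker's SYN to port 80 on the workstation is let in; under the stateful policy the reply is accepted because the firewall saw the inside open the session, the probe is dropped, and only the deliberately published web server remains reachable from outside.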