Firewall Wizards mailing list archives
PIX capabilities (Was Re: Comparisons of Firewall-1 vs. PIX)
From: lk-m-wizards () bigears solsoft com (Lorens Kockum)
Date: 1 Oct 1998 09:07:39 -0000
On firewall-wizards Mark Horn wrote:
> About the only commentary that I have about Cisco PIX is that there seems to be no way to specify source ports in the filter rules.
IOW,

    outbound 2 permit 10.1.1.0 255.255.255.0 53 tcp
    apply inside 2 outgoing_src

is the equivalent of the IOS list

    access-list 2 permit tcp 10.1.1.0 0.0.0.255 any eq 53

instead of

    access-list 2 permit tcp 10.1.1.0 0.0.0.255 eq 53 any
> Please understand that I don't have any Cisco PIX boxes here in which to verify this.
The "apply" description is quite silent on that; but the "providing outbound access control", page 2-17 of the 4.2 Users Guide gives an example that confirms this. I'm going to check, of course, just for my peace of mind, because *I* do have a PIX, and especially for the purpose of testing nasty little almost-undocumented features like that, too. If someone has some *good* documentation on the PIX, I'd be very interested.
> I don't actually know if you can or can't do source port filtering.
As of 4.2(1), you can do source port filtering on *incoming* connections (defined with static/conduit). This was not possible in 4.1.*. BTW, the ability to distinguish different kinds of ICMP only appeared in 4.1(6). IOW, the conduit command permits source port specification, but not the outbound command.

IMNSHO, that is just plain stupid, because outside source ports should never be trusted, while trusting inside source ports may be imperative (say you want all mail to pass through your sendmail, but you have no machine without untrusted users). Maybe in 4.2(2), seeing the speed of changes in PIX functionality. It's getting better and better. What I want before saying "it's good" is essentially the outbound command getting all the parameters the conduit command has as of 4.2(1), namely filtering on *both* source and destination IPs, source and destination ports, ICMP ...

While I'm at it, I do have some miscellaneous questions, mostly due to new things in 4.2(1).

Is there a way to specify logging for certain lines only?

What *exactly* does "the outbound commands are processed from the most specific to the least specific" (Command reference 5-55, outbound/apply, PIX 4.2) mean? If I have

    outbound permit 2 10.64.0.0 255.254.0.0 15-25
    outbound deny 2 10.64.0.0 255.254.0.0 25-35

which is the more specific for 10.64.5.5 wanting to access port 25? What about

    outbound permit 2 10.64.0.0 255.254.0.0 25
    outbound deny 2 10.64.0.0 255.253.0.0 25

(yes, that's a netmask with holes)?

Can you specify multiple access-lists in the same direction on the same interface? Because extensive use of the "except" option seems to make it very necessary.

Is there any rational way to specify both source IP and destination IP for outbound flows? ("except", as I see it, is not rational.)

Is there a way to clear all statics? All conduits? You can do a "clear outbound", a "clear apply" ...

Thank you Usenet Oracle ...

-- 
#include <std_disclaim.h>
Lorens Kockum
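As an added illustration of the equivalence stated in the post above (example code written for this archive page, not part of the thread and not Cisco's own software), the following Python matcher parses both the IOS extended access-list entries and the PIX outbound line and checks which constructed flows each one covers. It assumes the documented semantics only: an IOS wildcard mask marks "don't care" bits with 1s (so holed masks are handled), and the single port on a PIX outbound line is the destination port.

```python
import ipaddress

def _ip(s):
    return int(ipaddress.IPv4Address(s))

def _endpoint(tok, i):
    """Parse 'any' or 'addr wildcard', then an optional 'eq port'.
    Returns ((addr, wildcard), port_or_None, next_index)."""
    if tok[i] == "any":
        net, i = (0, 0xFFFFFFFF), i + 1
    else:  # IOS wildcard: 1 bits are don't-care, may contain holes
        net, i = (_ip(tok[i]), _ip(tok[i + 1])), i + 2
    port = None
    if i < len(tok) and tok[i] == "eq":
        port, i = int(tok[i + 1]), i + 2
    return net, port, i

def parse_ios_ace(line):
    """Parse one extended IOS ACE, e.g.
    'access-list 2 permit tcp 10.1.1.0 0.0.0.255 any eq 53'."""
    tok = line.split()
    a = next(k for k, t in enumerate(tok) if t in ("permit", "deny"))
    src, sport, i = _endpoint(tok, a + 2)
    dst, dport, _ = _endpoint(tok, i)
    return {"action": tok[a], "proto": tok[a + 1],
            "src": src, "sport": sport, "dst": dst, "dport": dport}

def pix_outbound_as_ace(line):
    """Translate 'outbound <n> permit <ip> <mask> <port> <proto>' into the same
    structure: the port is the DESTINATION port, any source port, any destination.
    Assumption: a single port and no 'except' clause."""
    _, _, action, ip, mask, port, proto = line.split()
    return {"action": action, "proto": proto,
            "src": (_ip(ip), _ip(mask) ^ 0xFFFFFFFF), "sport": None,
            "dst": (0, 0xFFFFFFFF), "dport": int(port)}

def _in(net, ip):
    addr, wild = net
    return (_ip(ip) | wild) == (addr | wild)  # compare only the non-wildcard bits

def matches(ace, src, sport, dst, dport):
    return (_in(ace["src"], src) and _in(ace["dst"], dst)
            and ace["sport"] in (None, sport) and ace["dport"] in (None, dport))

DEST53 = parse_ios_ace("access-list 2 permit tcp 10.1.1.0 0.0.0.255 any eq 53")
SRC53 = parse_ios_ace("access-list 2 permit tcp 10.1.1.0 0.0.0.255 eq 53 any")
PIX = pix_outbound_as_ace("outbound 2 permit 10.1.1.0 255.255.255.0 53 tcp")

if __name__ == "__main__":
    # constructed flows: an inside client querying DNS over TCP, and an inside
    # host sourcing from port 53 towards a web server
    for flow in [("10.1.1.7", 34567, "192.0.2.1", 53), ("10.1.1.7", 53, "192.0.2.1", 80)]:
        print(flow, "dest-port ACE:", matches(DEST53, *flow),
              "src-port ACE:", matches(SRC53, *flow), "PIX outbound:", matches(PIX, *flow))
```

Running it shows the PIX line and the `any eq 53` ACE covering exactly the same flows, while the `eq 53 any` ACE covers a different set (traffic sourced from port 53).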