Firewall Wizards mailing list archives

PIX capabilities (Was Re: Comparisons of Firewall-1 vs. PIX)


From: lk-m-wizards () bigears solsoft com (Lorens Kockum)
Date: 1 Oct 1998 09:07:39 -0000

On firewall-wizards Mark Horn wrote:

> About the only commentary that I have about Cisco PIX is that there seems
> to be no way to specify source ports in the filter rules.
>
> IOW,
>
>         outbound 2 permit 10.1.1.0 255.255.255.0 53 tcp
>         apply inside 2 outgoing_src
>
> is the equivalent of the IOS list
>
>         access-list 2 permit tcp 10.1.1.0 0.0.0.255 any eq 53
>
> instead of
>
>         access-list 2 permit tcp 10.1.1.0 0.0.0.255 eq 53 any
>
> Please understand that I don't have any Cisco PIX boxes here in which to
> verify this.

The "apply" description is quite silent on that; but the
"providing outbound access control", page 2-17 of the 4.2 Users
Guide gives an example that confirms this.  I'm going to check,
of course, just for my peace of mind, because *I* do have a
PIX, and especially for the purpose of testing nasty little
almost-undocumented features like that, too.

If someone has some *good* documentation on the PIX, I'd be very
interested.

> I don't actually know if you can or can't do source port filtering.

As of 4.2(1), you can do source port filtering on *incoming*
connections (defined with static/conduit).  This was not
possible in 4.1.*. BTW, ability to distinguish different kinds
of ICMP only appeared in 4.1(6).

IOW, the conduit command permits source port specification, but
not the outbound command.

IMNSHO, that is just plain stupid, because outside source ports
should never be trusted, while trusting inside source ports
may be imperative (say you want all mail to pass through your
sendmail, but you have no machine without untrusted users).

Maybe in 4.2(2), seeing the speed of changes in PIX
functionality.  It's getting better and better.  What I want
before saying "it's good" is essentially the outbound command
getting all the parameters the conduit command has as of 4.2(1),
namely filtering on *both* source and destination IPs, source
and destination ports, ICMP ...

While I'm at it, I do have some miscellaneous questions, mostly
due to new things in 4.2(1).

Is there a way to specify logging for certain lines only?

What *exactly* does "the outbound commands are processed from
the most specific to the least specific" (Command reference
5-55, outbound/apply, PIX 4.2) mean?  If I have

        outbound permit 2 10.64.0.0 255.254.0.0 15-25
        outbound deny   2 10.64.0.0 255.254.0.0 25-35

which is the more specific for 10.64.5.5 wanting to access
port 25?

What about

        outbound permit 2 10.64.0.0 255.254.0.0 25
        outbound deny   2 10.64.0.0 255.253.0.0 25

(yes, that's a netmask with holes)?

Can you specify multiple access-lists in the same direction
on the same interface?  Because extensive use of the "except"
option seems to make it very necessary.

Is there any rational way to specify both source IP and
destination IP for outbound flows?  ("except", as I see it, is
not rational.)

Is there a way to clear all statics?  All conduits?  You can do
a "clear outbound", a "clear apply" ...

Thank you, Usenet Oracle ...

-- 
#include <std_disclaim.h>                          Lorens Kockum
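As an added example (not part of the thread and not Cisco code), here is a small Python model of the IOS access-list port placement and of the PIX outbound line as the thread reads it (the port is the destination port), plus a check of which 10.X.0.0 blocks the 255.254.0.0 and 255.253.0.0 masks from the questions above actually cover; the flows used are constructed.

```python
# Added example (not from the thread): a toy evaluator for the two rule
# syntaxes compared above, so the port-position and netmask-with-holes
# points can be checked against constructed flows.
import ipaddress

def _ip(s):
    return int(ipaddress.IPv4Address(s))

def mask_match(addr, network, mask):
    """PIX-style netmask: set bits are compared; cleared bits, including
    holes in the middle of the mask, are don't-care."""
    return (_ip(addr) & _ip(mask)) == (_ip(network) & _ip(mask))

def wildcard_match(addr, network, wildcard):
    """IOS-style wildcard: set bits are don't-care (inverse of a mask)."""
    return mask_match(addr, network, str(ipaddress.IPv4Address(0xFFFFFFFF ^ _ip(wildcard))))

def _addr(toks, i):  # 'any' or '<network> <wildcard>'
    if toks[i] == "any":
        return ("0.0.0.0", "255.255.255.255"), i + 1
    return (toks[i], toks[i + 1]), i + 2

def _port(toks, i):  # optional 'eq <port>'
    if i < len(toks) and toks[i] == "eq":
        return int(toks[i + 1]), i + 2
    return None, i

def ios_ace_matches(ace, src_ip, src_port, dst_ip, dst_port):
    """'access-list N permit tcp SRC WILD [eq P] DST WILD [eq P]': a port
    after the source spec is a source port, after the destination spec a
    destination port. Only 'eq' is handled."""
    toks = ace.split()
    (snet, swild), i = _addr(toks, 4)
    sport, i = _port(toks, i)
    (dnet, dwild), i = _addr(toks, i)
    dport, i = _port(toks, i)
    return (wildcard_match(src_ip, snet, swild) and wildcard_match(dst_ip, dnet, dwild)
            and sport in (None, src_port) and dport in (None, dst_port))

def pix_outbound_matches(line, src_ip, src_port, dst_ip, dst_port):
    """'outbound N permit IP MASK PORT PROTO' as the thread reads it: IP/MASK
    is the inside source address, PORT is the destination port only."""
    _, _, _, net, mask, port, _ = line.split()
    return mask_match(src_ip, net, mask) and int(port) == dst_port

def matched_second_octets(network, mask):
    """Which 10.X.0.0 blocks a (possibly holed) mask covers."""
    return [x for x in range(256) if mask_match(f"10.{x}.0.0", network, mask)]
```

Run against a constructed client flow 10.1.1.5:1025 -> 192.0.2.10:53, the outbound line and the first IOS list match while the second (source port 53) does not; the two masks cover 10.64/10.65 and 10.64/10.66 respectively, so neither rule set is a subset of the other.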