Firewall Wizards mailing list archives
RE: PIX question
From: "Bruce Smith" <bruce_the_loon () worldonline co za>
Date: Tue, 14 Mar 2006 07:23:05 +0200
Hi Brian,

You answered your own question at the end. When using ACLs instead of conduits, there is an implicit deny any any on all interfaces. You have to add an explicit access-list DMZ2-in permit tcp access host mailserver any eq 25 to get email flowing out.

On our firewall, we have a single DMZ with mail and web servers and had to team deny inside network rules with permit internet rules to overcome the default deny any any. With PIX 7, we have in and out ACLs on each interface, not just in ACLs, and we're restructuring based on that.

Regards,
Bruce Smith

-----Original Message-----
From: firewall-wizards-admin () honor icsalabs com [mailto:firewall-wizards-admin () honor icsalabs com] On Behalf Of Brian Loe
Sent: Friday, March 10, 2006 11:42 PM
To: firewall-wizards () honor icsalabs com
Subject: [fw-wiz] PIX question

So, you have an internet-out ACL which ends with an any any on the inside interface. You have an internet-in ACL on the outside interface. You have a DMZ2-in ACL on the dmz2 interface. The inside interface is 100, dmz2 is 10 (as is dmz1) and the outside interface is 0.

You have an smtp box on dmz2. You have rules in dmz2-in allowing the smtp box to talk to boxes on the internal network. The smtp box can NOT talk to anything on the internet - gets denied by dmz2-in ACL. Add an any any rule for that host in dmz2-in and it works.

Question: Why would the inbound ACL on dmz2 prevent it from sending traffic to the outside interface with a lower security setting? Does an ACL applied to a dmz interface have an implied deny all - even for lower security interfaces?

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
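The behaviour the thread describes, as an added model that is not part of the original messages: without an ACL bound to the dmz2 interface the security levels (100/10/0) decide, but once DMZ2-in is applied its first-match evaluation and implicit deny take over, so the SMTP host is cut off from the internet until an explicit permit exists, and Bruce's deny-inside-before-permit-any ordering keeps that permit from opening the inside network. Addresses, networks and rule contents are constructed assumptions.

```python
import ipaddress

def _match(addr, target):
    """ACL target is 'any', a host (/32) or a network in CIDR form."""
    return target == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(target)

def evaluate_acl(acl, src, dst, dport):
    """First-match evaluation of an interface ACL. Falling off the end hits the
    implicit 'deny any any' that every applied PIX ACL carries."""
    for action, src_t, dst_t, port in acl:
        if _match(src, src_t) and _match(dst, dst_t) and port in (None, dport):
            return action == "permit"
    return False  # implicit deny

def permitted(acl, src_level, dst_level, src, dst, dport):
    """Model of PIX forwarding: with no ACL on the ingress interface, the
    security levels decide (higher -> lower is allowed); once an ACL is bound
    to that interface it alone decides and the level comparison grants nothing."""
    if acl is None:
        return src_level > dst_level
    return evaluate_acl(acl, src, dst, dport)

# Constructed addresses and levels for the thread's topology (assumptions).
INSIDE, DMZ2, OUTSIDE = 100, 10, 0
MAILSERVER = "192.0.2.25"      # SMTP box on dmz2
INTERNAL_SMTP = "10.0.0.10"    # internal host it is allowed to relay to
INSIDE_NET = "10.0.0.0/24"
INTERNET_MX = "203.0.113.5"    # some remote mail exchanger

# Brian's situation: only the permit toward the internal host exists.
DMZ2_IN_ORIGINAL = [
    ("permit", MAILSERVER + "/32", INTERNAL_SMTP + "/32", 25),
]
# Bruce's fix: deny the inside network first, then permit mail to anywhere.
DMZ2_IN_FIXED = [
    ("permit", MAILSERVER + "/32", INTERNAL_SMTP + "/32", 25),
    ("deny", MAILSERVER + "/32", INSIDE_NET, None),   # None = any port
    ("permit", MAILSERVER + "/32", "any", 25),
]

if __name__ == "__main__":
    print("no ACL, dmz2->outside:", permitted(None, DMZ2, OUTSIDE, MAILSERVER, INTERNET_MX, 25))
    print("original ACL:", permitted(DMZ2_IN_ORIGINAL, DMZ2, OUTSIDE, MAILSERVER, INTERNET_MX, 25))
    print("fixed ACL:", permitted(DMZ2_IN_FIXED, DMZ2, OUTSIDE, MAILSERVER, INTERNET_MX, 25))
```

Swapping the last two rules of DMZ2_IN_FIXED would let the SMTP host reach port 25 on every inside address, which is why the deny has to come first.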
Current thread:
- PIX question Brian Loe (Mar 13)
- RE: PIX question Bruce Smith (Mar 14)
- Re: PIX question Avishai Wool (Mar 14)
- Re: PIX question david_harris (Mar 15)
- <Possible follow-ups>
- RE: PIX question Martijn Berlage (Mar 14)