Re: PIX question

["Avishai Wool" <avishai.wool () gmail com>]

On 3/10/06, Brian Loe <knobdy () gmail com> wrote:
> So, you have an internet-out ACL which ends with an any any on the
> inside interface.
> You have an internet-in ACL on the outside interface.
> You have a DMZ2-in ACL on the dmz2 interface.
>
> The inside interface is 100, dmz2 is 10 (as is dmz1) and the outside
> interface is 0.
>
> You have an smtp box on dmz2. You have rules in dmz2-in allowing the
> smtp box to talk to boxes on the internal network. The smtp box can
> NOT talk to anything on the internet - gets denied by dmz2-in ACL. Add
> an any any rule for that host in dmz2-in and it works.
>
> Question: Why would the inbound ACL on dmz2 prevent it from sending
> traffic to the outside interface with a lower security setting? Does
> an ACL applied to a dmz interface have an implied deny all - even for
> lower security interfaces?

yes it does. Once you put an ACL on an interface then you create
a (sensible) default "deny all" on that interface - regardless of
security levels.
the (unfortunate) default "permit" from high-to-low only happens if you
have no ACLs on the interface or if you're still using the (old, brain-dead)
"conduit" and "outbound" commands.

the security level still matters for your choice of address translation
commands: "static" for low-to-high traffic, and "global"+"nat" for
high-to-low traffic.

HTH,
  Avishai
> _______________________________________________
> firewall-wizards mailing list
> firewall-wizards () honor icsalabs com
> http://honor.icsalabs.com/mailman/listinfo/firewall-wizards


--
Avishai Wool, Ph.D.,
Chief Technical Officer,       Algorithmic Security Inc.
                  http://www.algosec.com
*******    Making your firewalls really safe    *******
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards