Full Disclosure mailing list archives

Re: PIX vs CheckPoint


From: "Eric Paynter" <eric () arcticbears com>
Date: Tue, 29 Jun 2004 18:27:38 -0700 (PDT)

On Tue, June 29, 2004 4:57 pm, Gary E. Miller said:
> I agree, except for one small problem.  Don't you still have to delete
> ALL the filter rules, and reenter them ALL to change the order of the
> rules?

I don't administer the PIX boxes, so I don't know the details of the
interface. My statements were based on what the admins told me. However,
isn't the beauty of any CLI app that you can do all your administration
through simple scripts?

Personally, I use iptables firewalls. With iptables, my "config" file is
really the script that loads the rules. When I make a change to the rules,
it is to add/alter/remove a line from that script. The script is executed
on boot and after any changes. I would assume the same is standard
practice for PIX.

The other benefit of a scripted config is you can test it on another
machine, and once you're sure you've got it right, you can copy the script
over to the production machine. Reduces errors.

You're not entering rules by hand into a production firewall, are you?
:shock:

-Eric
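
A script in the spirit of the scripted-config practice Eric describes, added here as an example and not part of the original post or any project's code: the ordered rule list is the "config", the full ruleset is rebuilt in iptables-restore format on every run, checked on a staging host with `iptables-restore --test`, and applied atomically on production. The addresses and ports are constructed, and the `--test` flag is assumed to be supported by the installed iptables version.

```shell
#!/bin/sh
# Ordered rule list: one rule per line, loaded in this order. Changing rule
# order means moving a line here; the whole table is rebuilt on every run, so
# no "delete everything and re-enter" step is ever done by hand.
# Addresses and ports below are constructed placeholders for the example.
RULES='
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 22 -s 192.0.2.10 -j ACCEPT
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -j LOG --log-prefix "INPUT-DROP: "
'

# Emit the complete ruleset in iptables-restore format: default-deny INPUT and
# FORWARD policies, then the ordered rules. Only prints; nothing is applied.
build_ruleset() {
    printf '*filter\n'
    printf ':INPUT DROP [0:0]\n:FORWARD DROP [0:0]\n:OUTPUT ACCEPT [0:0]\n'
    printf '%s\n' "$RULES" | sed '/^[[:space:]]*$/d'
    printf 'COMMIT\n'
}

# Parse-only check of the generated ruleset (run this on the test machine).
# Returns 0 if it parses, non-zero if it fails or iptables-restore is absent.
check_ruleset() {
    command -v iptables-restore >/dev/null 2>&1 || return 2
    build_ruleset | iptables-restore --test
}

# Apply atomically: iptables-restore replaces the whole table in one step, so
# there is no window where the firewall runs with a half-loaded ruleset.
apply_ruleset() {
    check_ruleset || return 1
    build_ruleset | iptables-restore
}

# Usage: sh firewall.sh            -> print the ruleset for review
#        sh firewall.sh check      -> parse-only validation (staging host)
#        sh firewall.sh apply      -> validate, then load (production, as root)
case "${1:-print}" in
    apply) apply_ruleset ;;
    check) check_ruleset ;;
    *)     build_ruleset ;;
esac
```

Because the rules live in one file and loading is idempotent, the same script can be run at boot and after every edit, which is the workflow described above.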

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
