Full Disclosure mailing list archives

Previous By Date Next
Previous By Thread Next

Re: PIX vs CheckPoint

From: Simon Burr <simes () bpfh net>
Date: Wed, 30 Jun 2004 03:02:25 +0100
On Tue, Jun 29, 2004 at 04:57:42PM -0700, Gary E. Miller wrote:

I agree, except for one small problem.  Don't you still have to delete
ALL the filter rules, and reenter them ALL to change the order of the
rules? last I checked there was no "insert before", "insert at top" sort
of options.  Just "insert at end".


This isn't true for version 6.3 of the PIX software; there is the line
argument to the access-list command. Thus if you have the following ACL:

  access-list test permit tcp any any eq 1
  access-list test permit tcp any any eq 2

And want to insert an ACE between the two you can use:

  access-list test line 2 permit tcp any any eq 3

And the resulting ACL will look like the following:

  # show access-list test
  access-list test; 3 elements
  access-list test line 1 permit tcp any any eq 1 (hitcnt=0) 
  access-list test line 2 permit tcp any any eq 3 (hitcnt=0) 
  access-list test line 3 permit tcp any any eq 2 (hitcnt=0) 
  #

Have a read of the docs at for the access-list command in 6.3 of the
PIX software at the following location:
  http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/cmdref/ab.htm#wp1067755

The other thing to do is to make use of object groups which allow you to
do things like:

  object-group service web tcp
    port-object eq http
  object-group dmz_hosts
    network-object 192.168.0.0 255.255.255.0
  object-group web_srv
    network-object host 10.0.1.1
    network-object host 10.0.1.2
  access-list inbound permit tcp object-group dmz_hosts object-group web_src object-group web

Which results in the ACL actually being:

  access-list inbound permit tcp 192.168.0.0 255.255.255.0 host 10.0.1.1 eq http
  access-list inbound permit tcp 192.168.0.0 255.255.255.0 host 10.0.1.2 eq http

Whilst it does look a little silly to use 8 lines where 2 would do you can edit
the object-group, removing and adding entries as required. The only restriction
is that once an object-group is in use by an ACL, it can not be empty. Thus say
you wanted to add permission for HTTPS for all web servers, all you'd need to
do would be to enter the following in configuration mode:

  object-group server web tcp
    port-object eq https
  exit

And the ACL would automatically be updated to reflect this, looking like:

  access-list inbound permit tcp 192.168.0.0 255.255.255.0 host 10.0.1.1 eq http
  access-list inbound permit tcp 192.168.0.0 255.255.255.0 host 10.0.1.1 eq https
  access-list inbound permit tcp 192.168.0.0 255.255.255.0 host 10.0.1.2 eq http
  access-list inbound permit tcp 192.168.0.0 255.255.255.0 host 10.0.1.2 eq https

Naturally the same can be done with the dmz_hosts and web_srv object groups as
well. You can read more information on how object grouping works here:
  http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/config/mngacl.htm#1024374
Object groups are available in version 6.2 and later of the PIX software.


-- 
    Simon the stressed        http://www.bpfh.net/           simes () bpfh net
                 Chocolate is *not* a substitute for sleep

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
Previous By Date Next
Previous By Thread Next

Current thread: