Full Disclosure mailing list archives
Re: PIX vs CheckPoint
From: Simon Burr <simes () bpfh net>
Date: Wed, 30 Jun 2004 03:02:25 +0100
On Tue, Jun 29, 2004 at 04:57:42PM -0700, Gary E. Miller wrote:
> I agree, except for one small problem. Don't you still have to delete ALL
> the filter rules, and reenter them ALL to change the order of the rules?
> Last I checked there was no "insert before", "insert at top" sort of
> options. Just "insert at end".
This isn't true for version 6.3 of the PIX software; there is the line argument to the access-list command. Thus if you have the following ACL:

    access-list test permit tcp any any eq 1
    access-list test permit tcp any any eq 2

and want to insert an ACE between the two, you can use:

    access-list test line 2 permit tcp any any eq 3

and the resulting ACL will look like the following:

    # show access-list test
    access-list test; 3 elements
    access-list test line 1 permit tcp any any eq 1 (hitcnt=0)
    access-list test line 2 permit tcp any any eq 3 (hitcnt=0)
    access-list test line 3 permit tcp any any eq 2 (hitcnt=0)
    #

Have a read of the docs for the access-list command in 6.3 of the PIX software at the following location:

    http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/cmdref/ab.htm#wp1067755

The other thing to do is to make use of object groups, which allow you to do things like:

    object-group service web tcp
      port-object eq http
    object-group network dmz_hosts
      network-object 192.168.0.0 255.255.255.0
    object-group network web_srv
      network-object host 10.0.1.1
      network-object host 10.0.1.2
    access-list inbound permit tcp object-group dmz_hosts object-group web_srv object-group web

which results in the ACL actually being:

    access-list inbound permit tcp 192.168.0.0 255.255.255.0 host 10.0.1.1 eq http
    access-list inbound permit tcp 192.168.0.0 255.255.255.0 host 10.0.1.2 eq http

Whilst it does look a little silly to use 8 lines where 2 would do, you can edit the object-group, removing and adding entries as required. The only restriction is that once an object-group is in use by an ACL, it cannot be empty.

Thus, say you wanted to add permission for HTTPS for all web servers, all you'd need to do would be to enter the following in configuration mode:

    object-group service web tcp
      port-object eq https
      exit

and the ACL would automatically be updated to reflect this, looking like:

    access-list inbound permit tcp 192.168.0.0 255.255.255.0 host 10.0.1.1 eq http
    access-list inbound permit tcp 192.168.0.0 255.255.255.0 host 10.0.1.1 eq https
    access-list inbound permit tcp 192.168.0.0 255.255.255.0 host 10.0.1.2 eq http
    access-list inbound permit tcp 192.168.0.0 255.255.255.0 host 10.0.1.2 eq https

Naturally the same can be done with the dmz_hosts and web_srv object groups as well. You can read more information on how object grouping works here:

    http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/config/mngacl.htm#1024374

Object groups are available in version 6.2 and later of the PIX software.

-- 
Simon the stressed                                      http://www.bpfh.net/
simes () bpfh net                  Chocolate is *not* a substitute for sleep

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
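As an added example (not code from Simon's message or from Cisco), the Python below models the two behaviours the message describes: "line N" insertion into an ACL, and the expansion of an ACE that references object groups into the explicit ACEs that "show access-list" displays, including the rule that a group referenced by an ACL may not be empty. The parser is a constructed approximation of the PIX 6.3 syntax: it assumes the full "object-group network NAME" / "object-group service NAME tcp" forms and only the address and port keywords used here, and the two configs embedded in it are constructed to match the ones in the message. Nothing in it claims to be how PIX itself is implemented.

```python
"""PIX 6.3 ACL model: 'line N' insertion and object-group expansion. Added example, not
code from the original post or from Cisco; a constructed approximation of the syntax."""
import itertools

# Constructed configs matching the message ('network'/'service' keywords spelled out).
SAMPLE_CONFIG = """\
object-group service web tcp
 port-object eq http
 port-object eq https
object-group network dmz_hosts
 network-object 192.168.0.0 255.255.255.0
object-group network web_srv
 network-object host 10.0.1.1
 network-object host 10.0.1.2
access-list inbound permit tcp object-group dmz_hosts object-group web_srv object-group web
"""
LINE_INSERT_CONFIG = """\
access-list test permit tcp any any eq 1
access-list test permit tcp any any eq 2
access-list test line 2 permit tcp any any eq 3
"""

def insert_line(acl, line_no, ace):
    """'access-list NAME line N ...': the new ACE becomes line N (1-based), the rest shift down."""
    if not 1 <= line_no <= len(acl) + 1:
        raise ValueError(f"line {line_no} out of range for ACL with {len(acl)} elements")
    acl.insert(line_no - 1, ace)

def parse_config(text):
    """Return (networks, services, acls): groups map name -> members, acls map name -> ACE token lists."""
    networks, services, acls, current = {}, {}, {}, None
    for raw in text.splitlines():
        tok = raw.split()
        if not tok or tok[0].startswith("!"):
            continue
        if tok[0] == "object-group":              # 'object-group network NAME' / 'object-group service NAME tcp'
            current = (networks if tok[1] == "network" else services).setdefault(tok[2], [])
        elif tok[0] in ("network-object", "port-object"):
            current.append(" ".join(tok[1:]))     # 'host 10.0.1.1', 'NET MASK', 'eq http'
        elif tok[0] == "access-list":
            acl = acls.setdefault(tok[1], [])
            if tok[2] == "line":
                insert_line(acl, int(tok[3]), tok[4:])
            else:
                acl.append(tok[2:])
    return networks, services, acls

def _group(table, name, kind):
    members = table.get(name)
    if members is None:
        raise ValueError(f"undefined {kind} object-group {name!r}")
    if not members:                               # PIX refuses an empty group once an ACL references it
        raise ValueError(f"{kind} object-group {name!r} is empty")
    return members

def _take_addr(rest, networks):
    if rest[0] == "object-group":
        return _group(networks, rest[1], "network"), rest[2:]
    if rest[0] in ("any", "host"):
        n = 1 if rest[0] == "any" else 2
        return [" ".join(rest[:n])], rest[n:]
    return [" ".join(rest[:2])], rest[2:]          # NET MASK

def _take_port(rest, services):
    if rest and rest[0] == "object-group" and rest[1] in services:
        return _group(services, rest[1], "service"), rest[2:]
    if rest and rest[0] in ("eq", "neq", "lt", "gt", "range"):
        n = 3 if rest[0] == "range" else 2
        return [" ".join(rest[:n])], rest[n:]
    return [""], rest                             # no port qualifier at this position

def expand_ace(tokens, networks, services):
    """Expand one ACE (tokens after the ACL name) into the explicit ACEs 'show access-list' displays."""
    action, proto, rest = tokens[0], tokens[1], tokens[2:]
    srcs, rest = _take_addr(rest, networks)
    sports, rest = _take_port(rest, services)
    dsts, rest = _take_addr(rest, networks)
    dports, rest = _take_port(rest, services)
    # Destination hosts vary slower than destination ports, the order the message shows.
    return [" ".join(p for p in (action, proto, s, sp, d, dp, *rest) if p)
            for s, sp, d, dp in itertools.product(srcs, sports, dsts, dports)]

def expand_acls(text):
    """Return {acl_name: [explicit ACE bodies, in line order]}."""
    networks, services, acls = parse_config(text)
    return {name: [b for tokens in aces for b in expand_ace(tokens, networks, services)]
            for name, aces in acls.items()}

def lint_config(text):
    """Return the group errors PIX would reject (undefined or empty), [] if the config expands cleanly."""
    try:
        expand_acls(text)
    except ValueError as err:
        return [str(err)]
    return []

if __name__ == "__main__":
    for cfg in (LINE_INSERT_CONFIG, SAMPLE_CONFIG):
        for name, bodies in expand_acls(cfg).items():
            print(f"access-list {name}; {len(bodies)} elements")
            for n, body in enumerate(bodies, 1):
                print(f"access-list {name} line {n} {body} (hitcnt=0)")
```

Run stand-alone it prints both ACLs with line numbers in the layout of "show access-list"; the point of the expansion is that one object-group ACE costs one explicit ACE per member combination (here 1 source x 2 hosts x 2 ports = 4), so rule counts grow multiplicatively as groups are edited. lint_config is the pre-check to run before pushing script-generated object groups, since an undefined or emptied group is exactly what the device will refuse.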
Current thread:
- RE: PIX vs CheckPoint, (continued)
- RE: PIX vs CheckPoint James Patterson Wicks (Jun 29)
- RE: PIX vs CheckPoint Eric Paynter (Jun 29)
- RE: PIX vs CheckPoint Gary E. Miller (Jun 29)
- Re: PIX vs CheckPoint John Kinsella (Jun 29)
- Re: PIX vs CheckPoint Eric Paynter (Jun 29)
- RE: PIX vs CheckPoint Tom Curry (Jun 29)
- Re: PIX vs CheckPoint Gary E. Miller (Jun 29)
- Re: PIX vs CheckPoint Eric Paynter (Jun 29)
- Re: PIX vs CheckPoint Jeff Kell (Jun 29)
- Re: PIX vs CheckPoint Matt Ostiguy (Jun 29)
- Re: PIX vs CheckPoint Simon Burr (Jun 29)
- RE: PIX vs CheckPoint Eric Paynter (Jun 29)
- RE: PIX vs CheckPoint James Patterson Wicks (Jun 29)
- RE: PIX vs CheckPoint; IMHO Netscreen is far superior Edward W. Ray (Jun 29)
- RE: PIX vs CheckPoint; IMHO Netscreen is far superior Gary E. Miller (Jun 29)
- Re: PIX vs CheckPoint Jim Burwell (Jun 30)
- Re: PIX vs CheckPoint Cyril Guibourg (Jun 30)
- Re: PIX vs CheckPoint Ben Nelson (Jun 30)