Hey Tod,

Sorry to regurgitate the manual, but let's start by doing just that to clear up (as mud) 
how the security level thing works:

security_level---A value such as security40 or security60. You can choose any security level between 1 and 99 for a perimeter interface as long as it is not the same as the inside and outside interfaces. If you have four or more interfaces, it will be easier to code your configuration if you use the higher security level for the perimeter interface with the most hosts. When you access a higher security level interface from a lower security level interface, you use the static command.

If you are configuring PIX Firewall for the first time, the default security levels for perimeter interfaces start with security10 for pix/intf2 (the default name for the first perimeter interface), security15 for pix/intf3, security20 for pix/intf4, and security25 for pix/intf5. When you access a lower security interface from a higher security level interface, you use the nat command. By using the higher security level, hosts on that interface can access the other perimeter interface and the outside interface using the nat command.



>>> Todd a <[EMAIL PROTECTED]> 09/26/00 11:08AM >>>

Will the trust between interfaces prevent me from
successfully implementing a default "deny unless
explicitly allowed" outgoing policy?

   ++++ In a nutshell, "NO"; in fact this is the preferred method (unless you don't care 
what goes out, in which case having a firewall at all is a waste of money)  ++++

I think this default policy should be feasible.
I have been told otherwise by a consultant, and I
think he might be wrong.

+++ Here is an example of an outbound (default) policy that restricts outbound traffic 
to HTTP (tcp 80), SSL (tcp 443), FTP (tcp 21), a primary and secondary (external) 
DNS server (udp), and an external mail server (TCP 25)

No obviously if you have an internal

++ This also denies all ICMP (ping) responses, which in today's PING-SCAN happy internet 
is a good_thing

outbound   1 deny 0.0.0.0 0.0.0.0 0 ip
outbound   1 except 0.0.0.0 0.0.0.0 80 tcp
outbound   1 except 0.0.0.0 0.0.0.0 443 tcp
outbound   1 except 172.16.10.10 255.255.255.255 25 tcp
outbound   1 except 192.168.1.1 255.255.255.255 0 udp
outbound   1 except 192.168.1.2 255.255.255.255 0 udp
outbound   1 except 0.0.0.0 0.0.0.0 21 tcp

++ Now you MUST apply the ACL to the interface

apply (inside) 1 outgoing_src

++ This is assuming your inside interface is named "inside" using the 'nameif' command.


cheers.


Marc
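As an added illustration (editor's example, not part of Marc's or Todd's messages): a small Python model of what the outbound list above permits once it is applied with outgoing_src. It assumes the PIX semantics that a deny/permit entry's address is matched against the inside source while an except entry's address is matched against the destination, that port 0 means any port, and that protocol ip means any protocol; the addresses in the sample flows are constructed.

```python
import ipaddress

# Constructed transcription of list 1 from the message above, in the order written.
# Each entry: (action, address, netmask, port, protocol); port 0 = any, "ip" = any.
OUTBOUND_LIST = [
    ("deny",   "0.0.0.0",      "0.0.0.0",         0,   "ip"),
    ("except", "0.0.0.0",      "0.0.0.0",         80,  "tcp"),
    ("except", "0.0.0.0",      "0.0.0.0",         443, "tcp"),
    ("except", "172.16.10.10", "255.255.255.255", 25,  "tcp"),
    ("except", "192.168.1.1",  "255.255.255.255", 0,   "udp"),
    ("except", "192.168.1.2",  "255.255.255.255", 0,   "udp"),
    ("except", "0.0.0.0",      "0.0.0.0",         21,  "tcp"),
]


def _entry_matches(entry, addr, port, proto):
    """True if addr/port/proto fall inside the entry's address block, port and protocol."""
    _, e_addr, e_mask, e_port, e_proto = entry
    net = ipaddress.IPv4Network((e_addr, e_mask), strict=False)
    return (ipaddress.IPv4Address(addr) in net
            and (e_port == 0 or e_port == port)
            and (e_proto == "ip" or e_proto == proto))


def outbound_allowed(src, dst, port, proto):
    """Decide whether the flow src -> dst:port/proto may leave the inside interface.

    Assumed outgoing_src semantics: deny entries are checked against the inside
    SOURCE address; a denied flow is reopened only if an except entry matches the
    DESTINATION address with the same port and protocol.
    """
    denied = any(e[0] == "deny" and _entry_matches(e, src, port, proto)
                 for e in OUTBOUND_LIST)
    if not denied:
        return True
    return any(e[0] == "except" and _entry_matches(e, dst, port, proto)
               for e in OUTBOUND_LIST)


def policy_report(flows):
    """Map each (src, dst, port, proto) flow to its verdict, for reviewing a proposed list."""
    return {flow: outbound_allowed(*flow) for flow in flows}
```

Running constructed flows through it shows one thing worth tightening: the "0 udp" except entries let any UDP port, not only 53, reach the two DNS servers.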
