Not a stupid question at all. The default configuration will let DNS queries pass, yes. However, if you use the default config, you might as well put your PIX back in the box, return it, and get your 15k back.

You need to create access lists to DENY EVERYTHING first. Then add access-lists for the traffic you want to allow. For example, if you want to enable web traffic you need to create access-lists to allow UDP domain queries, and another access-list to allow web (eq www) queries. Now if you have devices in your DMZ and/or are running NAT it gets slightly more complicated, but not much.

cheers..
Marc..

Date: Wed, 9 Jan 2002 10:32:19 -0200 (BRST)
From: Edson Yamada <[EMAIL PROTECTED]>
To: lista fw <[EMAIL PROTECTED]>
Subject: Stateful inspection on PIX

Hello again,

Sorry if this is a stupid question. I've been reading the PIX docs and it's written that PIX is stateful. Let's suppose that a host (behind the internal interface) queries a DNS server that is located behind an outside interface. By default, all traffic that comes from the inside interface to the outside is allowed, so the query passes through the firewall, right? What about the answer? As PIX is stateful, does this mean that the answer for this specific query is allowed? If not, do I have to apply an access list to allow the answers?

Thanks

_______________________________________________
Firewalls mailing list
[EMAIL PROTECTED]
http://lists.gnac.net/mailman/listinfo/firewalls
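As an added example (not taken from either post), here is how the permit-what-you-need, deny-the-rest policy Marc describes looks as PIX 6.x configuration; the inside network 192.168.1.0/24, the access-list name inside_out and the nat/global id are assumptions. PIX evaluates access-list entries top-down with first match winning, so the explicit deny is placed after the permits, and the DNS and HTTP replies need no entry of their own because the PIX tracks each outbound session in its connection table.

```cisco
! Added example, not from the original posts. Assumes PIX 6.x syntax,
! an inside network of 192.168.1.0/24 (constructed) and interface
! names "inside" and "outside".
!
! Translate inside hosts to the outside interface address (required
! for traffic to cross the PIX at all, before any access-list applies).
nat (inside) 1 192.168.1.0 255.255.255.0
global (outside) 1 interface
!
! Outbound policy: permit only what is needed, then deny the rest.
! Note: PIX access-lists take subnet masks, not IOS-style wildcard masks.
access-list inside_out permit udp 192.168.1.0 255.255.255.0 any eq domain
access-list inside_out permit tcp 192.168.1.0 255.255.255.0 any eq www
! Entries are matched top-down; the explicit deny must come last or
! it would shadow the permits above it.
access-list inside_out deny ip any any
!
! Apply the list to traffic entering the PIX on the inside interface.
! Replies to the permitted DNS and HTTP sessions return through the
! stateful connection table, so no access-list is needed on outside.
access-group inside_out in interface inside
```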
