Sorry for the long reply. I actually just posted this to the Yahoo PIX firewall group; I will cross-post since it has relevance here as well.
Preferred method depends on whose point of view you are talking about. For ACLs they are evaluated in a top-down fashion, first match wins (correct?). Conduits are evaluated individually, and that which is not permitted is denied. Therefore when making updates it is more difficult with ACLs, because you may need to remove all the ACLs above the new one, which may affect how the new statement is applied. This problem does not exist with Conduits (as far as I am aware). What are others' thoughts on how ACLs differ from conduits and their relative strengths/weaknesses? I still prefer Conduit statements myself. It is just a question of how long it will be before Cisco stops supporting them.

On a side note, your statement about traffic from a higher security level to a lower security level is only partially correct. While it is true that traffic will implicitly pass from an interface of higher security to lower, this is only the case in the absence of the Outbound/Apply statements.

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_61/cmd_ref/mr.htm#xtocid5

Once Outbound statements are created and applied to an interface, all traffic is passed which is explicitly permitted unless it is explicitly denied. There are some caveats to watch. A permit always wins in a tie. This becomes a problem with a statement such as

    Outbound 1 permit tcp 0 0 0

The above statement allows all tcp connections to all ports. Next we see

    Outbound 1 deny tcp 0 0 6699
    Outbound 1 permit tcp 0 0 0

You would expect this example to block Napster. In fact the designation of 0 specifies all ports; even though this is the case, it is still treated as a single port. When these rules are evaluated the end result is that all tcp traffic is allowed. How about

    Outbound 1 deny tcp 65.24.95.39 255.255.255.255 6699
    Outbound 1 permit tcp 0 0 0

In this case the IP address mask is considered more specific than 0, and access to tcp port 6699 for this host would effectively be blocked.
The recommended way to structure your Outbound list is

    Outbound 1 deny ip 0 0 0
    Outbound 1 permit tcp 0 0 80
    Outbound 1 permit tcp 0 0 443
    Outbound 1 permit tcp 0 0 21

The above statements block all connections first and then permit those protocols which you want to allow. When defining these lists multiple numbers may be used, and they are evaluated in a cascading fashion I believe; this can make following all the logic difficult at times. There are also exception statements to consider here, but I will leave that to the reader if it interests them. The above link provides a complete description of their use and includes some examples.

Back to the poster's original question: I find Conduit/Outbound/Apply statements more flexible, but I think ACLs provide an easier to understand ruleset with less possibility for holes.

On the subject of UPnP, I vote for pistols at 10 yds (can anyone say NetBEUI meets Plug and Pray?). They even note at the bottom of one of the articles that this may have scalability problems, "potentially bringing the network to its knees". Interestingly enough the NAT traversal is not mentioned much, and I did not want to join the forum to get the full details.

http://www.e-insite.net/ednmag/index.asp?layout=article&articleId=CA154802

Ken Claussen MCSE CCNA CCA
"In theory it should work as you describe, but the difference between theory and reality is the truth! For this we all strive"

-----Original Message-----
From: Matt Thoreson [mailto:[EMAIL PROTECTED]]
Sent: Monday, April 08, 2002 6:03 PM
To: '[EMAIL PROTECTED]'
Subject: PIX conduit vs access lists

Does anyone have any opinions on the use of access lists vs conduits on the PIX? Cisco seems to be pushing access lists in their newer PIX OS releases. One thing I have noticed is with conduits, the PIX will implicitly allow all traffic from a higher to lower security level.
For example, if I have a machine in my DMZ, security 50, that wants to browse the web on the outside, security 0, this is automatically allowed without the use of a conduit statement. If I use an access-list on my DMZ interface, with holes from the outside to the DMZ, or from the DMZ to the inside, I will not be able to have this DMZ machine browse the web unless I have an access-list statement on the DMZ allowing it through to the outside on port 80. There isn't the implicit allow of all traffic from higher to lower security that the conduit has. Unless I'm missing something, access lists create more work. Does anybody have any opinions on one or the other?

Thanks,
Matt

_______________________________________________
Firewalls mailing list
[EMAIL PROTECTED]
http://lists.gnac.net/mailman/listinfo/firewalls
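The thread turns on two different ways of evaluating a rule list: Ken describes outbound statements as "best match wins, permit wins a tie, port 0 counts as a single port", and ACLs as "top down, first match wins". The following Python model, added here as an illustration (it is not Cisco code and not part of either post), implements both evaluators exactly as the posts describe them and runs Ken's three example lists through each. The statement syntax it accepts is the order used in the post (action, protocol, address, mask, port), and the "nothing matches, so permit" default for an outbound list is inferred from the recommendation to begin the list with `deny ip 0 0 0`; both are assumptions about the post's description, not verified PIX behaviour. The flows tested (65.24.95.39:6699, 10.0.0.1:53 and so on) are constructed inputs.

```python
"""Model of the two PIX rule-evaluation styles discussed in the thread above.

Added example, not Cisco code. Outbound lists are evaluated as Ken's post
states: best match by address mask, a permit wins a tie, and port 0 (any port)
counts as a single port rather than as "less specific". ACLs are evaluated as
the post states: top-down, first match wins, implicit deny at the end.
Assumptions: statement order is the one used in the post (action, proto,
addr, mask, port) and an outbound list with no matching statement permits.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network


@dataclass(frozen=True)
class Rule:
    action: str   # "permit" or "deny"
    proto: str    # "ip" (any protocol), "tcp" or "udp"
    addr: str     # dotted quad, or "0" for any address
    mask: str     # dotted quad, or "0" for any mask
    port: int     # 0 means any port

    def network(self) -> IPv4Network:
        if self.addr == "0" or self.mask == "0":
            return IPv4Network("0.0.0.0/0")
        return IPv4Network(f"{self.addr}/{self.mask}", strict=False)

    def matches(self, proto: str, dst: str, port: int) -> bool:
        if self.proto != "ip" and self.proto != proto:
            return False
        if self.port != 0 and self.port != port:
            return False
        return IPv4Address(dst) in self.network()

    def specificity(self) -> int:
        # Only the address mask counts. Port 0 is "treated as a single
        # port", so it does not make a rule less specific (assumption
        # taken from the post's description).
        return self.network().prefixlen


def parse(line: str) -> Rule:
    """Parse 'outbound <id> <action> <proto> <addr> <mask> <port>'."""
    keyword, _list_id, action, proto, addr, mask, port = line.split()
    if keyword.lower() != "outbound" or action not in ("permit", "deny"):
        raise ValueError(f"not an outbound statement: {line!r}")
    return Rule(action, proto.lower(), addr, mask, int(port))


def evaluate_outbound(rules, proto, dst, port) -> str:
    """Best match wins; on a tie permit wins; nothing matching -> permit."""
    best = None
    for rule in rules:
        if not rule.matches(proto, dst, port):
            continue
        if best is None or rule.specificity() > best.specificity():
            best = rule
        elif rule.specificity() == best.specificity() and rule.action == "permit":
            best = rule
    return best.action if best is not None else "permit"


def evaluate_acl(rules, proto, dst, port) -> str:
    """Top-down, first match wins; nothing matching -> deny."""
    for rule in rules:
        if rule.matches(proto, dst, port):
            return rule.action
    return "deny"


# The three lists from the post, in the order written there.
NAPSTER_ATTEMPT = [parse(s) for s in (
    "outbound 1 deny tcp 0 0 6699",
    "outbound 1 permit tcp 0 0 0",
)]
HOST_SPECIFIC = [parse(s) for s in (
    "outbound 1 deny tcp 65.24.95.39 255.255.255.255 6699",
    "outbound 1 permit tcp 0 0 0",
)]
RECOMMENDED = [parse(s) for s in (
    "outbound 1 deny ip 0 0 0",
    "outbound 1 permit tcp 0 0 80",
    "outbound 1 permit tcp 0 0 443",
    "outbound 1 permit tcp 0 0 21",
)]


def compare(rules, proto, dst, port):
    """Return (outbound_result, acl_result) for one flow against one list."""
    return (evaluate_outbound(rules, proto, dst, port),
            evaluate_acl(rules, proto, dst, port))


if __name__ == "__main__":
    lists = (("napster", NAPSTER_ATTEMPT), ("host", HOST_SPECIFIC),
             ("recommended", RECOMMENDED))
    flows = (("tcp", "65.24.95.39", 6699), ("tcp", "65.24.95.39", 80),
             ("udp", "10.0.0.1", 53))
    for name, rules in lists:
        for flow in flows:
            print(name, flow, "outbound=%s acl=%s" % compare(rules, *flow))
```

Running it shows the point both posters are circling: the same four-line "deny everything, then permit 80/443/21" list permits web traffic under best-match semantics but denies everything under first-match semantics, because the blanket deny sits on top. Conversely the "deny 6699, permit all" pair blocks port 6699 as an ACL but lets it through as an outbound list, since the two statements tie on mask length and the permit wins. Whichever model the real box uses, the check worth doing before trusting a list is exactly this: feed the flows you care about through the evaluation order the platform actually applies.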
