lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20040630030224.A21900@bpfh.net>
From: simes at bpfh.net (Simon Burr)
Subject: PIX vs CheckPoint

On Tue, Jun 29, 2004 at 04:57:42PM -0700, Gary E. Miller wrote:
>I agree, except for one small problem.  Don't you still have to delete
>ALL the filter rules, and reenter them ALL to change the order of the
>rules? last I checked there was no "insert before", "insert at top" sort
>of options.  Just "insert at end".

This isn't true for version 6.3 of the PIX software; there is the line
argument to the access-list command. Thus if you have the following ACL:

  access-list test permit tcp any any eq 1
  access-list test permit tcp any any eq 2

And want to insert an ACE between the two you can use:

  access-list test line 2 permit tcp any any eq 3

And the resulting ACL will look like the following:

  # show access-list test
  access-list test; 3 elements
  access-list test line 1 permit tcp any any eq 1 (hitcnt=0) 
  access-list test line 2 permit tcp any any eq 3 (hitcnt=0) 
  access-list test line 3 permit tcp any any eq 2 (hitcnt=0) 
  #

Have a read of the docs at for the access-list command in 6.3 of the
PIX software at the following location:
  http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/cmdref/ab.htm#wp1067755

The other thing to do is to make use of object groups which allow you to
do things like:

  object-group service web tcp
    port-object eq http
  object-group dmz_hosts
    network-object 192.168.0.0 255.255.255.0
  object-group web_srv
    network-object host 10.0.1.1
    network-object host 10.0.1.2
  access-list inbound permit tcp object-group dmz_hosts object-group web_src object-group web

Which results in the ACL actually being:

  access-list inbound permit tcp 192.168.0.0 255.255.255.0 host 10.0.1.1 eq http
  access-list inbound permit tcp 192.168.0.0 255.255.255.0 host 10.0.1.2 eq http

Whilst it does look a little silly to use 8 lines where 2 would do you can edit
the object-group, removing and adding entries as required. The only restriction
is that once an object-group is in use by an ACL, it can not be empty. Thus say
you wanted to add permission for HTTPS for all web servers, all you'd need to
do would be to enter the following in configuration mode:

  object-group server web tcp
    port-object eq https
  exit

And the ACL would automatically be updated to reflect this, looking like:

  access-list inbound permit tcp 192.168.0.0 255.255.255.0 host 10.0.1.1 eq http
  access-list inbound permit tcp 192.168.0.0 255.255.255.0 host 10.0.1.1 eq https
  access-list inbound permit tcp 192.168.0.0 255.255.255.0 host 10.0.1.2 eq http
  access-list inbound permit tcp 192.168.0.0 255.255.255.0 host 10.0.1.2 eq https

Naturally the same can be done with the dmz_hosts and web_srv object groups as
well. You can read more information on how object grouping works here:
  http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/config/mngacl.htm#1024374
Object groups are available in version 6.2 and later of the PIX software.


-- 
    Simon the stressed        http://www.bpfh.net/           simes@...h.net
                 Chocolate is *not* a substitute for sleep


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ