[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20040630030224.A21900@bpfh.net>
From: simes at bpfh.net (Simon Burr)
Subject: PIX vs CheckPoint
On Tue, Jun 29, 2004 at 04:57:42PM -0700, Gary E. Miller wrote:
>I agree, except for one small problem. Don't you still have to delete
>ALL the filter rules, and reenter them ALL to change the order of the
>rules? last I checked there was no "insert before", "insert at top" sort
>of options. Just "insert at end".
This isn't true for version 6.3 of the PIX software; there is the line
argument to the access-list command. Thus if you have the following ACL:
access-list test permit tcp any any eq 1
access-list test permit tcp any any eq 2
And want to insert an ACE between the two you can use:
access-list test line 2 permit tcp any any eq 3
And the resulting ACL will look like the following:
# show access-list test
access-list test; 3 elements
access-list test line 1 permit tcp any any eq 1 (hitcnt=0)
access-list test line 2 permit tcp any any eq 3 (hitcnt=0)
access-list test line 3 permit tcp any any eq 2 (hitcnt=0)
#
Have a read of the docs at for the access-list command in 6.3 of the
PIX software at the following location:
http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/cmdref/ab.htm#wp1067755
The other thing to do is to make use of object groups which allow you to
do things like:
object-group service web tcp
port-object eq http
object-group dmz_hosts
network-object 192.168.0.0 255.255.255.0
object-group web_srv
network-object host 10.0.1.1
network-object host 10.0.1.2
access-list inbound permit tcp object-group dmz_hosts object-group web_src object-group web
Which results in the ACL actually being:
access-list inbound permit tcp 192.168.0.0 255.255.255.0 host 10.0.1.1 eq http
access-list inbound permit tcp 192.168.0.0 255.255.255.0 host 10.0.1.2 eq http
Whilst it does look a little silly to use 8 lines where 2 would do you can edit
the object-group, removing and adding entries as required. The only restriction
is that once an object-group is in use by an ACL, it can not be empty. Thus say
you wanted to add permission for HTTPS for all web servers, all you'd need to
do would be to enter the following in configuration mode:
object-group server web tcp
port-object eq https
exit
And the ACL would automatically be updated to reflect this, looking like:
access-list inbound permit tcp 192.168.0.0 255.255.255.0 host 10.0.1.1 eq http
access-list inbound permit tcp 192.168.0.0 255.255.255.0 host 10.0.1.1 eq https
access-list inbound permit tcp 192.168.0.0 255.255.255.0 host 10.0.1.2 eq http
access-list inbound permit tcp 192.168.0.0 255.255.255.0 host 10.0.1.2 eq https
Naturally the same can be done with the dmz_hosts and web_srv object groups as
well. You can read more information on how object grouping works here:
http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/config/mngacl.htm#1024374
Object groups are available in version 6.2 and later of the PIX software.
--
Simon the stressed http://www.bpfh.net/ simes@...h.net
Chocolate is *not* a substitute for sleep
Powered by blists - more mailing lists