Re: [fw-wiz] PIX question

On 3/10/06, Brian Loe wrote:
> So, you have an internet-out ACL which ends with an any any on the
> inside interface.
> You have an internet-in ACL on the outside interface.
> You have a DMZ2-in ACL on the dmz2 interface.
> The inside interface is 100, dmz2 is 10 (as is dmz1) and the outside
> interface is 0.
> You have an smtp box on dmz2. You have rules in dmz2-in allowing the
> smtp box to talk to boxes on the internal network. The smtp box can
> NOT talk to anything on the internet - gets denied by dmz2-in ACL. Add
> an any any rule for that host in dmz2-in and it works.
> Question: Why would the inbound ACL on dmz2 prevent it from sending
> traffic to the outside interface with a lower security setting? Does
> an ACL applied to a dmz interface have an implied deny all - even for
> lower security interfaces?
Yes it does. Once you put an ACL on an interface then you create
a (sensible) default "deny all" on that interface - regardless of
the security level. The (unfortunate) default "permit" from high-to-low only happens if you
have no ACLs on the interface or if you're still using the (old, brain-dead)
"conduit" and "outbound" commands.
The security level still matters for your choice of address translation
commands: "static" for low-to-high traffic, and "global"+"nat" for
Avishai Wool, Ph.D.,
Chief Technical Officer, Algorithmic Security Inc.
******* Making your firewalls really safe *******
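To make the rule in the reply concrete, here is an added Python model (not code from the thread or from Cisco) of how a PIX decides whether to open a new connection: with no access-group on the ingress interface the security levels decide, and once an ACL is bound only its entries, ending in the implicit deny, decide. Interface names and levels come from the thread; the addresses, the dmz1 host and the port-25-only fix (tighter than the "any any" rule the thread added) are constructed assumptions, and address translation is not modeled.

```python
from ipaddress import ip_address, ip_network

# Security levels from the thread; addressing below is constructed for the example.
SECURITY_LEVEL = {"inside": 100, "dmz1": 10, "dmz2": 10, "outside": 0}
NETWORKS = {"inside": "10.0.0.0/8", "dmz1": "192.0.3.0/24", "dmz2": "192.0.2.0/24"}
SMTP_HOST, INSIDE_MAIL = "192.0.2.25", "10.1.0.10"   # smtp box on dmz2, internal relay
DMZ1_HOST, INTERNET = "192.0.3.5", "198.51.100.7"    # a dmz1 host, an Internet host

def interface_of(ip):
    """Ingress/egress interface for an address; anything unknown is 'outside'."""
    for name, net in NETWORKS.items():
        if ip_address(ip) in ip_network(net):
            return name
    return "outside"

def acl_allows(acl, src, dst, port):
    """access-list semantics: first matching entry wins, implicit deny at the end."""
    for action, s, d, p in acl:
        src_ok = s == "any" or ip_address(src) in ip_network(s)
        dst_ok = d == "any" or ip_address(dst) in ip_network(d)
        if src_ok and dst_ok and (p is None or p == port):
            return action == "permit"
    return False

def pix_permits(access_groups, src, dst, port):
    """Is the new connection forwarded? access_groups maps interface -> inbound ACL."""
    ingress, egress = interface_of(src), interface_of(dst)
    acl = access_groups.get(ingress)
    if acl is None:
        # No access-group on the ingress interface: the level-based default applies,
        # so high-to-low is permitted and low-to-high is denied.
        return SECURITY_LEVEL[ingress] > SECURITY_LEVEL[egress]
    # An ACL is bound: the security level grants nothing, the ACL alone decides.
    return acl_allows(acl, src, dst, port)

def scenario():
    """Reproduce the thread: dmz2-in only permits the smtp box to reach the inside."""
    before = {"dmz2": [("permit", SMTP_HOST, INSIDE_MAIL, 25)]}
    # Fix: an explicit permit for outbound SMTP only, instead of 'any any' for the host.
    after = {"dmz2": before["dmz2"] + [("permit", SMTP_HOST, "any", 25)]}
    return {
        "smtp_to_inside": pix_permits(before, SMTP_HOST, INSIDE_MAIL, 25),
        "smtp_to_internet_before": pix_permits(before, SMTP_HOST, INTERNET, 25),
        "smtp_to_internet_after": pix_permits(after, SMTP_HOST, INTERNET, 25),
        "smtp_web_to_internet_after": pix_permits(after, SMTP_HOST, INTERNET, 80),
        "dmz1_no_acl_to_internet": pix_permits(after, DMZ1_HOST, INTERNET, 80),
        "internet_to_dmz1_no_acl": pix_permits(after, INTERNET, DMZ1_HOST, 25),
    }
```

The dmz1 entries show the contrast the reply draws: with no ACL bound, dmz1 (level 10) reaches the outside (level 0) by default, while the dmz2 host, whose interface carries an ACL, gets nothing the ACL does not spell out.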
firewall-wizards mailing list