RE: [fw-wiz] PIX question

-----Original Message-----
From: firewall-wizards-admin@xxxxxxxxxxxxxxxxxx
[mailto:firewall-wizards-admin@xxxxxxxxxxxxxxxxxx] On Behalf
Of Brian Loe

Question: Why would the inbound ACL on dmz2 prevent it from
sending traffic to the outside interface with a lower
security setting? Does an ACL applied to a dmz interface have
an implied deny all - even for lower security interfaces?

Yes. Only when no ACL is set is an implicit "allow any any" to lower-security
interfaces used. In the PDM, this shows up as an "implicit outbound rule".
Once an ACL is applied, it ends with an implicit "deny any any".

firewall-wizards mailing list
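The rule stated in the reply above (no ACL: implicit permit toward lower-security interfaces only; ACL applied: first match wins and the list ends in an implicit deny, regardless of security level) can be checked with a small model. The following Python is an added example, not code from the original post or from Cisco; the interface names, security levels, addresses and the dmz2-in access list are assumptions, and NAT/static requirements and the egress interface's own ACL are deliberately left out.

```python
# Toy model of PIX interface security levels and inbound ACL semantics.
# Added illustration, not Cisco code; names, levels and addresses are assumed.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


def _covers(spec: str, ip: str) -> bool:
    """'any' matches everything; otherwise spec is a CIDR network or /32 host."""
    return spec == "any" or ip_address(ip) in ip_network(spec, strict=False)


@dataclass
class Ace:
    """One access-list entry, e.g. 'access-list dmz2-in permit ip <src> <dst>'."""
    action: str   # "permit" or "deny"
    src: str
    dst: str

    def matches(self, src_ip: str, dst_ip: str) -> bool:
        return _covers(self.src, src_ip) and _covers(self.dst, dst_ip)


@dataclass
class Interface:
    name: str
    security: int                        # PIX security level, 0..100
    acl_in: Optional[List[Ace]] = None   # None: no 'access-group ... in interface' applied


def permitted(ingress: Interface, egress: Interface, src_ip: str, dst_ip: str) -> bool:
    """Decide whether a flow entering 'ingress' may leave via 'egress'.

    Only the interface-ACL / security-level rule from the thread is modelled;
    NAT/static requirements and the egress interface's own ACL are ignored.
    """
    if ingress.acl_in is None:
        # No ACL: the 'implicit outbound rule' permits any any, but only
        # toward interfaces with a lower security level.
        return egress.security < ingress.security
    # ACL present: first matching entry wins, whatever the security levels are.
    for ace in ingress.acl_in:
        if ace.matches(src_ip, dst_ip):
            return ace.action == "permit"
    # Every ACL ends with an implicit deny any any.
    return False


# Assumed topology (not from the original post).
OUTSIDE = Interface("outside", 0)
INSIDE = Interface("inside", 100)

# dmz2 with no access-group applied.
DMZ2_NO_ACL = Interface("dmz2", 50)

# dmz2 with an ACL that only permits traffic to one inside host, i.e. (assumed)
#   access-list dmz2-in permit ip 192.168.2.0 255.255.255.0 host 10.0.0.5
#   access-group dmz2-in in interface dmz2
DMZ2_ACL = Interface("dmz2", 50, [Ace("permit", "192.168.2.0/24", "10.0.0.5/32")])

# Same ACL with an explicit permit for Internet-bound traffic appended.
DMZ2_ACL_FIXED = Interface(
    "dmz2", 50, list(DMZ2_ACL.acl_in) + [Ace("permit", "192.168.2.0/24", "any")]
)

DMZ_HOST, INET_HOST, INSIDE_SRV = "192.168.2.10", "203.0.113.9", "10.0.0.5"


def main() -> None:
    for iface in (DMZ2_NO_ACL, DMZ2_ACL, DMZ2_ACL_FIXED):
        tag = "no ACL" if iface.acl_in is None else f"{len(iface.acl_in)} ACE(s)"
        print(f"dmz2 ({tag}) -> outside: {permitted(iface, OUTSIDE, DMZ_HOST, INET_HOST)}")
        print(f"dmz2 ({tag}) -> inside : {permitted(iface, INSIDE, DMZ_HOST, INSIDE_SRV)}")


if __name__ == "__main__":
    main()
```

With no ACL, dmz2 reaches outside but not inside; once the one-line dmz2-in ACL is applied, the same Internet-bound flow falls through to the implicit deny, which is exactly the behaviour asked about. Appending an explicit permit toward the outside networks restores it.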
