Re: [fw-wiz] PIX question

On 3/10/06, Brian Loe <knobdy@xxxxxxxxx> wrote:
So, you have an internet-out ACL which ends with an any any on the
inside interface.
You have an internet-in ACL on the outside interface.
You have a DMZ2-in ACL on the dmz2 interface.

The inside interface is 100, dmz2 is 10 (as is dmz1) and the outside
interface is 0.

You have an smtp box on dmz2. You have rules in dmz2-in allowing the
smtp box to talk to boxes on the internal network. The smtp box can
NOT talk to anything on the internet - gets denied by dmz2-in ACL. Add
an any any rule for that host in dmz2-in and it works.

Question: Why would the inbound ACL on dmz2 prevent it from sending
traffic to the outside interface with a lower security setting? Does
an ACL applied to a dmz interface have an implied deny all - even for
lower security interfaces?

yes it does. Once you put an ACL on an interface then you create
a (sensible) default "deny all" on that interface - regardless of
security levels.
the (unfortunate) default "permit" from high-to-low only happens if you
have no ACLs on the interface or if you're still using the (old, brain-dead)
"conduit" and "outbound" commands.

the security level still matters for your choice of address translation
commands: "static" for low-to-high traffic, and "global"+"nat" for
high-to-low traffic.

firewall-wizards mailing list

Avishai Wool, Ph.D.,
Chief Technical Officer, Algorithmic Security Inc.
******* Making your firewalls really safe *******
firewall-wizards mailing list