Re: [fw-wiz] IP Ranges



Specifically regarding PIX:

Object groups do make ACL management a whole lot easier, but you're
still stuck specifying hosts or contiguous networks within the group;
you can't just put in a range like 192.168.10.15-28 that doesn't
summarize nicely.


On 3/28/07, Fetch, Brandon <bfetch@xxxxxxx> wrote:

Object groups are where I was headed. The groups can take on networks,
hosts, ports and can then be used in place of where an ACL would go.



I happen to use object groups to define a block of allowed inbound sources
and use that to define the ACL as the source.

Keeps me from having to selectively manage an ACL. The ACL stays put and I
merely manage the group.



HTH,

Brandon



________________________________


From: firewall-wizards-bounces@xxxxxxxxxxxxxxxxxxxxx
[mailto:firewall-wizards-bounces@xxxxxxxxxxxxxxxxxxxxx] On
Behalf Of Jason Gervia
Sent: Tuesday, March 27, 2007 3:48 PM
To: Firewall Wizards Security Mailing List
Subject: Re: [fw-wiz] IP Ranges

Hello,

In regards to Cisco PIX - there's no real way to specify a 'range' option
with regards to IP addresses. I'd suggest trying object groups and
specifying which hosts you would like.

In IOS, you could potentially use subnet masks that specified 2,4,8,16, etc
hosts to get the equivalent of a range, but I believe the stateful
firewalling that is part of the pix won't allow that (it will deny
src/destinations of networks or broadcast networks).

I agree, it would be a great thing for Cisco to add in a later code
release. Unfortunately it's not here yet.

--Jason


On 3/26/07, Sergio Pozo Hidalgo <sergio@xxxxxxxxx> wrote:

Hi all,
I have been searching in the list and in Google about how to specify IP
ranges in different low level firewall languages.

I have read that it is possible to do that with iptables using the
--ip-range parameter. But I couldn't find any information regarding PIX
or PF using a syntax like the iptables one.
I know it is possible to specify contiguous and non-contiguous IP ranges
using subnets (Subnet Calculator is a good application for that), and a
combination of deny and permit rules. But the question is if there is a
way to specify a range using the easy-to-use format of iptables:
192.168.0.1-192.168.2.20 (I know there is a mix of subnets...)

Thank you very much in advance.
Best regards,

--
Sergio Pozo Hidalgo
Quivir Research Group <www.lsi.us.es/~quivir>
University of Seville (Spain)
_______________________________________________
firewall-wizards mailing list
firewall-wizards@xxxxxxxxxxxxxxxxxxxxx
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards



--
-Karl
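As an added example (not from any poster in this thread), the "mix of subnets" that Sergio and Karl describe, done with Python's ipaddress module: an arbitrary first-last IPv4 range is split into the minimal set of CIDR blocks that covers it exactly, and those blocks are rendered as PIX object-group network lines. The group name ALLOWED_SRC is an assumed placeholder; the sample ranges are the two quoted in the thread.

```python
import ipaddress
from typing import List


def range_to_cidrs(first: str, last: str) -> List[ipaddress.IPv4Network]:
    """Decompose an inclusive first-last IPv4 range into the minimal list
    of CIDR blocks that covers it exactly (no address outside the range)."""
    lo, hi = ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)
    if lo > hi:
        raise ValueError("range start must not be above range end")
    return list(ipaddress.summarize_address_range(lo, hi))


def pix_object_group(name: str, first: str, last: str) -> List[str]:
    """Render the range as PIX/ASA 'object-group network' lines.
    /32 blocks use the 'host' form; larger blocks use network + mask."""
    lines = [f"object-group network {name}"]
    for net in range_to_cidrs(first, last):
        if net.prefixlen == 32:
            lines.append(f" network-object host {net.network_address}")
        else:
            lines.append(f" network-object {net.network_address} {net.netmask}")
    return lines


def covers_exactly(first: str, last: str, nets) -> bool:
    """Sanity check worth running before pushing config: every block lies
    inside the range, and together they account for every address in it."""
    lo, hi = ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)
    inside = all(lo <= n.network_address and n.broadcast_address <= hi for n in nets)
    total = sum(n.num_addresses for n in nets)
    return inside and total == int(hi) - int(lo) + 1


if __name__ == "__main__":
    # Constructed sample ranges, taken from the thread's two examples.
    for first, last in [("192.168.10.15", "192.168.10.28"),
                        ("192.168.0.1", "192.168.2.20")]:
        print("\n".join(pix_object_group("ALLOWED_SRC", first, last)))
        print(f"! {len(range_to_cidrs(first, last))} blocks, exact cover:",
              covers_exactly(first, last, range_to_cidrs(first, last)))
```

The 14-address range 192.168.10.15-28 needs four blocks and 192.168.0.1-192.168.2.20 needs twelve, which is the management cost the thread is complaining about; the object group at least keeps those lines out of the ACL itself.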