Re: [fw-wiz] IP Ranges
- From: "Security Guy" <security@xxxxxxxxxxxx>
- Date: Thu, 29 Mar 2007 16:51:26 -0400
specifically regarding PIX
Object groups do make ACL management a whole lot easier, but you're
still stuck specifying hosts or contiguous networks within the group,
you can't just put in a range like 192.168.10.15-28 that doesn't
summarize nicely.
On 3/28/07, Fetch, Brandon <bfetch@xxxxxxx> wrote:
Object groups is where I was headed. The groups can take on networks,
hosts, ports and can then be used in place of where an ACL would go.
I happen to use object groups to define a block of allowed inbound sources
and use that to define the ACL as the source.
Keeps me from having to selectively manage an ACL. The ACL stays put and I
merely mange the group.
HTH,
Brandon
________________________________
From: firewall-wizards-bounces@xxxxxxxxxxxxxxxxxxxxx
[mailto:firewall-wizards-bounces@xxxxxxxxxxxxxxxxxxxxx] On
Behalf Of Jason Gervia
Sent: Tuesday, March 27, 2007 3:48 PM
To: Firewall Wizards Security Mailing List
Subject: Re: [fw-wiz] IP Ranges
Hello,
In regards to cisco PIX - there's no real way to specify a 'range' option
with regards to IP addresses. I'd suggest trying object groups and
specifying which hosts you would like.
In IOS, you could potentially use subnet masks that specified 2,4,8,16, etc
hosts to get the equivalent of a range, but I believe the stateful
firewalling that is part of the pix won't allow that (it will deny
src/destinations of networks or broadcast networks).
I agree, it would be a great thing for cisco to add in a later code
release. Unfortunately it's not here yet.
--Jason
On 3/26/07, Sergio Pozo Hidalgo <sergio@xxxxxxxxx> wrote:
Hi all,
I have been searcing in the list and in google about how to specify ip
ranges in different low level firewall languages.
I have read that it is possible to do that with iptables using
--ip-range parameter. But I could'nt find any information reagarding PIX
or PF using a syntax like iptables one.
I know it is possible to specify contiguous and non-contiguous ip ranges
using subnets (Subnet Calculator is a good application for that), and a
combination of deny and permit rules. But the question is if there is a
way to specify a range using the easy-to-use format of iptables:
192.168.0.1-192.168.2.20 (I know there is a mix of subnets...)
Thank you very much in advance.
Best regards,
--
Sergio Pozo Hidalgo
Quivir Research Group <www.lsi.us.es/~quivir>
University of Seville (Spain)
_______________________________________________
firewall-wizards mailing list
firewall-wizards@xxxxxxxxxxxxxxxxxxxxx
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
This message is intended only for the person(s) to which it is addressed
and may contain privileged, confidential and/or insider information.
If you have received this communication in error, please notify us
immediately by replying to the message and deleting it from your computer.
Any disclosure, copying, distribution, or the taking of any action
concerning
the contents of this message and any attachment(s) by anyone other
than the named recipient(s) is strictly prohibited.
_______________________________________________
firewall-wizards mailing list
firewall-wizards@xxxxxxxxxxxxxxxxxxxxx
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
--
-Karl
_______________________________________________
firewall-wizards mailing list
firewall-wizards@xxxxxxxxxxxxxxxxxxxxx
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
- Follow-Ups:
- Re: [fw-wiz] IP Ranges
- From: Sergio Pozo Hidalgo
- Re: [fw-wiz] IP Ranges
- References:
- [fw-wiz] IP Ranges
- From: Sergio Pozo Hidalgo
- Re: [fw-wiz] IP Ranges
- From: Jason Gervia
- Re: [fw-wiz] IP Ranges
- From: Fetch, Brandon
- [fw-wiz] IP Ranges
- Prev by Date: Re: [fw-wiz] OT? New compromise.
- Next by Date: Re: [fw-wiz] IP Ranges
- Previous by thread: Re: [fw-wiz] IP Ranges
- Next by thread: Re: [fw-wiz] IP Ranges
- Index(es):
Relevant Pages
|
