Re: [fw-wiz] Enforcing content filtering with PIX515E

On a pix it would look something like this:

access-list InsideOut permit tcp any host eq 80
access-list InsideOut deny any any
access-group in interface inside

This permits port 80 traffic from the proxy and drops everything else.
This will force people to either use the proxy or have no internet access.

The second line isn't really needed because of the implicit deny on ACLs
but it is handy to put it there so you don't forget.

Unless you mean have the firewall do all the forwarding. In which case
you are going to really be doing some funky NAT statements with statics
I think.

Ian Rarity wrote:
Hi all,

Apologies if this is dumb, obvious or both, but I've never had to get a
firewall to do this before. We've just signed up with SurfControl to
provide us with content filtering for our web users.
Actually getting all the various versions of various browsers on our
network to use it as their proxy server is proving problematic; each
version of IE seems to store the proxy URL in a different registry key.
Also, thanks to our IT policy (or lack thereof), there's not much we can
do to prevent users simply removing the proxy setting in their browsers
and looking at whatever sites they please.
So I thought I'd try reconfiguring our firewall to send any outgoing
traffic on port 80 to the IP/port that SurfControl gave us. The
access-list for the inside interface on the PIX currently reads:

access-list acl_in permit icmp any any
access-list acl_in permit ip any any

In other words, anything on the inside interface is allowed to access
anywhere. Am I right in thinking that to force outgoing port 80 traffic
in the direction of SurfControl, I'd need to add a line to acl_in along
these lines:

access-list acl_in permit any host 80 <surfcontrol's IP> 8081

Would this suffice, or do I need something more involved?


Ian Rarity
Technical Engineer
ESPC (UK) Ltd.

Private and Confidential: This e-mail transmission is strictly
confidential and intended solely for the addressee. It may contain
privileged and confidential information and if you are not the
intended recipient, you must not copy, disclose, distribute or
take any action in reliance on it. If you have received this
e-mail in error, please delete it and notify our E-mail Systems
Administrator on +44 (0) 131 624 8000. ESPC (UK) Ltd does not
accept any liability for any harm that may be caused to the
recipient's system or data by this message or any attachment.

ESPC (UK) Ltd is a company registered under the Companies
Acts in Scotland (Registered Number SC203535), and having its
registered office at 90A George Street, Edinburgh, Midlothian
EH2 3DF.

ESPC (UK) Limited is authorised and regulated by the Financial
Services Authority.
firewall-wizards mailing list

firewall-wizards mailing list

Relevant Pages

  • Re: 2600 router + 2924 switch and vlans
    ... switchport trunk encapsulation isl ... interface FastEthernet0/0.2 ... match access-group 101 ... access-list 1 permit ...
    ... src_addr= 71.X.X.174, prot= tcp ... You cannot telnet to the outside interface ... access-list allow_inbound permit tcp any interface outside eq pop3 ... access-group deny_outbound in interface inside ...
    ... You cannot telnet to the outside interface ... access-list allow_inbound permit tcp any interface outside eq pop3 ... access-group deny_outbound in interface inside ...
  • [VERY LONG] Cisco 3620 and very low throghuput.
    ... Last clearing of "show interface" counters 00:20:57 ... input packets with dribble condition detected ... permit tcp any eq telnet ...
  • DNS Issue over Site -Site VPN Tunnel.
    ... ip access-group 122 out ... interface ATM0 ... access-list 102 permit ip any ... access-list 111 permit tcp any any eq smtp ...