501 PIX "deny any any" "allow any any" Any Anybody?

Hello,

I just started HyperTerminal and came to a blinking cursor.

I pressed enter on my keyboard and came to a command prompt - pixfirewall>

From this point, step by step if possible, how might I configure the PIX to deny outbound traffic from using a particular port, 27374 for example?

How might I also configure the PIX to allow traffic to exit a certain port, 80 for example?

  1. Type "enable" (without the quotes).
  2. Enter password.
  3. Type "configure terminal" (maybe? I don't know)
  4. ........ (Now I REALLY don't know)

The above steps 1,2,3,4 are the format I would most appreciate if anyone knows what I mean.

How anyone could NOT know what I mean is beyond me, lol, but some people seem to enjoy deliberately confusing me. For example I ask how to protect outgoing traffic in a case where one inadvertently picks up a keylogger and a response is "Don't install keyloggers...."

Anyway, a busy friend of mine took a few minutes to suggest that I figure out the deny any any and allow any any commands. I don't know if this is the way or if there is a better way and either way I was not able to figure out the "any any" command yet.

I prefer to use the command line from HyperTerminal if possible but

If anybody out there could possibly help me by spelling out, step by step from the initial pixfirewall> prompt, how I can configure to deny traffic exiting port 27374 (a common Trojan port) and also allow traffic to exit port 80 I would GREATLY appreciate the time it takes you.

Thanks

PS: To those that have helped me so far, Walter, BK, Bolger, DrSpock.. What was over my head is now becoming clearer and I truly appreciate your help. Thank you so much.

Reply to
Networking Student

Well, the first thing is that you must get into enable mode and enter the password. Next you must get into configuration terminal mode by entering either "config t" or "config terminal". To answer your question, to deny outbound traffic from using a particular port you can do the following.

access-list deny_outbound deny tcp any any eq 27374

The access list above will deny any host from behind the firewall from using port 27374 to send data to any destination. The "deny_outbound" that you see above is just the name of the access-list. Also, after you enter this access-list in the PIX, you must enter "clear xlate" and reload the access-group by entering the line below. Then save your changes by entering "write mem" or "write memory".

"access-group deny_outbound in interface inside" In this case the access-group is called deny_outbound.

However, by default the PIX allows all traffic which is outbound but denies all traffic which is inbound.

Victor


Reply to
vreyesii

That is only until you apply an access list to the inside interface. As you've told him to have an ACL on the inside interface (access-group deny_outbound in interface inside) but that ACL has only one line (access-list deny_outbound deny tcp any any eq 27374), you have now blocked ALL traffic, as the default at the end of any ACL is 'deny any any'.

Chris.

Reply to
chris

Oh yes, thank you for reminding me. As Chris pointed out, there is an implicit "deny all" at the end of any access list, so you have to add "access-list deny_outbound permit ip any any" to allow everything else. You have to make sure that you add it below the deny statement, because if not the deny statement will not have an effect.

Victor

Reply to
vreyesii
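As an added illustration of the point Chris and Victor make above (not code from the thread), here is a small first-match evaluator for the PIX access-list lines discussed: it shows that a one-line ACL blocks everything because of the implicit deny, that "deny" followed by "permit ip any any" blocks only port 27374, and that putting the permit first makes the deny useless. It assumes "any any" source and destination, as in the thread, and the example configurations are constructed.

```python
import re

# Added example (not from the thread): a tiny first-match evaluator for the
# PIX access-list lines discussed above, to show why the order of the deny and
# permit entries matters and what the implicit 'deny any any' does.
# Simplification: source/destination are assumed to be "any any" as in the thread.
LINE_RE = re.compile(
    r"^access-list\s+(?P<name>\S+)\s+(?P<action>permit|deny)\s+(?P<proto>\S+)"
    r"\s+(?P<src>\S+)\s+(?P<dst>\S+)(?:\s+eq\s+(?P<port>\d+))?\s*$"
)

def parse_acl(config_text):
    """Return {acl_name: [entries]} in the order the lines were entered."""
    acls = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError("unsupported line: " + line)
        entry = m.groupdict()
        entry["port"] = int(entry["port"]) if entry["port"] else None
        acls.setdefault(entry["name"], []).append(entry)
    return acls

def evaluate(entries, proto, dst_port):
    """First matching entry wins; if none matches, the implicit deny applies."""
    for e in entries:
        proto_ok = e["proto"] in ("ip", proto)
        port_ok = e["port"] is None or e["port"] == dst_port
        if proto_ok and port_ok:
            return e["action"]
    return "deny"  # implicit 'deny any any' at the end of every access list

def outbound_verdicts(config_text, acl_name, ports=(27374, 80)):
    """Verdict for a TCP connection from inside to each destination port."""
    entries = parse_acl(config_text).get(acl_name, [])
    return {p: evaluate(entries, "tcp", p) for p in ports}

# Constructed configurations for the three situations the thread discusses.
ONLY_DENY = "access-list deny_outbound deny tcp any any eq 27374"
DENY_THEN_PERMIT = ONLY_DENY + "\naccess-list deny_outbound permit ip any any"
PERMIT_THEN_DENY = "access-list deny_outbound permit ip any any\n" + ONLY_DENY

if __name__ == "__main__":
    for label, cfg in [("only deny", ONLY_DENY), ("deny then permit", DENY_THEN_PERMIT),
                       ("permit then deny", PERMIT_THEN_DENY)]:
        print(label, outbound_verdicts(cfg, "deny_outbound"))
```

Running it prints a deny for both ports with the one-line ACL, deny/permit for the correctly ordered pair, and permit for both when the permit comes first.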
