Right now, we have no outbound restrictions. I would like to modify my access list on my PIX to deny outbound SMTP except for my mail servers. Hopefully this will prevent mass mailing worms from mass mailing.
Below is our current config. I'm guessing I need to add a second access list and apply it to the inside interface. But as this is in a production environment, I thought I'd ask for some tips before I start doing in vivo testing. Thank you.
access-list 101 permit icmp any host 17.43.118.3
access-list 101 permit tcp any host 17.43.118.5 eq smtp
access-list 101 permit tcp any host 17.43.118.4 eq www
access-list 101 permit tcp any host 17.43.118.4 eq 443
access-list 101 permit tcp any host 17.43.118.243 eq ftp-data
access-list 101 permit tcp any host 17.43.118.243 eq ftp
access-group 101 in interface outside
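A worked version of the inside-interface list the question asks about, as an added example that is not part of the original post. It assumes the mail server published as 17.43.118.5 has the inside (pre-NAT) address 192.168.1.5 and that the inside network is 192.168.1.0/24; both are placeholders to substitute. A list applied `in` on the inside interface is evaluated on traffic entering the PIX from inside hosts, so it filters outbound connections and must reference the hosts' real inside addresses, not the outside (static) ones used in list 101.

```cisco
! Added example, not from the original post. Assumed addresses:
!   192.168.1.5      inside address of the mail server seen as 17.43.118.5
!   192.168.1.0/24   inside network
! A separate list number (102) leaves the existing outside list 101 untouched.
! Entries are matched top-down, first match wins. One line per mail server.

! 1. Mail servers may open outbound SMTP to anywhere.
access-list 102 permit tcp host 192.168.1.5 any eq smtp

! 2. Every other inside host is refused outbound SMTP (TCP/25).
!    On PIX 6.3 and later, append "log" to this line to see which
!    inside hosts are attempting direct SMTP, i.e. likely infected.
access-list 102 deny tcp 192.168.1.0 255.255.255.0 any eq smtp

! 3. The list ends with an implicit deny, so everything else must be
!    permitted explicitly or all other outbound traffic stops.
access-list 102 permit ip 192.168.1.0 255.255.255.0 any

! Apply the list to traffic arriving on the inside interface.
access-group 102 in interface inside
```

Before committing with `write memory`, check it from a workstation that is not a mail server: `telnet <some external MX> 25` should now fail, while the same test from the mail server should still connect. `show access-list 102` shows a hit count per entry, which confirms both that the deny line is catching the blocked attempts and that the final permit is carrying the rest of the outbound traffic.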