PIX has a feature called the implicit rule. When there is no access list, outbound traffic from an interface with a higher security level is allowed to a lower security-level interface. But traffic from a lower security level to a higher security level is not allowed (unless it was initiated from the higher interface).
But if I want to add some rules to this setup, the implicit rule is no longer available (because implicit rules are only available when there is no access list). It seems not possible to add an implicit rule by hand (correct?)
Also a rule like permit DMZ tcp any any would give the DMZ access to inside as well, so I have to block access from DMZ to inside first and then allow DMZ access to outside.
At the moment I'm working with a few VLAN interfaces, so it's a lot of work to get the above-described setup working without making errors.
I'm thinking of creating a network object which contains all my internal (public IP) networks, denying all access to these networks, then allowing access to outside from these networks, applying this to all my interfaces, and putting all my exceptions before these lines.
I hope this setup will be less error-prone; I know myself, I'll forget a small thing.
I don't know how an interface will react if a network object also contains its own interface, and access to it is disabled.
Is this a good setup? Are there better ideas? Or is it possible to make access lists like: allow traffic from interface-x to interface-y (based only on interfaces, not on IP)?
Any suggestions are helpful.
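The layout sketched in the post above (one object group holding the internal networks, a deny to that group followed by a permit any on every interface, with the exceptions placed first) generated and checked as an added example. This is not code from the original post or from Cisco; it assumes PIX 7.x / ASA style syntax (object-group network, access-list ... extended, access-group in interface), and the interface names, subnets and the mail-relay exception are constructed sample data. The decide() function evaluates the generated rules first-match with the implicit deny at the end, so an ordering can be checked before it is pasted into the firewall.

```python
from __future__ import annotations
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network

ANY = IPv4Network("0.0.0.0/0")
GROUP = "INTERNAL_NETS"          # assumed object-group name, not from the post

# Constructed inventory: interface name -> the internal subnet behind it.
# 'outside' gets no generated access list in this example.
INTERNAL = {
    "inside": IPv4Network("10.1.0.0/24"),
    "dmz": IPv4Network("10.2.0.0/24"),
    "vlan30": IPv4Network("10.3.0.0/24"),
    "vlan40": IPv4Network("10.4.0.0/24"),
}


def fmt(net: IPv4Network) -> str:
    """Render a network the way a PIX/ASA access-list line expects it."""
    if net == ANY:
        return "any"
    if net.prefixlen == 32:
        return f"host {net.network_address}"
    return f"{net.network_address} {net.netmask}"


@dataclass
class Rule:
    action: str                   # "permit" or "deny"
    proto: str                    # "ip", "tcp" or "udp"
    src: IPv4Network
    dst: IPv4Network | str        # a network, or the name of an object-group
    dport: int | None = None

    def text(self, acl: str) -> str:
        """One access-list line in PIX 7.x / ASA syntax (assumed)."""
        dst = f"object-group {self.dst}" if isinstance(self.dst, str) else fmt(self.dst)
        port = f" eq {self.dport}" if self.dport is not None else ""
        return f"access-list {acl} extended {self.action} {self.proto} {fmt(self.src)} {dst}{port}"

    def matches(self, groups: dict, proto: str, sip: IPv4Address, dip: IPv4Address, dport) -> bool:
        if self.proto != "ip" and self.proto != proto:
            return False
        if sip not in self.src:
            return False
        dsts = groups[self.dst] if isinstance(self.dst, str) else [self.dst]
        if not any(dip in d for d in dsts):
            return False
        return self.dport is None or self.dport == dport


# Constructed exceptions, keyed by the interface the traffic enters on.
# Hypothetical: the DMZ may reach one inside mail relay on tcp/25.
EXCEPTIONS = {
    "dmz": [Rule("permit", "tcp", INTERNAL["dmz"], IPv4Network("10.1.0.25/32"), 25)],
}


def interface_rules(ifname: str, exceptions: dict) -> list[Rule]:
    """Exceptions first, then deny everything to the internal nets, then permit the rest."""
    return exceptions.get(ifname, []) + [
        Rule("deny", "ip", ANY, GROUP),
        Rule("permit", "ip", ANY, ANY),
    ]


def build_config(interfaces: dict, exceptions: dict) -> list[str]:
    """Emit the object-group plus one access list per interface, already bound inbound."""
    lines = [f"object-group network {GROUP}"]
    lines += [f" network-object {fmt(net)}" for net in interfaces.values()]
    for ifname in interfaces:
        acl = f"{ifname}_in"
        lines += [rule.text(acl) for rule in interface_rules(ifname, exceptions)]
        lines.append(f"access-group {acl} in interface {ifname}")
    return lines


def decide(ifname: str, proto: str, src: str, dst: str, dport: int | None = None) -> str:
    """First-match evaluation of the ACL on ifname; every ACL ends with an implicit deny."""
    groups = {GROUP: list(INTERNAL.values())}
    sip, dip = IPv4Address(src), IPv4Address(dst)
    for rule in interface_rules(ifname, EXCEPTIONS):
        if rule.matches(groups, proto, sip, dip, dport):
            return rule.action
    return "deny"


if __name__ == "__main__":
    print("\n".join(build_config(INTERNAL, EXCEPTIONS)))
    print("dmz -> inside web:", decide("dmz", "tcp", "10.2.0.10", "10.1.0.5", 80))
    print("dmz -> mail relay:", decide("dmz", "tcp", "10.2.0.10", "10.1.0.25", 25))
    print("dmz -> Internet:", decide("dmz", "tcp", "10.2.0.10", "203.0.113.7", 443))
```

Because the generator always emits the exceptions above the deny and the deny above the permit any, the ordering cannot be forgotten on one VLAN out of many; adding an interface is one line in INTERNAL. The evaluator only models the access list itself, not NAT or the connection table, so it shows what rule ordering alone yields.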