Pix ACLs


the pix/asa above 7.x can filter on egress and ingress

but what is the drawback with filtering just egress-only? (if you have more interfaces ingress and egress filter is imho a pain)


Carsten Luegner

It all depends on _what_ you are trying to accomplish.

Ingress filtering can protect the PIX/ASA as well as machines behind it.

Ingress filtering lets you trivially filter on where packets come _from_. Egress filtering lets you trivially filter on where packets are going _to_.

Ingress and egress filtering occur on opposite sides of the 'routing' decision, and it may be practical to make use of that difference to simplify the actual filters.

e.g. if you have 3 separate exit paths from the local network, and you have traffic that you do not want to -- under *any* conditions -- leave the local network, then this can be accomplished by =one= ingress filter on the PIX port connected to the LAN. OTOH, doing it with egress filters, _while practical_, requires an egress filter on *each* exit path. And, to be 100% effective they _all_ have to be "exactly right". Getting _three_ things 'exactly right' -- and *keeping* them that way as the world changes out from under you -- *is*, obviously, harder, more difficult, and more time-consuming (both to 'do', and to 'verify' correctness) than is changing -one- (ingress) rule.

I use ingress rules to filter stuff where the filter action does -not- depend on the routing action -- e.g. stuff that should 'never' go -- anywhere, and egress rules for stuff that is 'ok' some places, but NOT in others.

YMMV -- and probably *WILL* -- depending on exactly _what_ filtering you are actually doing, and what the 'trust' relationship is between stuff on various interfaces of the PIX/ASA.

Robert Bonomi
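The "one ingress rule vs. one egress rule per exit path" point above, written out as ASA 7.x-style configuration. This is an added example, not from the thread; the interface names (inside, outside, dmz, partner), the LAN address 192.168.10.0/24, the ACL names and the choice of SMB/NetBIOS as the "must never leave the LAN" traffic are all assumed.

```cisco
! Added example (not from the thread). Assumed: LAN 192.168.10.0/24 on "inside",
! three exit paths "outside", "dmz" and "partner"; policy: Windows file sharing
! (TCP 139/445, UDP 137-138) must never leave the LAN on any path.

! --- Option A: ONE ingress ACL on the LAN-facing interface (checked before routing) ---
access-list INSIDE_IN remark SMB/NetBIOS never leaves the LAN, whatever the exit path
access-list INSIDE_IN extended deny tcp 192.168.10.0 255.255.255.0 any eq 445
access-list INSIDE_IN extended deny tcp 192.168.10.0 255.255.255.0 any eq 139
access-list INSIDE_IN extended deny udp 192.168.10.0 255.255.255.0 any range 137 138
! ASA ACLs end in an implicit deny, so the rest of the LAN's traffic must be permitted
access-list INSIDE_IN extended permit ip 192.168.10.0 255.255.255.0 any
access-group INSIDE_IN in interface inside

! --- Option B: the SAME policy as egress ACLs (checked after routing), one per exit ---
! All three lists must stay identical and correct; a gap on any one exit is a leak,
! and every list needs its own trailing permit or it blocks all other traffic out that exit.
access-list OUTSIDE_OUT remark Copy 1 of 3 of the SMB/NetBIOS block
access-list OUTSIDE_OUT extended deny tcp 192.168.10.0 255.255.255.0 any eq 445
access-list OUTSIDE_OUT extended deny tcp 192.168.10.0 255.255.255.0 any eq 139
access-list OUTSIDE_OUT extended deny udp 192.168.10.0 255.255.255.0 any range 137 138
access-list OUTSIDE_OUT extended permit ip any any
access-group OUTSIDE_OUT out interface outside

access-list DMZ_OUT remark Copy 2 of 3 of the SMB/NetBIOS block
access-list DMZ_OUT extended deny tcp 192.168.10.0 255.255.255.0 any eq 445
access-list DMZ_OUT extended deny tcp 192.168.10.0 255.255.255.0 any eq 139
access-list DMZ_OUT extended deny udp 192.168.10.0 255.255.255.0 any range 137 138
access-list DMZ_OUT extended permit ip any any
access-group DMZ_OUT out interface dmz

access-list PARTNER_OUT remark Copy 3 of 3 of the SMB/NetBIOS block
access-list PARTNER_OUT extended deny tcp 192.168.10.0 255.255.255.0 any eq 445
access-list PARTNER_OUT extended deny tcp 192.168.10.0 255.255.255.0 any eq 139
access-list PARTNER_OUT extended deny udp 192.168.10.0 255.255.255.0 any range 137 138
access-list PARTNER_OUT extended permit ip any any
access-group PARTNER_OUT out interface partner
```

Either option is verified the same way: `show access-list INSIDE_IN` (or the three egress lists) shows per-entry hit counts, so a deny line that never increments while SMB traffic is flowing is the first sign that a copy has drifted out of sync. Adding a fourth exit interface later is where Option B silently fails: the new interface carries no copy of the block until someone remembers to add one, while Option A needs no change at all.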
