Pix Blocking a domain??

In article , Lalo wrote: :I started to receive attacks on a web server :that look like this

:

resolves to 127.0.0.1 for me, so I can't see the content you are pointing to.

Possibly the admins of instituto.com.br have changed the IP address to deflect further DoS attacks?

:I have a Pix version 6.3(1) in front of this web servers.

You should upgrade to 6.3(4) as 6.3(1) and 6.3(3) have known security problems and 6.3(2) was withdrawn. The upgrade to 6.3(4) is free if you have 6.3(x).

:Can I write an acces-list that look something like this

:access-list outside deny

any

Not really. The PIX will not resolve IP addresses. If

-happens- to have a single IP (say,

200.245.83.2), then you could

name 200.245.83.2

access-list outside deny ip host

any

But be careful that you don't confuse yourself: in that context,

is just a -label- for the IP address, and if the IP address changes then your rules will -not- adapt to the new IP. In particular, if you

no name 200.245.83.2

name 200.245.83.83

then the ACL entry will continue to use the old IP address: the label is for human convenience, not what is used internally.

If there are multiple IPs, or if you anticipate that the IP might change, then it is better (PIX 6.2 onward) to use an object-group:

object-group network instituto_hosts description

DoS attacks! network-object host 200.245.83.2 network-object host 200.245.83.83

access-list outside deny ip object-group instituto_hosts any

You can add or remove things from object groups and the change will be immediately reflected in all ACL entries that reference the object group (though it might take a moment to recompile the entries if you are using compiled acls.) And an object-group can reference several items at once, whereas a 'name' can only reference a single thing.