default denies everything

All real firewalls, Sonic, Pix, WatchGuard, Netscreen, etc... come with options you can pre-load into the appliance that will make your life easier and provide you with basic outbound services while blocking all inbound services. At the same time, there is nothing that says you have to use those pre-configured options when you set up the firewall. I never use the default configured options, and everything is blocked in/out when I start.

Leythos

Sam, any firewall can do that; if you look at Sonic, Pix, Netscreen, WatchGuard... you can configure them all to only pass the traffic (port/prot) you want in the direction you want.

Leythos

Hi,

Recently I would like to propose a firewall to a customer, and my suggestion is to use a firewall architecture that is capable of default-deny for everything.

I read somewhere that mentioned that Cisco PIX does not deny everything by default. Checkpoint does.

My client is currently using SonicWall. I wonder whether SonicWall can implement a rule to deny everything by default?

Thanks, sam

sam

Then that article is misleading, to say the least.

Quote from:

By default, all connections initiated on a network with a higher security level are allowed out, and you configure any restrictions required. You can control outbound access by IP address and protocol port, or combine access control with user authentication, as described in "Using Authentication and Authorization." If you are not enforcing restrictions on outbound network traffic, outbound access lists are not required.

An outbound access list lets you restrict hosts from starting outbound connections or lets you restrict hosts from accessing specific destination addresses or networks. Access lists work on a first-match basis, so for outbound access lists, you must permit first and then deny after.

PIX has a strange mixture of security levels and ACLs. I would forget about security levels and use ACLs; however, do not give two interfaces the same security level, as I seem to remember that will prevent the two interfaces from talking to each other.

Stig Sandbeck Mathisen

Correct, the PIX default is based on the security levels on the "inside" and "outside" interfaces. Everything is allowed to be initiated from the inside, and nothing is allowed from the outside... keeping state, of course.

And for $DEITY's sake, turn off the SMTP helper.

Stig Sandbeck Mathisen

Sorry, my statement was misunderstood. I didn't mean to use the pre-loaded settings in the appliance. I would like to block everything first, then gradually pass in the services I'm interested in, e.g.:

Deny in all
Pass out all
Pass in from any to any 25

The above rules only pass in SMTP traffic and allow all outbound traffic.

I read an article that mentioned that Cisco PIX cannot do so.

sam.

sam

Yes, all commercial FWs can do that; it is just a matter of whether it is elegant or not. Correct me if I'm wrong (and give an example): in PIX one needs to specifically deny traffic that we don't want.

Sam.

sam

sam wrote on Tue, 08 Mar 2005 21:43:36 +0800:

Funny, my PIX 515 does.

By default, so long as you set the security number on the interfaces correctly (i.e. 0 on the WAN-facing interface, 100 on the internal interface, and intermediate numbers on any other interfaces), the default for the PIX is to deny all traffic incoming on the WAN (outside) interface and to allow all outgoing connections from the inside interface. Other interfaces depend on the number given to them (as already pointed out by Stig), but by default NOTHING is allowed to make a connection into the internal interface.

For your example of allowing all out and only SMTP in, you would only need to create a single ACL allowing the SMTP port and apply it to the outside interface.

Dan

Spack
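The first-match evaluation that the quoted documentation describes and that Dan's "single ACL on the outside interface" answer relies on, as an added example (not code from any poster, and not PIX command syntax): a small model of a first-match access list with an implicit deny, plus a check for rules shadowed by an earlier broader rule. The Rule fields, the sample lists and the sample traffic are assumptions made for this example.

```python
from dataclasses import dataclass
from typing import List, Optional

# Constructed model of a first-match access list with an implicit deny at the
# end. This is not PIX syntax; Rule fields and sample lists are assumptions
# made for this example.

@dataclass(frozen=True)
class Rule:
    action: str               # "permit" or "deny"
    proto: str                # "tcp", "udp" or "any"
    dst_port: Optional[int]   # None matches any destination port

    def matches(self, proto: str, dst_port: int) -> bool:
        return self.proto in ("any", proto) and self.dst_port in (None, dst_port)

    def covers(self, other: "Rule") -> bool:
        """True if every packet matched by `other` is also matched by self."""
        return (self.proto in ("any", other.proto)
                and (self.dst_port is None or self.dst_port == other.dst_port))

def evaluate(acl: List[Rule], proto: str, dst_port: int) -> str:
    """Action of the first matching rule; implicit deny when nothing matches."""
    for rule in acl:
        if rule.matches(proto, dst_port):
            return rule.action
    return "deny"

def shadowed_rules(acl: List[Rule]) -> List[int]:
    """Indices of rules that can never fire because an earlier rule covers them.
    A deny-all placed before a permit is the classic ordering mistake."""
    return [j for j, r in enumerate(acl) if any(acl[i].covers(r) for i in range(j))]

# Dan's answer: one ACL on the outside interface permitting SMTP; all other
# inbound traffic falls through to the implicit deny.
INBOUND_OUTSIDE = [Rule("permit", "tcp", 25)]

# Sam's rules in the order he wrote them: "deny in all" comes first, so under
# first-match the SMTP permit is shadowed and never reached.
INBOUND_AS_WRITTEN = [Rule("deny", "any", None), Rule("permit", "tcp", 25)]

# The PIX default for the higher-security "inside" interface: anything may go out.
OUTBOUND_INSIDE = [Rule("permit", "any", None)]

if __name__ == "__main__":
    print(evaluate(INBOUND_OUTSIDE, "tcp", 25))      # permit
    print(evaluate(INBOUND_OUTSIDE, "tcp", 80))      # deny (implicit)
    print(evaluate(INBOUND_AS_WRITTEN, "tcp", 25))   # deny: shadowed by rule 0
    print(shadowed_rules(INBOUND_AS_WRITTEN))        # [1]
```

With first-match semantics the "deny in all" line belongs last (or is left to the implicit deny), and the shadowing check flags the permit that would otherwise silently never apply.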

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.