07-10-2002 02:41 AM - edited 02-20-2020 10:09 PM
Hi,
I'd like to understand how PIX goes about applying rules on an incoming packet? Is the first rule that matches the packet description applied or does it go to the end of the rule base before making a decision?
Does PIX do any rulebase optimization before applying the rules?
Regards,
Siddhartha
07-10-2002 04:07 AM
PIX access-lists are similar to the router's, i.e. top-down: if an ACL line is matched, it exits the loop and performs the required action (permit/deny) depending on the ACL. Conduits, on the other hand, are different: they match the best, i.e. the most specific, of all.
HTH
R/Yusuf
07-10-2002 11:45 PM
Typically, I would use 'conduit' for putting rules in the firewall. So does it mean that my conduit rule base is not optimized by PIX, and that I have to manually audit it for performance?
07-13-2002 02:51 AM
Not sure what you mean by optimization using conduits.
What I mean is: if you use conduits, the arriving packet will be checked for the best match among the conduits, but if it is an ACL, it will just go top-down; as soon as it hits a match, there is no further lookup.
e.g.:
packet arrives with a source address of 1.1.1.1
and we have following conduits
conduit deny tcp any 1.1.1.0 255.255.255.0
conduit permit tcp any host 1.1.1.1
In the above case, we will match the 2nd line, since it is the best (more specific) match. But if we had the same scenario in an ACL:
access-list 101 deny tcp 1.1.1.0 255.255.255.0 any
access-list 101 permit tcp host 1.1.1.1 any
In the ACL above, we will match the 1st line and exit the loop.
Hope that clarifies. So with conduits, the more specific match will be picked; with an ACL, top-down.
HTH
R/Yusuf
07-14-2002 08:20 PM
By optimization, what I mean is that Sonicwall puts the rules in a proper sequence even if you enter them randomly, so that the firewall does not have to go to the last rule to make a decision for every packet. This means more specific rules are put before the generic rules automatically by the firewall.
Understanding the Access Rule Hierarchy
The rule hierarchy has two basic concepts:
1. Specific rules override general rules:
   - An individual service is more specific than the Default service.
   - A single Ethernet link, such as LAN or WAN, is more specific than * (all).
   - A single IP address is more specific than an IP address range.
2. Equally specific Deny rules override Allow rules.
Rules are displayed in the Current Network Access Rules list from the most specific to the least specific, and rules at the top override rules listed below.
Could you also tell me what are the differences between access-lists and conduits?
TIA,
Siddhartha
07-14-2002 11:48 PM
On PIX, rules (i.e. conduits or ACLs) are appended at the end, after the last line you had; they are not re-hashed or re-arranged automatically, they stay in the order you entered.
Conduits and ACLs are 2 different ways to configure access, i.e. permit/deny statements. Conduit is the older way of doing it, and ACL is the newer way, the same as on the router. The conduit or access-list command defines what type of connection is allowed to an inside host and is always required when a lower security host is connecting to a higher security host. The conduit or access-list command is based on both port and protocol; it can be very permissive or very restrictive, depending on what the system administrator wants to achieve.
More:
http://www.cisco.com/warp/public/707/28.html
HTH
R/Yusuf
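To make the difference concrete, here is an added example (not from the thread or from Cisco) that models the two lookup strategies Yusuf describes, top-down first match for ACLs and most-specific match for conduits, using the two rule pairs from his post. It only matches on the packet's source address and ignores protocol and port (an assumption to keep the model small); the "specific_first" reordering mimics what Siddhartha says Sonicwall does automatically and what a PIX admin would have to do by hand.

```python
import ipaddress

# Constructed rule tables, transcribed from the thread's examples.
# Each rule: (action, network the packet's source address is checked against).
CONDUITS = [
    ("deny",   "1.1.1.0/24"),   # conduit deny tcp any 1.1.1.0 255.255.255.0
    ("permit", "1.1.1.1/32"),   # conduit permit tcp any host 1.1.1.1
]
ACL_101 = [
    ("deny",   "1.1.1.0/24"),   # access-list 101 deny tcp 1.1.1.0 255.255.255.0 any
    ("permit", "1.1.1.1/32"),   # access-list 101 permit tcp host 1.1.1.1 any
]


def _matches(net, src):
    """True if source address src falls inside network net."""
    return ipaddress.ip_address(src) in ipaddress.ip_network(net)


def acl_lookup(rules, src):
    """ACL semantics: top-down, first match wins; implicit deny if nothing matches."""
    for action, net in rules:
        if _matches(net, src):
            return action
    return "deny"


def conduit_lookup(rules, src):
    """Conduit semantics as described above: the most specific (longest prefix)
    matching rule wins regardless of its position; implicit deny otherwise."""
    best = None  # (prefix length, action)
    for action, net in rules:
        if _matches(net, src):
            plen = ipaddress.ip_network(net).prefixlen
            if best is None or plen > best[0]:
                best = (plen, action)
    return best[1] if best else "deny"


def specific_first(rules):
    """Reorder an ACL so longer prefixes come first (stable sort keeps ties in
    entry order), i.e. the manual fix that makes an ACL behave like the conduits."""
    return sorted(rules, key=lambda r: -ipaddress.ip_network(r[1]).prefixlen)


if __name__ == "__main__":
    for src in ("1.1.1.1", "1.1.1.2", "9.9.9.9"):
        print(src, "acl:", acl_lookup(ACL_101, src),
              "conduit:", conduit_lookup(CONDUITS, src),
              "reordered acl:", acl_lookup(specific_first(ACL_101), src))
```

For source 1.1.1.1 the ACL denies (first line hits) while the conduit permits (host entry is more specific); after reordering, the ACL permits as well.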