495 Views | 0 Helpful | 2 Replies

How to configure outbound ACL?

xiaoyaoren
Level 1

Now I am consolidating the network security, but with a question:

Because by default the PIX firewall permits any protocol from inside to outside, but with an IDQ exploit I can establish a reverse connection with the inside area server, now I should configure some policy limiting protocols from inside to outside. What can I do? How?

In the inside area there is no PC, only some application servers and DB servers. The configuration is as follows:

access-list inbound permit icmp any any
access-list inbound permit tcp any host 172.16.25.134 eq www
access-list inbound permit tcp any host 172.16.25.134 eq ftp
access-list inbound permit tcp any host 172.16.25.150 eq www
access-list inbound permit tcp any host 172.16.25.151 eq www
access-list inbound permit tcp any host 172.16.25.152 eq www
access-list inbound permit tcp any host 172.16.25.153 eq www
access-list inbound permit tcp any host 172.16.25.1 eq 9001
access-list inbound permit tcp any host 172.16.25.1 eq 8001
access-list inbound permit tcp any host 172.16.25.2 eq 9001
access-list inbound permit tcp any host 172.16.25.2 eq 8001
access-list inbound permit tcp any host 172.16.25.3 eq 8001
access-list inbound permit tcp any host 172.16.17.170 eq 1888
access-list inbound permit tcp any host 172.16.17.171 eq 1888
access-list inbound permit udp any host 172.16.17.170 eq 1999
access-list inbound permit udp any host 172.16.17.171 eq 1999
access-list inbound permit tcp any host 172.16.17.170 eq 1889
access-list inbound permit tcp any host 172.16.17.171 eq 1889
access-list inbound permit udp any host 172.16.17.201 eq syslog
access-list inbound permit udp any host 172.16.17.200 eq syslog
access-list inbound permit udp any host 172.16.17.201 eq snmptrap
access-list inbound permit udp any host 172.16.17.200 eq snmptrap
access-list inbound permit tcp any host 172.16.17.201 eq 42340
access-list inbound permit tcp any host 172.16.17.201 eq 42341
access-list inbound permit tcp any host 172.16.17.201 eq 42343
access-list inbound permit udp any host 172.16.17.201 eq 42342
access-list inbound permit tcp any host 172.16.25.129 eq www

2 Replies

lwierenga
Level 1

Is this your actual ACL configuration with public IPs?

pavlosd
Level 2

The access-list you stated above looks like it is from outside to inside!!! Correct? Now if you want to limit from inside to outside, you will have to sort of reverse the above access-list statements.

For example, you said that all your servers are located on the inside. Let's take the example of an FTP server. You expect that server only to answer a request on port 80 or 443, correct?

So an inside-to-outside access-list would be:

"access-list outbound permit tcp host 172.16.25.150 eq www any"

This avoids traffic being initiated from inside, unless it "conforms" to some rules.

Regards.
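A fuller version of that inside-to-outside list, as an added example rather than the poster's own configuration: the PIX tracks TCP and UDP connections statefully, so replies to the inbound-permitted connections need no outbound permit at all, and a rule keyed on source port www would still let an inside host open a brand-new connection as long as it chose source port 80. The list below instead permits only the outbound flows the servers are assumed to need, denies and logs everything else, and binds the list to the inside interface. Assumptions: the servers only need DNS and NTP outbound, the resolver and time source addresses are placeholders from the documentation range, the inside networks are /24s, and the firewall runs PIX 6.3 or later (needed for the log keyword).

```cisco
! Added example, not from the thread. Placeholder addresses 203.0.113.53
! (resolver) and 203.0.113.123 (NTP) and the /24 masks are assumptions.
!
! Outbound connections the inside servers legitimately initiate.
access-list outbound permit udp 172.16.25.0 255.255.255.0 host 203.0.113.53 eq domain
access-list outbound permit udp 172.16.17.0 255.255.255.0 host 203.0.113.53 eq domain
access-list outbound permit udp 172.16.25.0 255.255.255.0 host 203.0.113.123 eq ntp
access-list outbound permit udp 172.16.17.0 255.255.255.0 host 203.0.113.123 eq ntp
!
! Every other connection initiated from inside is dropped and logged.
! A server opening its own connection to the Internet is the event to watch for.
access-list outbound deny ip any any log
!
! Apply the list to traffic entering the firewall on the inside interface.
! Return traffic for connections permitted by the inbound list on the outside
! interface is still allowed by the connection table; it never consults this ACL.
access-group outbound in interface inside
```

Review the syslog output for the deny entries before tightening further: any legitimate outbound flow the servers need (software updates, external syslog, mail relay) will show up there and should be added as an explicit permit above the deny.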