
Stopping server initiating connections

matt-long
Level 1

I have had a request asking whether a PIX firewall can do the following:

There is a PIX 515 with a DMZ, and there is a web server on the DMZ.

The client would like the web server to be accessible to connections from the internet and to respond to them. However, they would like the server not to be able to initiate its own new connections to the internet (all on the HTTP protocol).

The only way I can think of to do this would be to put the DMZ at a lower security level than the outside interface.

Is there any other way of doing this?

Thanks

4 Replies

mehrdad
Level 3

Check this out, please:

static (dmz,outside) tcp global_ip 80 dmz_ip 80 netmask 255.255.255.255 0 0

access-list acl_in permit tcp any host global_ip eq www

access-group acl_in in interface outside

Hello,

To disallow connections entirely from the DMZ you can simply put an access-list "access-list DMZ-list deny ip any any". And of course "access-group DMZ-list in interface DMZ".

Best Regards

Robert Maras

Thanks for these suggestions,

I understand how to use the access-lists to permit access from the internet, but the suggestions will still allow the server on the DMZ to initiate a connection to the internet.

Basically the theory is that if someone hacked into the web server they cannot initiate a connection to anywhere else. But with ACLs I cannot see any way of only allowing ongoing connections. With a router you can use the established keyword in the ACL, but there does not seem to be that option in the PIX. There is an established command, but this seems to be used for something slightly different.

Hello,

Then you have not understood how the PIX behaves. The PIX is a stateful firewall. As I wrote in my previous note, and to clarify: the access-list on the outside should look like this (along with your other lines):

access-list OUTSIDE permit tcp any host WEBSERVER eq 80

This should be placed on the outside-interface.

On the dmz-interface you can have an access-list:

access-list DMZ deny ip any any

This should be placed on the dmz-interface.

This way you do not allow any initiation of traffic from the DMZ.

What happens from the outside is:

A client on the internet accesses your web server. The packet is allowed by your outside access-list. The connection is then put in the "connection table". The return traffic from your web server is first checked against the connection table. If there is a connection initiated from the internet, your return traffic from the web server will be allowed. If there is not, the traffic will be checked by the access-list on the DMZ interface. This is also known as a "stateful firewall". So, again, if you apply an access-list that drops traffic from the DMZ, you can never initiate traffic from the DMZ. I do not know if I can clarify this better.

A router with CBAC functionality also has the same statefulness as the PIX. If you have a router that does not have this functionality, you must use the established keyword. And as you write, the established command is something else on the PIX.

Best Regards

Robert Maras
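The order of evaluation described in the reply above, as a small added Python model. This is an illustration written for this page, not PIX code or a PIX configuration; the addresses, ports and the two-rule policy are constructed from the thread's example (RFC 5737 ranges), and the Pix class is a toy, not the real forwarding path. It shows the server's reply passing on the connection-table entry while a SYN, or a forged ACK, originated by the server is dropped, and contrasts the same outbound attempt when no access-list is applied to the DMZ:

```python
"""Toy model of the PIX forwarding decision described above: connection table
first, then the ingress access-list, else the security-level default.  Added
illustration, not PIX code; all addresses are constructed (RFC 5737 ranges)."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"
    syn: bool = False  # True only for the packet that opens a new TCP connection


@dataclass(frozen=True)
class Rule:
    """One access-list entry, e.g. permit tcp any host 198.51.100.10 eq 80."""
    action: str        # "permit" or "deny"
    proto: str         # "ip" (any protocol) or "tcp"
    src: str           # "any" or one address
    dst: str           # "any" or one address
    dport: int = 0     # 0 means any destination port
    def matches(self, p: Packet) -> bool:
        return (self.proto in ("ip", p.proto) and self.src in ("any", p.src_ip)
                and self.dst in ("any", p.dst_ip) and self.dport in (0, p.dst_port))


class Pix:
    def __init__(self, security: dict, routes: dict):
        self.security = security                   # interface -> security level
        self.routes = {ipaddress.ip_network(n): i for n, i in routes.items()}
        self.acls = {}                             # interface -> applied access-list
        self.statics = {}                          # global address -> real address
        self.conns = set()                         # connection table, both directions

    def egress(self, ip: str) -> str:
        addr = ipaddress.ip_address(ip)
        return next((i for n, i in self.routes.items() if addr in n), "outside")

    def acl_permits(self, iface: str, p: Packet, real: Packet) -> bool:
        if iface in self.acls:
            for r in self.acls[iface]:
                if r.matches(p):
                    return r.action == "permit"
            return False  # implicit deny at the end of every access-list
        # No access-list applied: only higher-to-lower security traffic passes.
        return self.security[iface] > self.security[self.egress(real.dst_ip)]

    def forward(self, iface: str, p: Packet) -> str:
        """Return 'allow' or 'drop' for packet p arriving on interface iface."""
        # 1. Undo the static so the flow is tracked by the server's real address.
        real = Packet(p.src_ip, p.src_port, self.statics.get(p.dst_ip, p.dst_ip),
                      p.dst_port, p.proto, p.syn)
        key = (real.proto, real.src_ip, real.src_port, real.dst_ip, real.dst_port)
        # 2. Connection table: a reply on an existing flow never touches an access-list.
        if key in self.conns:
            return "allow"
        # 3. No entry: only a SYN may create one; a stray ACK is dropped right here.
        if p.proto == "tcp" and not p.syn:
            return "drop"
        # 4. The ingress access-list sees addresses as they arrived (global on outside).
        if not self.acl_permits(iface, p, real):
            return "drop"
        self.conns.add(key)
        self.conns.add((real.proto, real.dst_ip, real.dst_port, real.src_ip, real.src_port))
        return "allow"


def build_pix(deny_dmz: bool = True) -> Pix:
    """Thread's setup: server 192.0.2.10 on the DMZ, published outside as 198.51.100.10."""
    pix = Pix(security={"outside": 0, "dmz": 50}, routes={"192.0.2.0/24": "dmz"})
    # static (dmz,outside) tcp 198.51.100.10 80 192.0.2.10 80 netmask 255.255.255.255 0 0
    pix.statics["198.51.100.10"] = "192.0.2.10"
    # access-list OUTSIDE permit tcp any host 198.51.100.10 eq 80
    # access-group OUTSIDE in interface outside
    pix.acls["outside"] = [Rule("permit", "tcp", "any", "198.51.100.10", 80)]
    if deny_dmz:  # access-list DMZ deny ip any any / access-group DMZ in interface dmz
        pix.acls["dmz"] = [Rule("deny", "ip", "any", "any")]
    return pix


def scenario() -> dict:
    pix = build_pix()
    client, web_global, web_real = "203.0.113.7", "198.51.100.10", "192.0.2.10"
    r = {}
    # An internet client opens a connection to the server: permitted, entry created.
    r["inbound_syn"] = pix.forward("outside", Packet(client, 40000, web_global, 80, syn=True))
    # The server's reply: found in the connection table, DMZ access-list not consulted.
    r["reply"] = pix.forward("dmz", Packet(web_real, 80, client, 40000))
    # A compromised server tries to open its own HTTP connection out: DMZ list denies it.
    r["dmz_initiated"] = pix.forward("dmz", Packet(web_real, 45000, "203.0.113.9", 80, syn=True))
    # Same attempt with a forged ACK (a router's "established" keyword would match this).
    r["dmz_forged_ack"] = pix.forward("dmz", Packet(web_real, 45001, "203.0.113.9", 80))
    # Without the DMZ access-list the security-level default lets the server initiate.
    r["dmz_initiated_no_acl"] = build_pix(deny_dmz=False).forward(
        "dmz", Packet(web_real, 45002, "203.0.113.9", 80, syn=True))
    return r
```

Two practical caveats that follow from the model: the "deny ip any any" on the DMZ also stops the server's own DNS, NTP, syslog and update traffic, so in practice you permit those explicitly above the deny; and, as in mehrdad's lines, the outside access-list on this PIX generation references the global (translated) address of the static, not the server's DMZ address.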