
Is a "deny any any" the default or are CISCO lying


ianbla

IS-IT--Management
Oct 31, 2001
I still have Conduit statements on my PIX. I know I should turn them into access-lists, but it keeps giving me a headache every time I try and work them out.

My question is this: In the command reference manual v6.1 (sec 3-19), it states;

For example; CONDUIT DENY TCP ANY ANY

"This command is the default condition for the Conduit command in that all ports are denied until explicitly permitted"

I have looked at the traffic passing through from outside > inside and there is traffic passing through that I haven't set a conduit for. This is very worrying.

Is the statement made by CISCO false?

Please help, many thanks
Ian.
 
Depending on the PIX OS code you are using, yes, it will deny all incoming traffic by default. Any conduits or access-lists open it up.

I think it's like PIX 4.0 or something where they started the default of deny.
 
Is the traffic allowed a reply from an inside request? Are you able to see the SYN packet passing through the PIX from the outside?
 
Yes... connections established from the inside to the outside are allowed by default.
 
Does a conduit statement take effect straight away, or do I have to do something silly like disable and then re-enable the interface?
 
Conduits should work right away. You might have to do a "clear xlate" if you have troubles, though.

You should really look into making access-lists rather than conduits. The access-lists are much faster. :)
 
I have the following conduit statement

conduit deny tcp any eq ftp any

but everybody on the inside network can FTP as much as they like.
 
Conduits are for inbound (outside coming in) only. You would have to create an access-list or an outbound.

I.E.

access-list 101 deny tcp any any eq ftp
access-list 101 permit ip any any

access-group 101 in interface inside

This will block outgoing ftp from your inside interface, but allow everything else to go out.
 
Is the only way to limit FTP access to introduce access-lists?

How was it done before access-lists?

cheers
Ian.
 
If I do not already have an access-list allowing FTP access, shouldn't it be denied by default?
 
By default, traffic moving from a higher security interface to a lower security interface is allowed. A lower security interface cannot access a higher security interface without using a conduit or access-list.
 
Not for outbound traffic. Cisco's basis is to allow anything out and nothing in.

Conduit statements allow for traffic to come inside; access-lists can be used both ways. You can leave your conduit statements in for your inbound traffic and add something like this (change as required):

access-list outbound permit tcp any any eq 80

access-group outbound in interface inside

This will let anyone on the inside out on port 80 and then deny everything else from going out.

 
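The rules the replies above describe (higher-to-lower security allowed by default, conduits only checked for inbound traffic, an applied access-list replacing the default with an implicit deny) can be modelled in a few lines. This is an added example written for this thread, not PIX code or anything the posters supplied; the interface names, security levels and the rule tuple format are constructed for the model.

```python
# Constructed security levels: outside=0, inside=100, as on a two-interface PIX.
SECURITY = {"outside": 0, "inside": 100}

# A rule is (action, protocol, src_port, dst_port); None means "any",
# and protocol "ip" matches every protocol, like "permit ip any any".


def _matches(rule, proto, src_port, dst_port):
    """True when the rule's protocol and ports cover this connection."""
    _, r_proto, r_sp, r_dp = rule
    return (r_proto in (None, "ip", proto)
            and r_sp in (None, src_port)
            and r_dp in (None, dst_port))


def _eval(rules, proto, src_port, dst_port):
    """First matching rule wins; falling off the end is the implicit deny."""
    for rule in rules:
        if _matches(rule, proto, src_port, dst_port):
            return rule[0] == "permit"
    return False


def allowed(src_if, dst_if, proto, dst_port, conduits=(), access_groups=None,
            src_port=None):
    """Decide whether a new connection entering on src_if may reach dst_if.

    conduits      : rules consulted only for traffic from a lower-security
                    interface to a higher one (inbound), as the thread explains.
    access_groups : {interface: rules} applied "in" on the interface where the
                    traffic enters; once applied, the list replaces the default.
    """
    access_groups = access_groups or {}
    if src_if in access_groups:                 # access-group <acl> in interface <src_if>
        return _eval(access_groups[src_if], proto, src_port, dst_port)
    if SECURITY[src_if] > SECURITY[dst_if]:     # higher -> lower: allowed by default
        return True
    return _eval(conduits, proto, src_port, dst_port)  # lower -> higher: needs a conduit


# The situations from the thread, as constructed rule sets.
FTP_CONDUIT_DENY = [("deny", "tcp", None, 21)]            # conduit deny tcp any eq ftp any
ACL_101 = {"inside": [("deny", "tcp", None, 21),          # access-list 101 deny tcp any any eq ftp
                      ("permit", "ip", None, None)]}      # access-list 101 permit ip any any
ACL_OUTBOUND = {"inside": [("permit", "tcp", None, 80)]}  # access-list outbound permit tcp any any eq 80
```

Running `allowed("inside", "outside", "tcp", 21, conduits=FTP_CONDUIT_DENY)` reproduces what Ian saw: the conduit is never consulted for an inside-to-outside connection, so FTP out is still allowed.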
Hi.

> Is the only way to limit FTP access to introduce access-lists?
> How was it done before access-lists?

In earlier versions of the PIX (4.x) it was done with the "outbound" and "apply" commands.
These are obsolete now, but I think that the PIX still supports them for backward compatibility.
Do not use these commands - use access-list instead.

Bye
Yizhar Hurwitz
 