Thursday, 29 January 2015

More fun with the pix

Now that I'm getting more familiar with the pix, there's one simple rule that I hadn't known before. It's to do with access control lists.

There's three interfaces, inside, dmz and outside. It's pretty obvious what those mean. But there's two directions, incoming and outgoing. You might think that anything going to one of your servers on the inside, must be incoming. But the pix doesn't see it that way.

You have to look at it from the point of view of the pix. If packets are moving from the pix inside interface card, to your inside server, then they're "outgoing", because from the point of view of the pix, that's what they are. And likewise with the other five combinations of inside/dmz/outside and incoming/outgoing. That had me badly confused for a very long time (years and years, actually). But I think I have it clear now.

So I cleared off all the rules that I've been setting up over the last two weeks, and started again. And I now have a much simpler, and (I think) better, configuration. Since the eta for the new line is weeks or months away (because of needing to dig up the road) I can experiment like this.

One of the things that the pix does that makes things easier, is you can define names for things. So, instead of having to refer to I can define that as "mail1". Even better, I can set up groups, so I can define a group "allmails" as being "mail1, mail2, mail3, scrofula and heartburn". Because I know that these are the servers that will be receiving email, so I can set up my access rule with one line instead of five.

Likewise Samba. Samba needs access on ports 139 and 445. So I've defined "Samba" as being those two, which means that whenever I want a rule about Samba, it's just one rule and not two.
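
The names and groups described above, combined with the direction rule from earlier in the post, could look like this in PIX 7.x configuration syntax. This is an added example, not the author's configuration: the addresses, the "fileserver" name, the dmz subnet and the access list name inside_out are all assumptions.

```cisco
! Constructed example; every address below is a placeholder.
names
name 10.0.1.11 mail1
name 10.0.1.12 mail2
name 10.0.1.13 mail3
name 10.0.1.14 scrofula
name 10.0.1.15 heartburn
! Hypothetical Samba host, not named in the post
name 10.0.1.20 fileserver
!
! One group for every server that receives email
object-group network allmails
 network-object host mail1
 network-object host mail2
 network-object host mail3
 network-object host scrofula
 network-object host heartburn
!
! One group for both Samba ports
object-group service Samba tcp
 port-object eq 139
 port-object eq 445
!
! One line covers SMTP to all five mail servers
access-list inside_out extended permit tcp any object-group allmails eq smtp
! One line covers both Samba ports (source subnet is an assumed dmz range)
access-list inside_out extended permit tcp 10.0.2.0 255.255.255.0 host fileserver object-group Samba
!
! "out" on the inside interface: packets leaving the pix towards inside hosts
access-group inside_out out interface inside
```

Anything the list does not match is dropped by the implicit deny at its end, so a new connection towards the inside needs its own permit line.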

But life wouldn't be complete without a "gotcha", and today's has had me foxed for over a week. It's to do with writing the pix configuration out to a file. One way is to display it at a terminal, then cut-and-paste it to a file. But that's getting tedious. And there's a quicker way, tftp, the "trivial ftp" service. I have a tftp server set up, that was easy (courtesy of yum), but I just couldn't make the pix write to it.

Eventually, I discovered two things. The first is that tftp will only overwrite an existing file. It won't create a new file ... unless you change the server_args in the xinetd.d file to be like this:

server_args        = -c -s /home/drsolly/firewall

The -c tells it that it can create a file, and the -s tells it where.

So then you tell the pix what server to write to, which is easy, and then the pix wants to know the path. So, of course, I told it "/home/drsolly/firewall/pix.conf"

Because to me, "path" means the whole thing. But that isn't what is wanted here. The correct reply is "pix.conf"

Once I'd finally understood that, I can now write the configuration to a file. I also wrote the asdm program out to a file ... I wonder if I can send that to the pix515e that doesn't have one?
