Re: zone-based FW: "pass" means one-way or two?

From: ALL From_NJ <all.from.nj_at_gmail.com>
Date: Fri, 6 Nov 2009 15:45:03 -0500

In addition to what has been written ...

I may be mistaken; however, I believe the pass option means that this
particular traffic will be permitted or filtered by an access list or other
means. Traffic will not simply pass from one zone to the other, ... but
will be checked with another means ... - access lists.

If you have pass listed for a class and no access-lists, will it simply
allow the traffic between zones? ... I do not think so. I may be wrong about
this as I only labbed this a few weeks ago and may be getting this confused
in my head. I would be interested to hear anyone's thoughts ...

Andrew Lee Lissitz

On Fri, Nov 6, 2009 at 3:38 PM, Gavin Schokman <g_schokman_at_yahoo.com.au> wrote:

> Nice one, Piotr. That's the one bit of information that is missing from
> anywhere in the DocCD config guides, command references, etc.
> Shame it's quite an important bit :|
>
> Thanks for the help!
>
> Cheers,
> Gavin
>
>
> _____
>
> From: Piotr Matusiak [mailto:piotr_at_ccie1.com]
> Sent: 06 November 2009 20:31
> To: Gavin Schokman
> Cc: ccielab_at_groupstudy.com
> Subject: Re: zone-based FW: "pass" means one-way or two?
>
>
> Gavin,
>
> The "pass" action does not have any stateful capability, so that it won't
> open any dynamic holes for returning traffic.
> It is useful when you use SELF zone and want to "pass" traffic destined or
> originated from the router without any inspection.
>
> HTH,
> --
> Piotr Matusiak
> CCIE #19860 (R&S, SEC)
> Technical Instructor
> MicronicsTraining.com
>
> "If you can't explain it simply, you don't understand it well enough" -
> Albert Einstein
>
>
>
> 2009/11/6 Gavin Schokman <g_schokman_at_yahoo.com.au>
>
>
> Hi GS'ers,
>
> Doing a lab exercise and hitting some unexpected behaviour here with
> zone-based firewall.
> I've got the following config defined on my firewall router
>
> !! traffic def's
>
> class-map typ inspect match-all HTTP
> match protocol http
>
> class-map type inspect FTP
> match protocol ftp
>
> class-map type inspect DNS
> match protocol DNS
>
> class-map type inspect H323
> match protocol h323
>
> class-map type inspect TELNET
> match protocol telnet
>
> ! policies
>
> policy-map type inspect INSIDE->OUTSIDE
> class type inspect HTTP
> pass
> class type inspect FTP
> pass
> class type inspect DNS
> pass
> class type inspect H323
> pass
> class type inspect TELNET
> inspect
> class class-default
> drop
>
> policy-map type inspect OUTSIDE->INSIDE
> class class-default
> no drop
>
> zone security INSIDE
>
> zone sec OUTSIDE
>
> zone-pair sec OUTSIDE->INSIDE sou OUTSIDE dest INSIDE
> service-p type inspect OUTSIDE->INSIDE
>
> zone-pair sec INSIDE->OUTSIDE sou INSIDE dest OUTSIDE
> service-p type inspect INSIDE->OUTSIDE
>
>
> !! bind interfaces
>
> int se1/0
> zone-m sec OUTSIDE
>
> int fa0/0
> zone-m sec INSIDE
>
>
> R5 ----- R6 ----- BB1
> R5 is inside, R6 is the firewall router & BB1 on the outside
>
> BB1 has telnet & http server enabled.
>
> Trying to telnet to BB1 from R5 works with the "inspect" option configured.
> The forward traffic is allowed through, as is the return traffic.
> However, http connections (which have the "pass" option) are not working.
> Traffic in the forward direction, i.e. R5 -> BB1 works (witnessed via "deb
> ip packet" on BB1), but it seems the return traffic is being blocked by R6.
>
> My understanding of the "pass" & "inspect" options in zone-based FW is that
> they both allow forward traffic out and dynamically create a rule to allow
> the return traffic. Also, DocCD states:
> -- quote
> If a policy is not configured between a pair of zones, traffic is dropped.
> However, it is not necessary to configure a zone-pair and a service policy
> solely for return traffic. Return traffic is allowed, by default, if a
> service policy permits the traffic in the forward direction. In the above
> example, it is not mandatory that you configure a zone-pair source Z2
> destination Z1 solely for allowing return traffic from Z2 to Z1. The service
> policy on the Z1-Z2 zone-pair takes care of it.
> -- end quote
>
>
> Can someone help shed some light on what is expected behaviour for the
> "pass" option?
>
> Thanks
>
> Kind regards,
> Gavin
>
>
> Blogs and organic groups at http://www.ccie.net
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
>
>

-- 
Andrew Lee Lissitz
all.from.nj_at_gmail.com
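The behaviour Piotr describes (pass is stateless, so it never opens a return hole; inspect does) can be seen side by side in the following IOS configuration. This is an added example, not config from anyone in the thread: it reuses Gavin's zone and policy names, moves his application classes from pass to inspect, and then shows the one place pass fits, a policy to and from the router's own self zone. The 10.0.0.0/24 management subnet, the choice of SSH, and the interface names are assumptions.

```cisco
! Added example (not from the thread). Zone and policy names follow Gavin's config.
!
! Part 1: INSIDE->OUTSIDE with "inspect" for every application class.
! "inspect" records each session, so the replies are matched against the
! session table and no reverse zone-pair is required for return traffic.
class-map type inspect match-any INSIDE_APPS
 match protocol http
 match protocol ftp
 match protocol dns
 match protocol h323
 match protocol telnet
!
policy-map type inspect INSIDE->OUTSIDE
 class type inspect INSIDE_APPS
  inspect
 class class-default
  drop
!
zone security INSIDE
zone security OUTSIDE
!
zone-pair security INSIDE->OUTSIDE source INSIDE destination OUTSIDE
 service-policy type inspect INSIDE->OUTSIDE
! Deliberately no OUTSIDE->INSIDE zone-pair: with no policy between those
! zones, unsolicited traffic from OUTSIDE is dropped, while replies to
! inspected sessions are still admitted.
!
! Part 2: where "pass" fits - traffic to and from the router itself (zone
! "self"). Because "pass" keeps no state, each direction needs its own
! zone-pair and its own ACL; a single INSIDE->SELF pass would let the
! SSH request in but the router's replies would have no matching policy.
! The 10.0.0.0/24 management subnet and the use of SSH are assumptions.
ip access-list extended MGMT_TO_ROUTER
 permit tcp 10.0.0.0 0.0.0.255 any eq 22
ip access-list extended ROUTER_TO_MGMT
 permit tcp any eq 22 10.0.0.0 0.0.0.255
!
class-map type inspect match-all TO_SELF
 match access-group name MGMT_TO_ROUTER
class-map type inspect match-all FROM_SELF
 match access-group name ROUTER_TO_MGMT
!
policy-map type inspect INSIDE->SELF
 class type inspect TO_SELF
  pass
 class class-default
  drop
policy-map type inspect SELF->INSIDE
 class type inspect FROM_SELF
  pass
 class class-default
  drop
! Note: class-default drop on SELF->INSIDE also blocks anything else the
! router originates toward INSIDE (routing protocol hellos, ICMP). Widen
! the ACLs to cover whatever the router itself legitimately sends.
!
zone-pair security INSIDE->SELF source INSIDE destination self
 service-policy type inspect INSIDE->SELF
zone-pair security SELF->INSIDE source self destination INSIDE
 service-policy type inspect SELF->INSIDE
!
interface FastEthernet0/0
 zone-member security INSIDE
interface Serial1/0
 zone-member security OUTSIDE
```

After applying this, "show policy-map type inspect zone-pair INSIDE->OUTSIDE sessions" lists an entry for each inspected HTTP or Telnet connection from R5; the pass classes on the self-zone pairs never create entries there, which is exactly why they need the explicit reverse zone-pair.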
Received on Fri Nov 06 2009 - 15:45:03 ART

This archive was generated by hypermail 2.2.0 : Tue Dec 01 2009 - 06:36:28 ART