Yup, that's logical. Makes sense once we know "inspect" is stateful, whereas
"pass" is not :)
Cheers,
Gavin
-----Original Message-----
From: Cristian Matei [mailto:cristian.matei_at_datanets.ro]
Sent: 06 November 2009 20:40
To: 'Piotr Matusiak'; 'Gavin Schokman'
Cc: ccielab_at_groupstudy.com
Subject: RE: zone-based FW: "pass" means one-way or two?
Hi Gavin,
Also, apart from the fact that the "pass" action is unidirectional, take
care of the following: if you have 2 zones, inside and outside, and configure a
"pass" action from inside to outside for http traffic, then in order for the
return traffic to be allowed MAKE SURE that the return traffic matches a
"pass" action as well and NOT an "inspect" action; if it matches an inspect
it will get dropped (basically you can see the statements inside the
policy-map like ACEs inside an ACL with top-down processing).
Regards,
Cristian.
-----Original Message-----
From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of
Piotr Matusiak
Sent: Friday, November 06, 2009 10:31 PM
To: Gavin Schokman
Cc: ccielab_at_groupstudy.com
Subject: Re: zone-based FW: "pass" means one-way or two?
Gavin,
The "pass" action does not have any stateful capability, so it won't
open any dynamic holes for returning traffic.
It is useful when you use the SELF zone and want to "pass" traffic destined to or
originated from the router without any inspection.
HTH,
--
Piotr Matusiak
CCIE #19860 (R&S, SEC)
Technical Instructor
MicronicsTraining.com

If you can't explain it simply, you don't understand it well enough - Albert Einstein

2009/11/6 Gavin Schokman <g_schokman_at_yahoo.com.au>
> Hi GS'ers,
>
> Doing a lab exercise and hitting some unexpected behaviour here with
> zone-based firewall.
> I've got the following config defined on my firewall router
>
> !! traffic def's
>
> class-map typ inspect match-all HTTP
>  match protocol http
>
> class-map type inspect FTP
>  match protocol ftp
>
> class-map type inspect DNS
>  match protocol DNS
>
> class-map type inspect H323
>  match protocol h323
>
> class-map type inspect TELNET
>  match protocol telnet
>
> ! policies
>
> policy-map type inspect INSIDE->OUTSIDE
>  class type inspect HTTP
>   pass
>  class type inspect FTP
>   pass
>  class type inspect DNS
>   pass
>  class type inspect H323
>   pass
>  class type inspect TELNET
>   inspect
>  class class-default
>   drop
>
> policy-map type inspect OUTSIDE->INSIDE
>  class class-default
>   no drop
>
> zone security INSIDE
>
> zone sec OUTSIDE
>
> zone-pair sec OUTSIDE->INSIDE sou OUTSIDE dest INSIDE
>  service-p type inspect OUTSIDE->INSIDE
>
> zone-pair sec INSIDE->OUTSIDE sou INSIDE dest OUTSIDE
>  service-p type inspect INSIDE->OUTSIDE
>
>
> !! bind interfaces
>
> int se1/0
>  zone-m sec OUTSIDE
>
> int fa0/0
>  zone-m sec INSIDE
>
>
> R5 ----- R6 ----- BB1
> R5 is inside, R6 is the firewall router & BB1 on the outside
>
> BB1 has telnet & http server enabled.
>
> Trying to telnet to BB1 from R5 works with the "inspect" option configured.
> The forward traffic is allowed through, as is the return traffic.
> However, http connections (which have the "pass" option) are not working.
> Traffic in the forward direction, i.e. R5 -> BB1, works (witnessed via
> "deb ip packet" on BB1), but it seems the return traffic is being
> blocked by R6.
>
> My understanding of the "pass" & "inspect" options in zone-based FW
> is that they both allow forward traffic out and dynamically create a
> rule to allow the return traffic. Also, DocCD states:
> -- quote
> If a policy is not configured between a pair of zones, traffic is dropped.
> However, it is not necessary to configure a zone-pair and a service
> policy solely for return traffic. Return traffic is allowed, by
> default, if a service policy permits the traffic in the forward
> direction. In the above example, it is not mandatory that you
> configure a zone-pair source Z2 destination Z1 solely for allowing
> return traffic from Z2 to Z1. The service policy on the Z1-Z2
> zone-pair takes care of it.
> -- end quote
>
> Can someone help shed some light on what is expected behaviour for the
> "pass" option?
>
> Thanks
>
> Kind regards,
> Gavin
>
>
> Blogs and organic groups at http://www.ccie.net
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html

Received on Fri Nov 06 2009 - 20:45:14 ART
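A small Python model of the pass/inspect behaviour discussed in this thread; this is an added illustration, not IOS code and not anything the posters wrote. The policy table mirrors the INSIDE->OUTSIDE policy in Gavin's config, flow state is created only by "inspect", and a reply that hits an "inspect" class on the reverse zone-pair is dropped as Cristian describes; the Packet/ZoneFirewall/round_trip names are my own simplification.

```python
"""Toy model of zone-based firewall "pass" vs "inspect" (added example, not IOS code)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_zone: str
    dst_zone: str
    proto: str              # the "match protocol" value, e.g. "http" or "telnet"
    src: str
    dst: str
    initiator: bool = True  # True for a connection-opening packet (TCP SYN)

    def reply(self):
        """The return packet of this flow, as seen on the reverse zone-pair."""
        return Packet(self.dst_zone, self.src_zone, self.proto, self.dst, self.src, False)


# zone-pair -> (class, action) entries, evaluated top-down like ACEs in an ACL.
# "default" stands for class-default.  Constructed to mirror the posted config.
POSTED_POLICY = {
    ("INSIDE", "OUTSIDE"): [("http", "pass"), ("ftp", "pass"), ("dns", "pass"),
                            ("h323", "pass"), ("telnet", "inspect"), ("default", "drop")],
    ("OUTSIDE", "INSIDE"): [("default", "drop")],
}


class ZoneFirewall:
    def __init__(self, policy):
        self.policy = policy
        self.sessions = set()   # dynamic state; only "inspect" ever adds to it

    def action_for(self, pkt):
        # No zone-pair configured between the zones means the traffic is dropped.
        for cls, action in self.policy.get((pkt.src_zone, pkt.dst_zone), []):
            if cls in (pkt.proto, "default"):
                return action
        return "drop"

    def forward(self, pkt):
        key = (pkt.src_zone, pkt.dst_zone, pkt.proto, pkt.src, pkt.dst)
        if key in self.sessions:          # return traffic of an inspected session
            return "allow"
        action = self.action_for(pkt)
        if action == "inspect":
            if not pkt.initiator:         # inspect only accepts session openers
                return "drop"
            self.sessions.add((pkt.dst_zone, pkt.src_zone, pkt.proto, pkt.dst, pkt.src))
            return "allow"
        return "allow" if action == "pass" else "drop"


def round_trip(policy, proto):
    """(forward verdict, return-traffic verdict) for R5 (inside) -> BB1 (outside)."""
    fw = ZoneFirewall(policy)
    req = Packet("INSIDE", "OUTSIDE", proto, "R5", "BB1")
    return fw.forward(req), fw.forward(req.reply())
```

With the posted policy, round_trip gives ("allow", "allow") for telnet and ("allow", "drop") for http, which is the behaviour Gavin observed.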