As I have muddled through setting up and working on a firewall, I have a couple of questions:
1. When you create an inbound (incoming) rule (for example permitting http traffic) from a lower security interface (DMZ) to a higher security interface (inside), do you need to have a rule on the 'inside' interface in the outbound direction to allow the http traffic through? Or does the incoming rule on the lower security interface (DMZ) take care of that? Maybe my question is really: is there an implied outgoing ACL on the inside interface that would stop traffic coming from a DMZ interface?
2. When you apply rules to an interface, where is the best place to apply them - incoming or outgoing? I am assuming closest to the sending device, correct?
"access-list DMZ_access_in extended permit tcp any any eq www
will allow http traffic out of the DMZ, and it should be able to hit a device on the higher security 'inside' interface (or a lower security interface for that matter). Correct?"
If the ACL DMZ_access_in is applied inbound to the DMZ interface, then yes, the above would allow http traffic from any device in the DMZ to any device on the inside.
"or a lower security interface for that matter)"
Yes, but note that you wouldn't need an ACL if you just wanted to allow traffic from the DMZ to a lower security interface.
"Sorry for all the questions, I just want to be sure I have a clear understanding."
No need to apologise, this is what NetPro is for. Feel free to ask as many questions as you want :-)
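For anyone following along, here is an added example configuration that ties the two answers above together. It is not from the original thread; the interface names, security levels, addresses and the web server host 10.1.1.10 are all assumed for illustration. It shows the ACL applied inbound on the DMZ interface (the interface the packets arrive on), with nothing applied to inside, and scopes the permit to a single server rather than "any any":

```cisco
! Added example, not from the original thread. Interface names, security
! levels and addresses are assumed for illustration.
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.1.1.1 255.255.255.0
!
interface GigabitEthernet0/2
 nameif dmz
 security-level 50
 ip address 172.16.1.1 255.255.255.0
!
! dmz (50) to inside (100) is lower-to-higher, so it needs an explicit permit.
! Permit only the DMZ subnet to the one assumed web server on port 80, and
! make the implicit deny at the end explicit so denied DMZ traffic is logged.
access-list DMZ_access_in extended permit tcp 172.16.1.0 255.255.255.0 host 10.1.1.10 eq www
access-list DMZ_access_in extended deny ip any any log
!
! Apply the ACL inbound ("in") on the interface the packets ARRIVE on.
! No ACL is applied to inside: there is no implied outbound ACL there, so
! nothing more is needed for the request to reach 10.1.1.10, and the reply
! packets are allowed by the firewall's stateful connection table.
access-group DMZ_access_in in interface dmz
!
! Verification (exec mode, not config mode): hit counts per ACE, then test
! a permitted and a denied flow without generating real traffic.
! show access-list DMZ_access_in
! packet-tracer input dmz tcp 172.16.1.20 40000 10.1.1.10 80
! packet-tracer input dmz tcp 172.16.1.20 40000 10.1.1.10 22
```

One caveat worth keeping in mind: the "no ACL needed for DMZ to a lower security interface" rule only holds while no ACL is applied inbound on the DMZ. As soon as DMZ_access_in is bound with access-group, its implicit deny applies to everything entering the dmz interface, so DMZ-to-outside traffic that previously passed on security level alone now needs its own permit lines in that same ACL.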