We have a few FWSMs in the core of our network, one which sits in front of all our servers, the other sitting between all our users.
There are various interfaces on all of them for different types of servers (DMZ, normal stuff, students, etc.). We're using CSM to deploy rules to them.
I've had a lot of 'fun', let's say, with rules. Most rules are configured with a direction of In, but there are a few rules with an Out direction on interfaces too. The firewalls only went in last year, and we had to be finished quickly, so quite a few ANY ANY IP type rules went in, again some with In and Out directions. Some are a bit more specific, however.
I've had some really odd seemingly inexplicable results with these rules, and I feel the Out rules may be to blame. Having read through the FWSM documentation, I found this paragraph:
Traffic flowing across an interface in the FWSM can be controlled in two ways. Traffic that enters the FWSM can be controlled by attaching an inbound access list to the source interface. Traffic that exits the FWSM can be controlled by attaching an outbound access list to the destination interface. To allow any traffic to enter the FWSM, you must attach an inbound access list to an interface; otherwise, the FWSM automatically drops all traffic that enters that interface. By default, traffic can exit the FWSM on any interface unless you restrict it using an outbound access list, which adds restrictions to those already configured in the inbound access list.
The bold is my own highlighting.
It's that last sentence that concerns me. By default the firewall lets nothing in unless you let it in, but if you DO let something in, it assumes that, as you let it in, you want it let out on another port. That sentence suggests to me that if I add a single 'Allow' as an Out on an interface, let's say, it denies everything else. Or does it? I'm a little confused!
We did some training on the firewalls, but it was all done at rather breakneck speed, and the trainer mentioned something about in and out rules, but I forgot what he said.
What I'd like is to use In rules only, as these Out rules are getting a bit confusing and they're making things unpredictable. I know they do have their uses, but I need to know if there are any gotchas or caveats to using them.
What the sentence means is that the FWSM will allow all packets egressing an interface unless you have an ACL applied outbound on that interface.
In other words a packet ingressing an interface of the FWSM is denied by default unless an ACL permits it. If there is no inbound ACL the packet is denied.
And a packet egressing an interface is permitted by default unless there is an ACL applied that denies it. If there is no ACL outbound the packet is allowed.
I hope it helps.
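As an added example (not part of the question or the answer above), here is a small Python model of the evaluation order the answer describes: ingress is denied unless an inbound ACL permits it, egress is permitted unless an outbound ACL is applied. Interface names, addresses and rules are constructed, and the model assumes the standard Cisco behaviour that any applied ACL ends in an implicit deny.

```python
# Added example: model of FWSM inbound/outbound ACL evaluation.
# Assumptions (not from the page): interface names and addresses below are
# constructed; an applied ACL ends in an implicit deny, so a single outbound
# permit on an interface drops every other flow leaving that interface.
from dataclasses import dataclass, field
import ipaddress


def _in(net, ip):
    """True if ip falls inside net ('any' matches everything)."""
    return net == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(net)


@dataclass
class Rule:
    action: str   # "permit" or "deny"
    src: str      # CIDR, host address or "any"
    dst: str

    def matches(self, src_ip, dst_ip):
        return _in(self.src, src_ip) and _in(self.dst, dst_ip)


def acl_verdict(acl, src_ip, dst_ip):
    """First matching rule wins; falling off the end is the implicit deny."""
    for rule in acl:
        if rule.matches(src_ip, dst_ip):
            return rule.action == "permit"
    return False


@dataclass
class Fwsm:
    inbound: dict = field(default_factory=dict)   # iface -> list of Rule
    outbound: dict = field(default_factory=dict)  # iface -> list of Rule

    def forwards(self, in_iface, out_iface, src_ip, dst_ip):
        # Ingress: no inbound ACL on the source interface drops everything.
        if in_iface not in self.inbound:
            return False
        if not acl_verdict(self.inbound[in_iface], src_ip, dst_ip):
            return False
        # Egress: allowed by default; an outbound ACL only adds restrictions.
        if out_iface in self.outbound:
            return acl_verdict(self.outbound[out_iface], src_ip, dst_ip)
        return True


def build(with_outbound_acl):
    """Constructed policy: users get an ANY ANY inbound rule; dmz has no inbound ACL."""
    fw = Fwsm()
    fw.inbound["users"] = [Rule("permit", "any", "any")]
    if with_outbound_acl:
        # The questioner's case: one outbound 'Allow' on the servers interface.
        fw.outbound["servers"] = [Rule("permit", "any", "10.3.0.10")]
    return fw


def demo():
    """Verdicts for three flows, with and without the outbound ACL applied."""
    flows = [("users", "servers", "10.1.0.5", "10.3.0.10"),
             ("users", "servers", "10.1.0.5", "10.3.0.20"),
             ("dmz", "servers", "10.2.0.9", "10.3.0.20")]
    return {label: [build(flag).forwards(*f) for f in flows]
            for label, flag in (("in_only", False), ("with_out", True))}
```

With inbound ACLs only, the users-to-servers flows pass and the dmz flow is dropped for lack of an inbound ACL; once the single outbound permit is applied, the second users-to-servers flow is dropped by the outbound ACL's implicit deny.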