Solved: FWSM Interface Directions and ACLs

David Rickard · ‎06-11-2010

Hi,

We have a few FWSMs in the core of our network, one which sits in front of all our servers, the other sitting between all our users.

There's various different interfaces on all of them for different types of servers (DMZ, normal stuff, students, etc). We're using CSM to deploy rules to them.

I've had a lot of 'fun' let's say with rules. Most rules are configured with a direction of In, but there's a few rules with an Out direction on interfaces too. The firewalls only went in last year, and we had to be finished quickly, so quite a few ANY ANY IP type rules went in, again some with in and out directions. Some are a bit more specific however.

I've had some really odd seemingly inexplicable results with these rules, and I feel the Out rules may be to blame. Having read through the FWSM documentation, I found this paragraph:

Traffic flowing across an interface in the FWSM can be controlled in two ways. Traffic that enters the

FWSM can be controlled by attaching an inbound access list to the source interface. Traffic that exits the

FWSM can be controlled by attaching an outbound access list to the destination interface. To allow any

traffic to enter the FWSM, you must attach an inbound access list to an interface; otherwise, the FWSM

automatically drops all traffic that enters that interface. By default, traffic can exit the FWSM on any

interface unless you restrict it using an outbound access list, which adds restrictions to those already

configured in the inbound access list.

The bold is my own highlighting.

It's that last sentence that concerns me. By default the firewall lets nothing in, unless you let it in, but if you DO let something in, it assumes as you let it in, you want it let out on another port. That sentence suggests to me that if I add a single 'Allow' as an Out on an interface let's say, it denies everything else. Or does it? I'm a little confused!

We did some training on the firewalls, but it was all done at rather breakneck speed, and the trainer mentioned something about in and out rules, but I forgot what he said.

What I'd like is to use In rules only as these Out rules are getting a bit confusing, and they're making things unpredictable. I know they do have their uses, but I need to know if there's any gotchas or caveats of using them.

Panos Kampanakis · ‎06-11-2010

What the sentence means is that the FWSM will allow all packets egressing an interfaces unless you have an ACL applied outbound on that interface.

In other words a packet ingressing an interface of the FWSM is denied by default unless an ACL permits it. If there is no inbound ACL the packet is denied.

And a packet egressing an interface is permitted by default unless there is an ACL applied that denies it. If there is no ACL outbound the packet is allowed.

I hope it helps.

PK

View solution in original post

Panos Kampanakis · ‎06-11-2010

What the sentence means is that the FWSM will allow all packets egressing an interfaces unless you have an ACL applied outbound on that interface.

In other words a packet ingressing an interface of the FWSM is denied by default unless an ACL permits it. If there is no inbound ACL the packet is denied.

And a packet egressing an interface is permitted by default unless there is an ACL applied that denies it. If there is no ACL outbound the packet is allowed.

I hope it helps.

PK

David Rickard · ‎06-12-2010

Ah I see.

What I'm getting at is that the functionality isn't like on the acls on switches whereby it's default allow, until you add a rule, then it becomes default deny and you have to allow everything?

I.e, just because I have an Allow on an Out, doesn't mean it's going to deny everything else unless I explicitly enable it.

I think I'm getting it now!

Sorry if this is seemingly obvious stuff.