Selective Java applet blocking by external address with PIX?

bhockenhull
Level 1

I'm trying to implement Java applet blocking on my PIX, and I'm looking for a way to be more selective about how I do it.

According to the documentation, I can permit certain internal addresses to get Java applets from the outside, but it doesn't seem that I can permit all internal addresses to get Java applets only from certain external addresses.

I can do this (but would prefer not to) at my border router with CBAC using access lists, but the same functionality doesn't seem to be present in the PIX.

2 Replies

yizhar
Level 1

Hi.

Did you read this:

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_62/cmdref/df.htm#1039734

According to the above document, you can specify either internal and/or external addresses in the "filter java" command. Did you try it?

What is your PIX OS version?

What is the exact command that you tried?

Yizhar

I saw that, but I can't translate that into what I want to do. Maybe I'm missing something.

What I want to do is to deny Java applets from all foreign hosts except for those I define as friendly. Using CBAC, I'd set up a Java access list along these lines:

access-list XX permit 12.0.3.0 0.0.0.255

access-list XX deny any

Which would allow Java applets from 12.0.3.0/24 but deny them from everyone else.

If I could use the filter java command to filter all java *except* certain stuff, that'd be perfect.
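
The CBAC approach described in the reply above, written out as a complete IOS configuration fragment. This is an added example, not part of the original thread: the ACL number 10, the inspection rule name FWJAVA and the interface Serial0 are assumed placeholders.

```cisco
! Constructed example: ACL number, rule name and interface are placeholders.
!
! Standard ACL naming the "friendly" applet sources. A standard ACL matches
! on source address only, which is what the java-list option expects.
access-list 10 permit 12.0.3.0 0.0.0.255
access-list 10 deny any
!
! The ACL has no effect on applets until it is referenced by java-list in an
! HTTP inspection rule. Applets in HTTP responses from hosts permitted by
! ACL 10 are allowed; applets from every other host are blocked.
ip inspect name FWJAVA http java-list 10
!
! Apply the rule to sessions leaving through the external interface so the
! returning HTTP responses are inspected.
interface Serial0
 ip inspect FWJAVA out
```

CBAC only blocks applets it can recognize in the HTTP stream: applets wrapped in archives such as .zip or .jar, or fetched over FTP or HTTP on a nonstandard port, are not detected. Treat the friendly list as a filter on plain applet downloads, not as a complete control over Java content.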
