Okay, this question is kind of a double-shot. One thing you need to know before you read this is that my background is iptables on Linux.
Now, question 1: Let's say I've got a 3-interface firewall, one external interface, one DMZ, and one private LAN. Let's say packet A comes in on the outside interface destined for a box in my DMZ (and we can assume that the proper translations take place). The packet comes in the PIX, hits the ACL(s) on the outside interface first, right? Then it's translated and goes out the DMZ interface... correct? Does it hit the ACL(s) on the DMZ interface after it's translated before it goes on to the next hop or whatever is after the PIX?
Question 2: Let's take the above setup for example. Let's say I'm on a box in the DMZ. I try to go out to an IP address that will have to be routed out the outside interface. Let's say I'm sending TCP data on port 80 for simplicity. So with that said, the destination port will be 80, and the source port will be something else. When I hit the PIX, I'll be hitting the DMZ interface first, so the ACL(s) get applied there, correct? When a packet hits an interface, how does the PIX know if it should apply an ACL to it or not? For example, I don't want the same ACL(s) applied to data going out to the internet that I do data coming in from the internet going to a box in my DMZ, even though both packets will have a destination port of 80 (in this example).
Does that make sense? Any tips for me to understand this? The way it's done in iptables is it's dependent upon which chain it's in as to what its function is and when it's applied, not to mention which interface it is applied to, which is supplied during the entries into the tables (such as iptables w/ the -i eth0 option, for example).
-Chris (ee99ee)