So, with the ever-increasing number of ports that I would like to block from my students, I'm wondering if there is a way to block all, then only allow the ones that are necessary. I'm fairly new to this, so forgive me if this idea is really stupid.
Right now I have far too long an access list on my router (really hurting performance) and I would like to block on my PIX 515 instead.
Yes, permit only what you want and deny the rest. Remember, access lists are read top to bottom. Place the permits at the beginning and the deny at the end. And yes, offload that work to your PIX. By default the PIX will deny all inbound traffic from a lower-security interface to a higher-security interface that is not specifically permitted (and logs it by default).
e.g. access-list permit tcp any any eq 80
access-list permit tcp any any eq 25
access-list permit tcp any any eq 21
access-list deny ip any any (not necessary to add, but add it anyway; also, you may want to add "log" at the end if it is on a router).
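The answer above gives the permit-list idea in outline; what the asker still needs is where on the PIX that list is attached, because the PIX's default deny only covers traffic arriving on the lower-security (outside) interface, while the students' traffic arrives on the inside interface, where everything is permitted unless an access-list is bound there. The following is an added example, not from the original post or from Cisco documentation; it assumes the interfaces are named "inside" (students, security level 100) and "outside" (security level 0), that the ACL is called student_out (both names are assumptions), and it adds UDP/53 for DNS to the three ports in the answer, since with a whitelist of only TCP 80/25/21 the students' browsers could no longer resolve names. It is PIX 6.3-style syntax, which also applies to the ASA.

```cisco
! Added example (not from the original post). Names "inside", "outside" and
! "student_out" are assumptions. Order matters: first match wins, so the
! permits come first and the catch-all deny last.
access-list student_out permit udp any any eq 53
access-list student_out permit tcp any any eq 80
access-list student_out permit tcp any any eq 25
access-list student_out permit tcp any any eq 21
! Explicit deny with "log" so every blocked student connection is reported to
! syslog; without "log" only the implicit deny's default logging applies.
access-list student_out deny ip any any log
! Bind the list to packets ENTERING the PIX on the inside interface. This line
! is the part that actually restricts the students: without an access-group on
! "inside", the PIX permits all inside-to-outside traffic by default.
access-group student_out in interface inside
! Check hit counts per line to confirm the list is being matched as intended.
show access-list student_out
```

Two practical caveats: once the access-group is in place, anything not in the list is dropped, so add any other service the students legitimately need (for example NTP, or a proxy port) before rolling it out; and for FTP on port 21 the PIX must keep inspecting the control channel (fixup protocol ftp 21, which is enabled by default) so the data connection is opened dynamically rather than needing its own permit line.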
We have configured the outside and inside interface with official IPv6 addresses, set a default route on the outside interface to our router, and we have also defined a rule, which also gets hits, to permit tcp from the inside interface to any6.
In Syslog I also se...