I'd like to understand how PIX goes about applying rules on an incoming packet? Is the first rule that matches the packet description applied or does it go to the end of the rule base before making a decision?
Does PIX do any rulebase optimization before applying the rules?
PIX access-lists are similar to the router's, i.e. top-down: if an ACL line is matched, it exits the loop and performs the required action (permit/deny) depending on the ACL. Conduits, on the other hand, are different: they are going to match the best, i.e. the most specific, of all.
Typically, I would use 'conduit' for putting rules in the firewall. So does it mean that my conduit rule base is not optimized by PIX and I have to manually audit my conduit rule base for performance?
Not sure what you mean by optimization using conduits.
What I mean is if you use conduits, the arriving packet will be checked for the best match in the conduits, but if it was an ACL, then it would just use top-down: as soon as it hits a match, no further lookup.
packet arrives with a source address of 188.8.131.52
and we have following conduits
conduit deny tcp any 184.108.40.206 255.255.255.0
conduit permit tcp any host 220.127.116.11
In the above case, we will match the 2nd line, since it is the best (more specific) match. But if we had the same scenario in an ACL:
access-list 101 deny tcp 18.104.22.168 255.255.255.0 any
access-list 101 permit tcp host 22.214.171.124 any
In the ACL above, we will match the 1st line and exit the loop.
Hope that clarifies. So if you use conduits, the more specific match will be picked; with an ACL, top-down.
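The two lookup behaviours described above (first match for access-lists, most-specific match for conduits), as an added example that is not from the original thread. It parses PIX-style conduit and access-list lines and evaluates a packet against both; the addresses are constructed, ports are ignored, and the tie-break between equally specific conduits is an assumption.

```python
import ipaddress

def parse_addr(tokens, i):
    """Consume one PIX address spec at tokens[i]: 'any', 'host A', or 'A MASK'."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2

def parse_rule(line):
    """Return (action, proto, src_net, dst_net). A conduit names the global (destination)
    address first and the foreign (source) second; an access-list names source first."""
    t = line.split()  # ports are not modelled
    if t[0] == "conduit":
        dst, i = parse_addr(t, 3)
        src, _ = parse_addr(t, i)
        return t[1], t[2], src, dst
    if t[0] == "access-list":
        src, i = parse_addr(t, 4)
        dst, _ = parse_addr(t, i)
        return t[2], t[3], src, dst
    raise ValueError("unsupported line: " + line)

def matches(rule, proto, src, dst):
    """True when a packet (proto, src, dst given as strings) falls inside the rule."""
    return rule[1] in (proto, "ip") and ipaddress.ip_address(src) in rule[2] and ipaddress.ip_address(dst) in rule[3]

def acl_decision(rules, proto, src, dst):
    """Top-down: the first matching line decides; no match means implicit deny."""
    for idx, rule in enumerate(rules):
        if matches(rule, proto, src, dst):
            return rule[0], idx
    return "deny", None

def conduit_decision(rules, proto, src, dst):
    """Best match: the matching line with the longest combined prefix length decides;
    on a tie the earlier line is kept (an assumption; the thread does not say)."""
    best = None
    for idx, rule in enumerate(rules):
        if matches(rule, proto, src, dst):
            score = rule[2].prefixlen + rule[3].prefixlen
            if best is None or score > best[0]:
                best = (score, rule[0], idx)
    return ("deny", None) if best is None else (best[1], best[2])

# Constructed sample rule sets shaped like the thread's two-line examples (addresses made up).
CONDUITS = [parse_rule(l) for l in ("conduit deny tcp any 10.1.1.0 255.255.255.0",
                                    "conduit permit tcp any host 10.1.1.5")]
ACL = [parse_rule(l) for l in ("access-list 101 deny tcp 10.1.1.0 255.255.255.0 any",
                               "access-list 101 permit tcp host 10.1.1.5 any")]
```

For a TCP packet from 10.1.1.5, `conduit_decision` returns the permit on line 2 while `acl_decision` stops at the deny on line 1, which is exactly the difference described above.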
By optimization, what I mean is that Sonicwall puts the rules in a proper sequence even if you enter them randomly, so that the firewall does not have to go till the last rule to make a decision for every packet. This means more specific rules are put before the generic rules automatically by the firewall.
Understanding the Access Rule Hierarchy
The rule hierarchy has two basic concepts:
1. Specific rules override general rules:
An individual service is more specific than the Default service.
A single Ethernet link, such as LAN or WAN, is more specific than * (all).
A single IP address is more specific than an IP address range.
2. Equally specific Deny rules override Allow rules.
Rules are displayed in the Current Network Access Rules list from the most specific to the least specific, and rules at the top override rules listed below.
Could you also tell me what are the differences between access-lists and conduits?
On PIX, rules (i.e. conduits or ACL) are appended at the end, after the last line you had; they are not re-hashed or re-arranged automatically, they stay in the order you entered.
Conduits and ACL are 2 different ways to configure access, i.e. permit/deny statements. Conduit is the older way of doing it, and ACL is the newer way and the same as that on the router. The conduit or access-list command defines what type of connection is allowed to an inside host and is always required when a lower security host is connecting to a higher security host. The conduit or access-list command is based on both port and protocol; it can be very permissive or very restrictive, depending on what the system administrator wants to achieve.