specifically regarding PIX
Object groups do make ACL management a whole lot easier, but you're
still stuck specifying hosts or contiguous networks within the group;
you can't just put in a range like 192.168.10.15-28 that doesn't
summarize nicely.
On 3/28/07, Fetch, Brandon <bfetch@tpg.com> wrote:
>
> Object groups are where I was headed. The groups can take on networks,
> hosts and ports, and can then be used in place of where an ACL would go.
>
> I happen to use object groups to define a block of allowed inbound sources
> and use that to define the ACL as the source.
>
> Keeps me from having to selectively manage an ACL. The ACL stays put and I
> merely manage the group.
>
> HTH,
>
> Brandon
>
> ________________________________
>
> From: firewall-wizards-bounces@listserv.icsalabs.com
> [mailto:firewall-wizards-bounces@listserv.icsalabs.com] On
> Behalf Of Jason Gervia
> Sent: Tuesday, March 27, 2007 3:48 PM
> To: Firewall Wizards Security Mailing List
> Subject: Re: [fw-wiz] IP Ranges
>
> Hello,
>
> In regards to cisco PIX - there's no real way to specify a 'range' option
> with regards to IP addresses. I'd suggest trying object groups and
> specifying which hosts you would like.
>
> In IOS, you could potentially use subnet masks that specified 2,4,8,16, etc
> hosts to get the equivalent of a range, but I believe the stateful
> firewalling that is part of the pix won't allow that (it will deny
> src/destinations of networks or broadcast networks).
>
> I agree, it would be a great thing for cisco to add in a later code
> release. Unfortunately it's not here yet.
>
> --Jason
>
> On 3/26/07, Sergio Pozo Hidalgo <sergio@lsi.us.es> wrote:
>
> Hi all,
> I have been searching in the list and in Google about how to specify IP
> ranges in different low-level firewall languages.
>
> I have read that it is possible to do that with iptables using the
> --ip-range parameter, but I couldn't find any information regarding PIX
> or PF using a syntax like the iptables one.
> I know it is possible to specify contiguous and non-contiguous IP ranges
> using subnets (Subnet Calculator is a good application for that) and a
> combination of deny and permit rules. But the question is whether there is a
> way to specify a range using the easy-to-use format of iptables:
> 192.168.0.1-192.168.2.20 (I know there is a mix of subnets...)
>
> Thank you very much in advance.
> Best regards,
>
> --
> Sergio Pozo Hidalgo
> Quivir Research Group <www.lsi.us.es/~quivir>
> University of Seville (Spain)
> _______________________________________________
> firewall-wizards mailing list
> firewall-wizards@listserv.icsalabs.com
> https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
--
-Karl
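As an added example (not code from anyone in this thread), the Python below does the subnet-splitting the thread talks about with the standard-library `ipaddress` module: it breaks an arbitrary inclusive range, such as Karl's 192.168.10.15-28 or Sergio's 192.168.0.1-192.168.2.20, into the minimal list of CIDR blocks, checks that those blocks cover exactly that range and nothing more (the check a hand-translated permit rule usually lacks), and then renders the result as PIX `object-group network` entries and as a single iptables rule using the `iprange` match (`-m iprange --src-range a-b`). The group name `ALLOWED_SOURCES` and the chain `INPUT` are placeholders; the `network-object host` / `network-object <net> <mask>` lines follow the PIX/ASA object-group CLI syntax and should be confirmed against your own release's command reference.

```python
import ipaddress

# Constructed sample ranges, taken from the thread: Karl's 192.168.10.15-28
# and Sergio's 192.168.0.1-192.168.2.20.
SAMPLE_RANGES = [
    ("192.168.10.15", "192.168.10.28"),
    ("192.168.0.1", "192.168.2.20"),
]


def range_to_cidrs(first, last):
    """Split an inclusive IPv4 range into the minimal, ordered list of CIDR blocks."""
    start = ipaddress.IPv4Address(first)
    end = ipaddress.IPv4Address(last)
    if start > end:
        raise ValueError(f"range start {first} is after range end {last}")
    # summarize_address_range greedily emits the largest aligned block that
    # fits at each step, so the result is minimal and contiguous.
    return list(ipaddress.summarize_address_range(start, end))


def covers_exactly(cidrs, first, last):
    """Return True only if the blocks tile the range with no gap and no overreach.

    A block list that over-reaches silently widens a permit rule; that is the
    failure mode to guard against when translating a range into subnets by hand.
    """
    start = ipaddress.IPv4Address(first)
    end = ipaddress.IPv4Address(last)
    expected = start
    for net in cidrs:
        if net.network_address != expected:
            return False  # gap or overlap before this block
        if net.broadcast_address == end:
            return net is cidrs[-1]  # must also be the final block
        expected = net.broadcast_address + 1
    return False  # ran out of blocks before reaching `end`, or overshot it


def pix_object_group(name, first, last):
    """Render the range as a PIX/ASA network object group (placeholder name; syntax assumed)."""
    lines = [f"object-group network {name}"]
    for net in range_to_cidrs(first, last):
        if net.prefixlen == 32:
            lines.append(f" network-object host {net.network_address}")
        else:
            lines.append(f" network-object {net.network_address} {net.netmask}")
    return "\n".join(lines)


def iptables_iprange(chain, first, last, target="ACCEPT"):
    """Render the same range as one iptables rule using the iprange match."""
    # Validate both ends before interpolating them into a command line.
    range_to_cidrs(first, last)
    return f"iptables -A {chain} -m iprange --src-range {first}-{last} -j {target}"


if __name__ == "__main__":
    for first, last in SAMPLE_RANGES:
        cidrs = range_to_cidrs(first, last)
        assert covers_exactly(cidrs, first, last)
        print(f"# {first}-{last} -> {len(cidrs)} CIDR block(s)")
        print(pix_object_group("ALLOWED_SOURCES", first, last))
        print(iptables_iprange("INPUT", first, last))
        print()
```

Karl's 14-address range needs four blocks (a /32, a /29, a /30 and another /32), and Sergio's 532-address range needs twelve, which is the practical cost of not having a native range syntax on the PIX: every edit to the range means regenerating the whole group, so generate it rather than typing it.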