Outbound/Apply
The outbound and apply commands control what traffic is allowed to leave the network.
The outbound command only identifies traffic to be permitted or denied. The apply
command puts the outbound list on an interface and is what actually causes matching
packets to be dropped. The first step in controlling outbound traffic is configuring
outbound to identify the traffic to be filtered. The syntax for the outbound command
is:
outbound list_id permit | deny ip_address [netmask [port[-port]] [protocol]]
The list_id is an identifier that maps the traffic identified by the outbound
command to the apply command; list_id must be a number between 1 and 99.
The permit or deny keywords specify whether the traffic identified by the outbound
command will be permitted or denied, respectively. The ip_address parameter
specifies the traffic to be identified by the outbound command. The netmask
parameter is used in conjunction with the ip_address parameter to identify a range
of target IP addresses (0.0.0.0 0.0.0.0 matches every address). The port parameter
specifies a single port number or a port range to be identified by the outbound
command; a port of 0 matches all ports. The protocol parameter identifies a specific
protocol (tcp, udp, etc.) and is assumed to be ip if it is not specified.
The second step is to apply the outbound list to an interface using the apply
command. Once the list is applied to an interface, any outbound traffic on that
interface that is denied by the associated outbound list will be dropped. The syntax
for the apply command is as follows:
apply [(interface_name)] list_id outgoing_src | outgoing_dest
www.syngress.com
110 Chapter 3 • Passing Traffic
The interface_name parameter identifies the interface on which traffic will be
filtered with the associated outbound list. If no interface is specified, it defaults to
the outside interface. The list_id parameter names the outbound list to use for filtering
outbound traffic. Unlike access lists, multiple outbound lists can be applied
to an interface. These lists are processed starting at the lowest list number and
working upwards. Within a list, the entries are cumulative rather than first-match:
the firewall considers every entry and applies the most specific one that matches,
so a deny for a single port overrides a permit for all ports in the same list (the
examples below rely on this).
The outgoing_src or outgoing_dest keywords define how the apply command
uses the outbound list. If outgoing_src is used, the ip_address in the list is compared
with the packet's source address. If outgoing_dest is used, it is compared with the
packet's destination address.
Returning to Secure Corp., the company has decided to restrict access from
its networks to the Internet. To control what employees can reach, the company
has decided to deny all packets from the company to the echo, chargen, and discard
services (ports 7, 19, and 9) on the Internet. They chose these ports because they are
commonly used in attacks on Internet servers. There is no reason an employee should
need access to these services on an outside host.
To accomplish this task, create an outbound list. Configure this list to allow
all traffic through. Next, define rules that deny access to the specific services.
Finally, apply the outbound list to an interface. The commands to accomplish these
tasks are as follows:
PIX1(config)# outbound 20 permit 0.0.0.0 0.0.0.0 0
PIX1(config)# outbound 20 deny 0.0.0.0 0.0.0.0 echo
PIX1(config)# outbound 20 deny 0.0.0.0 0.0.0.0 discard
PIX1(config)# outbound 20 deny 0.0.0.0 0.0.0.0 chargen
PIX1(config)# apply (inside) 20 outgoing_src
Unfortunately, even after taking all these precautions, the company receives a
complaint that an employee is attempting to access a server on the Internet that
they should not. The IP address of the Internet server that is being accessed in
violation of policy is 10.10.1.10. A new outbound rule needs to be created. Since the
company can't figure out which employee is causing the problem, instead of filtering
traffic by the source address, use the apply command to filter by the destination:
PIX1(config)# outbound 30 permit 0.0.0.0 0.0.0.0 0
PIX1(config)# outbound 30 deny 10.10.1.10 255.255.255.255 0
PIX1(config)# apply (inside) 30 outgoing_dest
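The following Python script is an added example, not code from the book or from Cisco: a toy evaluator that parses the outbound and apply statements exactly as typed above (lists 20 and 30) and reports the verdict for a sample packet. It makes the semantics of the two-step procedure visible: which packet address outgoing_src versus outgoing_dest compares, why port 0 means any port, and why the permit-all entry and the port-specific denies in the same list can coexist. The evaluation model is an assumption stated in the code (every entry of a list is considered and the most specific match decides; a deny from any list applied to the interface drops the packet); the except keyword is not modelled, and the sample source and destination addresses are constructed.

```python
"""Toy evaluator for PIX outbound/apply lists (added example, not from the book).
Model assumed here: all entries of a list are considered and the most specific
match decides; outgoing_src/outgoing_dest picks the address compared; a deny from
any list applied to the interface drops the packet. `except` is not modelled."""
import ipaddress
from dataclasses import dataclass

PORT_NAMES = {"echo": 7, "discard": 9, "chargen": 19}  # IANA well-known ports


def parse_port(spec):
    """'0' matches any port; a name or number one port; 'a-b' an inclusive range."""
    if spec in PORT_NAMES:
        return (PORT_NAMES[spec], PORT_NAMES[spec])
    if "-" in spec:
        lo, hi = spec.split("-", 1)
        return (int(lo), int(hi))
    return (0, 65535) if int(spec) == 0 else (int(spec), int(spec))


@dataclass
class Entry:
    list_id: int
    action: str                     # "permit" or "deny"
    network: ipaddress.IPv4Network  # ip_address + netmask
    ports: tuple                    # inclusive (low, high)
    protocol: str                   # chapter: ip is assumed if omitted


@dataclass
class Applied:
    interface: str
    list_id: int
    direction: str                  # "outgoing_src" or "outgoing_dest"


def parse_outbound(line):
    """'outbound <list_id> permit|deny <ip> <mask> <port> [protocol]'."""
    p = line.split()
    assert p[0] == "outbound" and p[2] in ("permit", "deny"), line
    assert 1 <= int(p[1]) <= 99, "list_id must be between 1 and 99"
    net = ipaddress.IPv4Network((p[3], p[4]), strict=False)
    return Entry(int(p[1]), p[2], net, parse_port(p[5]), p[6] if len(p) > 6 else "ip")


def parse_apply(line):
    """'apply [(<interface>)] <list_id> outgoing_src|outgoing_dest'."""
    p = line.split()
    assert p[0] == "apply", line
    iface, rest = (p[1].strip("()"), p[2:]) if p[1].startswith("(") else ("outside", p[1:])
    assert rest[1] in ("outgoing_src", "outgoing_dest"), line
    return Applied(iface, int(rest[0]), rest[1])


def load(config_text):
    """Split a configuration into outbound entries and apply statements."""
    lines = [ln for ln in config_text.strip().splitlines() if ln.strip()]
    entries = [parse_outbound(ln) for ln in lines if ln.startswith("outbound")]
    applied = [parse_apply(ln) for ln in lines if ln.startswith("apply")]
    return entries, applied


def specificity(e):
    """Longer mask, narrower port range, explicit protocol rank as more specific."""
    return (e.network.prefixlen, -(e.ports[1] - e.ports[0]), e.protocol != "ip")


def evaluate(entries, applied, interface, src, dst, port, protocol="tcp"):
    """Return 'permit' or 'deny' for a packet leaving through `interface`."""
    for ap in sorted((a for a in applied if a.interface == interface),
                     key=lambda a: a.list_id):            # lowest list_id first
        addr = ipaddress.IPv4Address(src if ap.direction == "outgoing_src" else dst)
        best = None
        for e in entries:
            if (e.list_id == ap.list_id and addr in e.network
                    and e.ports[0] <= port <= e.ports[1]
                    and e.protocol in ("ip", protocol)
                    and (best is None or specificity(e) > specificity(best))):
                best = e
        if best is not None and best.action == "deny":
            return "deny"
    return "permit"  # nothing applied, or no deny was the best match


# The two lists from the chapter as typed on PIX1, without the prompt.
SECURE_CORP = """
outbound 20 permit 0.0.0.0 0.0.0.0 0
outbound 20 deny 0.0.0.0 0.0.0.0 echo
outbound 20 deny 0.0.0.0 0.0.0.0 discard
outbound 20 deny 0.0.0.0 0.0.0.0 chargen
apply (inside) 20 outgoing_src
outbound 30 permit 0.0.0.0 0.0.0.0 0
outbound 30 deny 10.10.1.10 255.255.255.255 0
apply (inside) 30 outgoing_dest
"""


def check(src, dst, port, protocol="tcp"):
    """Verdict for a packet from an inside host (sample addresses are constructed)."""
    entries, applied = load(SECURE_CORP)
    return evaluate(entries, applied, "inside", src, dst, port, protocol)


if __name__ == "__main__":
    print(check("192.168.1.5", "203.0.113.8", 80))  # permit: ordinary web traffic
    print(check("192.168.1.5", "203.0.113.8", 19))  # deny: chargen, list 20
    print(check("192.168.1.5", "10.10.1.10", 80))   # deny: destination, list 30
```

The third call shows why list 30 had to be applied with outgoing_dest: under outgoing_src the 10.10.1.10/32 entry would be compared against the employee's source address and never match, and the permit-all entry would be the best match.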
Another way to accomplish this is to use the outbound command with the
except keyword. The except keyword reverses the outbound list's direction for the
specified IP address: if the list is applied to source addresses, except makes a
specific destination be denied. In the previous example, instead of
creating a new outbound list, we could add an except entry to outbound list
20:
PIX1(config)# outbound 20 except 10.10.1.10 255.255.255.255 0
To verify your configuration, use the show outbound [list_id] command.
NOTE
It might be desirable to block Java applets or ActiveX code arriving
from the Internet. The PIX supports this functionality. For more
information, refer to Chapter 4, which provides detailed information
on URL, Java, and ActiveX filtering.