pix Rule

SaigonK

Diamond Member
Aug 13, 2001
So I am finally going to start messing with my new PIX here, and I am looking for some tips..

What i need to do is the following:

I need to block the following IPs:

218.17.217.106
219.133.40.95
219.133.40.97
219.133.40.157
219.133.40.177
219.133.40.73
219.133.40.189
218.18.95.153
218.17.209.23
202.104.129.253
218.17.209.42
sz.tencent.com 61.144.238.145
sz2.tencent.com 61.144.238.146
sz3.tencent.com 202.104.129.251
sz4.tencent.com 202.104.129.254
sz5.tencent.com 61.141.194.203
sz6.tencent.com 202.104.129.252
sz7.tencent.com 202.104.129.253

On ports 80/443/8000/8001 (TCP and UDP)

What's the easiest way to create a group for all of these IPs?
I already created my TCP/UDP group for these ports, but now I am looking for the easiest way to add the multiple hosts.

 

Rogue

Banned
Jan 28, 2000
From my reading, the PIX will expand the groups into actual single ACL entries by itself though. It may be easier to work with using groups, however, it doesn't save you anything resource-wise is my understanding. I would just write a straight ACL for those entries and avoid groups, but that's me and I'm weird like that. I don't like groups because I forget what I put in them eventually. ;)
 

SaigonK

Diamond Member
Aug 13, 2001
Actually I figured out how I need it anyway...


object-group network Tecent

network-object 61.144.238.145 255.255.255.255
network-object 61.144.238.146 255.255.255.255

network-object 202.104.129.251 255.255.255.255
network-object 202.104.129.254 255.255.255.255
network-object 61.141.194.203 255.255.255.255
network-object 202.104.129.252 255.255.255.255
network-object 202.104.129.253 255.255.255.255
network-object 218.17.217.106 255.255.255.255
network-object 219.133.40.95 255.255.255.255
network-object 219.133.40.97 255.255.255.255
network-object 219.133.40.157 255.255.255.255
network-object 219.133.40.177 255.255.255.255
network-object 219.133.40.73 255.255.255.255
network-object 219.133.40.189 255.255.255.255
network-object 218.18.95.153 255.255.255.255
network-object 218.17.209.23 255.255.255.255
network-object 218.17.209.42 255.255.255.255

Does what I need. :)
 

spidey07

No Lifer
Aug 4, 2000
Originally posted by: Rogue
From my reading, the PIX will expand the groups into actual single ACL entries by itself though. It may be easier to work with using groups, however, it doesn't save you anything resource-wise is my understanding. I would just write a straight ACL for those entries and avoid groups, but that's me and I'm weird like that. I don't like groups because I forget what I put in them eventually. ;)

That's absolutely correct.

And it can cause major problems. Say for instance you have a group with 100 hosts that you put in a group. Then you make what looks like 1 single access list using that host group with a protocol group that contains 10 ports.

It's deceptive because it looks like only one line. It is actually 100*10 lines or 1000 lines.

It can get real hairy real quick and I strongly discourage the use of them.

But for something simple like this no problem, unless this firewall has a lot more ACLs on it.
 

cmetz

Platinum Member
Nov 13, 2001
spidey07, I disagree with you about object groups. A lot of what people do with ACLs is cut-and-paste variants of rules that beg for this kind of macro substitution. For example, the rule that says open ports {1,2,3} on hosts {A,B,C}. And you know that somebody's going to come around with a host D to add to that later on. It makes it easy to write and maintain the kind of rules that are common.

show access-list on the PIX will show you the expanded ACL so you can see the whole mess that gets generated, just in case that's easier to read.
 
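Added example (mine, not from the thread or from Cisco): a small Python model of the expansion spidey07 and cmetz describe, run over a constructed config that pairs SaigonK's 17-host network group with a tcp-udp port group for 80/443/8000/8001. The group names Tencent and TencentPorts and the ACL name outbound are my assumption; the output format is a plain rendering of the per-member ACEs, not the exact layout of show access-list.

```python
from itertools import product

# Constructed PIX 6.x-style config with the thread's 17 hosts and four ports; the
# names Tencent, TencentPorts and outbound are my assumption, not from the thread.
HOSTS = ["61.144.238.145", "61.144.238.146", "202.104.129.251", "202.104.129.254",
         "61.141.194.203", "202.104.129.252", "202.104.129.253", "218.17.217.106",
         "219.133.40.95", "219.133.40.97", "219.133.40.157", "219.133.40.177",
         "219.133.40.73", "219.133.40.189", "218.18.95.153", "218.17.209.23",
         "218.17.209.42"]
PIX_CONFIG = "object-group network Tencent\n" + "".join(
    f" network-object {h} 255.255.255.255\n" for h in HOSTS) + """\
object-group service TencentPorts tcp-udp
 port-object eq 80
 port-object eq 443
 port-object eq 8000
 port-object eq 8001
access-list outbound deny tcp any object-group Tencent object-group TencentPorts
access-list outbound deny udp any object-group Tencent object-group TencentPorts
access-list outbound permit ip any any
"""

def parse_groups(config):
    """Map each object-group name to its members ('host A.B.C.D' or 'eq PORT')."""
    groups, current = {}, None
    for words in (line.split() for line in config.splitlines()):
        if words[:1] == ["object-group"]:
            current = groups.setdefault(words[2], [])
        elif words[:1] == ["network-object"]:  # 'host A.B.C.D' or 'A.B.C.D MASK' form
            current.append("host " + (words[2] if words[1] == "host" else words[1]))
        elif words[:1] == ["port-object"]:
            current.append(" ".join(words[1:]))  # e.g. 'eq 80'
    return groups

def expand_acl(config):
    """Expand access-list lines the way spidey07 describes: one ACE per combination
    of group members (hosts x ports); lines that use no group pass through."""
    groups, aces = parse_groups(config), []
    for words in (line.split() for line in config.splitlines()):
        if words[:1] != ["access-list"]:
            continue
        idx = [i for i, w in enumerate(words) if w == "object-group"]
        for combo in product(*(groups[words[i + 1]] for i in idx)):
            out = list(words)
            for i, member in zip(reversed(idx), reversed(combo)):
                out[i:i + 2] = [member]  # swap 'object-group NAME' for one member
            aces.append(" ".join(out))
    return aces
```

Three written lines expand to 2 * 17 * 4 + 1 = 137 ACEs; swap in spidey07's 100-host and 10-port groups and the same two deny lines become 2000.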

SaigonK

Diamond Member
Aug 13, 2001
Originally posted by: spidey07
Originally posted by: Rogue
From my reading, the PIX will expand the groups into actual single ACL entries by itself though. It may be easier to work with using groups, however, it doesn't save you anything resource-wise is my understanding. I would just write a straight ACL for those entries and avoid groups, but that's me and I'm weird like that. I don't like groups because I forget what I put in them eventually. ;)

That's absolutely correct.

And it can cause major problems. Say for instance you have a group with 100 hosts that you put in a group. Then you make what looks like 1 single access list using that host group with a protocol group that contains 10 ports.

It's deceptive because it looks like only one line. It is actually 100*10 lines or 1000 lines.

It can get real hairy real quick and I strongly discourage the use of them.

But for something simple like this no problem, unless this firewall has a lot more ACLs on it.

Not very many ACLs at all, so I don't think the object groups will be an issue. I agree that it can turn into a jumble if you go overboard..but this will work for what I need right now.
Thanks for the tips all! :)