Re: IP Ranges

["Security Guy" <security () sligoinc com>]

specifically regarding PIX

Object groups do make ACL management a whole lot easier, but you're
still stuck specifying hosts or contiguous networks within the group,
you can't just put in a range like 192.168.10.15-28 that doesn't
summarize nicely.


On 3/28/07, Fetch, Brandon <bfetch () tpg com> wrote:
> Object groups is where I was headed.  The groups can take on networks,
> hosts, ports and can then be used in place of where an ACL would go.
>
>
>
> I happen to use object groups to define a block of allowed inbound sources
> and use that to define the ACL as the source.
>
> Keeps me from having to selectively manage an ACL.  The ACL stays put and I
> merely mange the group.
>
>
>
> HTH,
>
> Brandon
>
>
>
>  ________________________________
>
>
> From: firewall-wizards-bounces () listserv icsalabs com
> [mailto:firewall-wizards-bounces () listserv icsalabs com] On
> Behalf Of Jason Gervia
>  Sent: Tuesday, March 27, 2007 3:48 PM
>  To: Firewall Wizards Security Mailing List
>  Subject: Re: [fw-wiz] IP Ranges
>
>
>
>
> Hello,
>
>  In regards to cisco PIX - there's no real way to specify a 'range' option
> with regards to IP addresses.  I'd suggest trying object groups and
> specifying which hosts you would like.
>
>  In IOS, you could potentially use subnet masks that specified 2,4,8,16, etc
> hosts to get the equivalent of a range, but I believe the stateful
> firewalling that is part of the pix won't allow that (it will deny
> src/destinations of networks or broadcast networks).
>
>  I agree, it would be a great thing for cisco to add in a later code
> release.  Unfortunately it's not here yet.
>
>
>
>  --Jason
>
>
> On 3/26/07, Sergio Pozo Hidalgo <sergio () lsi us es> wrote:
>
> Hi all,
>  I have been searcing in the list and in google about how to specify ip
>  ranges in different low level firewall languages.
>
>  I have read that it is possible to do that with iptables using
>  --ip-range parameter. But I could'nt find any information reagarding PIX
>  or PF using a syntax like iptables one.
>  I know it is possible to specify contiguous and non-contiguous ip ranges
>  using subnets (Subnet Calculator is a good application for that), and a
>  combination of deny and permit rules. But the question is if there is a
>  way to specify a range using the easy-to-use format of iptables:
>  192.168.0.1-192.168.2.20 (I know there is a mix of subnets...)
>
>  Thank you very much in advance.
>  Best regards,
>
>  --
>  Sergio Pozo Hidalgo
>  Quivir Research Group <www.lsi.us.es/~quivir>
>  University of Seville (Spain)
>  _______________________________________________
>  firewall-wizards mailing list
>  firewall-wizards () listserv icsalabs com
> https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
>
>
> This message is intended only for the person(s) to which it is addressed
> and may contain privileged, confidential and/or insider information.
> If you have received this communication in error, please notify us
> immediately by replying to the message and deleting it from your computer.
> Any disclosure, copying, distribution, or the taking of any action
> concerning
> the contents of this message and any attachment(s) by anyone other
> than the named recipient(s) is strictly prohibited.
>
>
>
> _______________________________________________
> firewall-wizards mailing list
> firewall-wizards () listserv icsalabs com
> https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards


-- 
-Karl
_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards