Firewall Wizards mailing list archives
Re: Pix rulebase/policy analysis
From: James <jimbob.coffey () gmail com>
Date: Sat, 22 Sep 2007 12:56:22 +1000
On 9/21/07, Richard Golodner <rgolodner () infratection com> wrote:
1- A spreadsheet is a good way to keep track of the current rule set you have applied to the Pix. It must be maintained and kept up to date. For
Personally I would rather the config be self-documenting. Add remarks to the access-list entries if that is important to you, but I don't see how a spreadsheet adds any value over and above the live rulebase, and you always have the problem of version drift with two "sources of truth". Your source of truth is the live config.
2- It is never a real good idea to jeopardize the current configuration by making changes in real time. Copy it to a text editor and make the changes, then apply it to your Pix.
I prefer the syntax validation of configuring at the command line rather than writing lines of text in an editor that get blasted in with syntax errors, so you have to go and fix the whole thing, and in some cases it can be confusing which commands were applied and which weren't. Also, with compiled ACLs these days, set your mode to manual commit and you can rejig the rulebase as much as you like (with syntax verification), and when you are happy with the ruleset order, commit the changes.
MAKE SURE YOU HAVE A BACKUP OF YOUR CURRENT FUNCTIONING CONFIG!
Yep. RANCID is the ticket, forget tftp backups. Why vendors allow a firewall config to be transferred in plain text is beyond me.
just my 2c
-- jac
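The two practices argued for above (the live config as the documented source of truth, and a versioned backup that shows what changed) can both be checked mechanically. The following is an added example, not code from James, Richard or the list: a Python script that parses a constructed PIX-style access-list block, reports ACEs with no remark above them in the same ACL (on PIX/ASA a remark documents the entries that follow it until the next remark), and diffs two config snapshots to surface drift the way a RANCID-style repository commit would. The ACL names, addresses and change-ticket text are constructed sample data.

```python
import difflib
import re
from typing import Dict, List, Tuple

# Constructed sample of a PIX-style access-list block; not taken from a real device.
PIX_CONFIG_V1 = """\
access-list outside_in extended permit tcp 198.51.100.0 255.255.255.0 host 192.0.2.20 eq 22
access-list outside_in remark Web front end, change ticket CHG-0001
access-list outside_in extended permit tcp any host 192.0.2.10 eq 80
access-list outside_in extended permit tcp any host 192.0.2.10 eq 443
access-list outside_in extended deny ip any any
access-list dmz_out extended permit udp host 192.0.2.10 host 203.0.113.53 eq 53
access-group outside_in in interface outside
access-group dmz_out in interface dmz
"""

# Same device after an undocumented change on the live box: the SSH rule now allows any source.
PIX_CONFIG_V2 = PIX_CONFIG_V1.replace(
    "permit tcp 198.51.100.0 255.255.255.0 host 192.0.2.20 eq 22",
    "permit tcp any host 192.0.2.20 eq 22",
)

ACL_RE = re.compile(r"^access-list\s+(\S+)\s+(.*)$")


def parse_acls(config: str) -> Dict[str, List[Tuple[str, str]]]:
    """Group access-list lines by ACL name, in device order.

    Each entry is (kind, text) with kind 'remark' or 'ace'.
    Lines that are not access-list statements are ignored.
    """
    acls: Dict[str, List[Tuple[str, str]]] = {}
    for line in config.splitlines():
        m = ACL_RE.match(line.strip())
        if not m:
            continue
        name, rest = m.groups()
        if rest.startswith("remark "):
            acls.setdefault(name, []).append(("remark", rest[len("remark "):]))
        else:
            acls.setdefault(name, []).append(("ace", rest))
    return acls


def undocumented_aces(config: str) -> List[str]:
    """Return 'acl: ace' strings for entries with no remark above them in their ACL.

    A remark covers every ACE that follows it until the next remark, so any ACE
    appearing before the first remark of its ACL has no documentation at all.
    """
    flagged: List[str] = []
    for name, entries in parse_acls(config).items():
        documented = False
        for kind, text in entries:
            if kind == "remark":
                documented = True
            elif not documented:
                flagged.append(f"{name}: {text}")
    return flagged


def config_drift(old: str, new: str) -> List[str]:
    """Return the added ('+') and removed ('-') lines between two snapshots.

    This is the same information a RANCID-style repository shows per commit;
    diff headers and hunk markers are dropped so only config lines remain.
    """
    diff = difflib.unified_diff(old.splitlines(), new.splitlines(), lineterm="", n=0)
    return [
        line
        for line in diff
        if line[:1] in "+-" and not line.startswith(("+++", "---"))
    ]


if __name__ == "__main__":
    for ace in undocumented_aces(PIX_CONFIG_V2):
        print("no remark:", ace)
    for line in config_drift(PIX_CONFIG_V1, PIX_CONFIG_V2):
        print("drift:    ", line)
```

Run against real output, feed `show running-config` captured over a session you trust rather than a plaintext tftp copy; the remark check is a reporting aid for the "self-documenting config" argument, and the drift check only tells you what changed, not whether the change was approved.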