I'm installing a content filter that will sit behind a PIX firewall in proxy mode. What I plan on doing on the PIX is to only allow port 80 and 443 traffic outbound from the content filter and deny all other port 80 and 443 traffic. This way, if they remove the proxy setting in their browser, they will not be able to bypass the filter.
I need help with the ACL. Would something like this work:
access-list inside_out remark Only the content filter (192.168.1.1) may reach the Internet on 80/443
access-list inside_out extended permit tcp host 192.168.1.1 any eq 80
access-list inside_out extended permit tcp host 192.168.1.1 any eq 443
access-list inside_out remark Everyone else on the 192.168.1.0/24 LAN is blocked on 80/443 so the proxy cannot be bypassed
access-list inside_out extended deny tcp 192.168.1.0 255.255.255.0 any eq 80
access-list inside_out extended deny tcp 192.168.1.0 255.255.255.0 any eq 443
access-list inside_out remark All other outbound traffic is left alone
access-list inside_out extended permit ip any any
access-list extended permit ip any any at the end of the ACL, right?
RustyZ32
Yes, definitely.
You may also want to allow 80 and 443 from your machine as well, or another server. Not sure if denying it will also kill ASDM access from the inside.
ejaramillo
ASKER
Got it. I want to make sure all other ports going outbound are not affected by the ACL. I just want to make sure they can't bypass the filter if they uncheck the proxy settings. So I think this should work just perfectly. :)
I can't try it out until I configure the content filter, but I am pretty sure the ACL will work like a champ.
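A way to sanity-check the ACL from the question before the filter is in place, as an added example that is not part of the original thread: a small Python simulator of PIX/ASA first-match ACL evaluation. It runs the ACL exactly as posted (deny lines written as 191.168.1.0) and a copy with the deny lines pointing at the real 192.168.1.0/24 network against a few constructed flows, and shows that the filter host is permitted, that ordinary LAN hosts are only blocked on 80/443 when the deny lines name their actual subnet, and that other ports and protocols fall through to the final `permit ip any any` untouched, which is the follow-up's concern. The host addresses, the 203.0.113.0/24 "Internet" destinations and the port-name table are assumptions made for the example. It only models the subset of syntax the thread uses and does not replace a test on the box itself; remember the ACL does nothing until it is bound with `access-group inside_out in interface inside`.

```python
"""First-match simulation of a PIX/ASA extended ACL (added example, not from the thread).

Supported subset: `access-list NAME extended {permit|deny} {tcp|udp|ip} SRC DST [eq PORT]`
with SRC/DST as `any`, `host A.B.C.D` or `A.B.C.D MASK` (PIX/ASA take a subnet mask,
not a wildcard mask). `remark` lines are ignored, as the box ignores them.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# PIX/ASA also accept service names after `eq`; assumed subset for this example.
PORT_NAMES = {"www": 80, "http": 80, "https": 443}

# The asker's ACL as posted, with the deny lines typed as 191.168.1.0.
ACL_AS_POSTED = """
access-list inside_out extended permit tcp host 192.168.1.1 any eq 80
access-list inside_out extended permit tcp host 192.168.1.1 any eq 443
access-list inside_out extended deny tcp 191.168.1.0 255.255.255.0 any eq 80
access-list inside_out extended deny tcp 191.168.1.0 255.255.255.0 any eq 443
access-list inside_out extended permit ip any any
"""
# Same ACL with the deny lines pointing at the LAN the filter host lives on.
ACL_CORRECTED = ACL_AS_POSTED.replace("191.168.1.0", "192.168.1.0")


@dataclass
class Ace:
    """One access control entry."""
    action: str                   # "permit" or "deny"
    proto: str                    # "tcp", "udp" or "ip" (ip matches any protocol)
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]          # destination port from `eq`, else None


def _parse_addr(tokens: List[str], i: int):
    """Consume one address spec at tokens[i]; return (network, next index)."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    # address followed by a subnet mask, e.g. 192.168.1.0 255.255.255.0
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2


def parse_acl(text: str) -> List[Ace]:
    """Turn access-list lines into ACEs, keeping their order (order is the policy)."""
    aces = []
    for line in text.strip().splitlines():
        t = line.split()
        if not t or t[0] != "access-list" or t[2] == "remark":
            continue
        if t[2] != "extended" or t[3] not in ("permit", "deny"):
            raise ValueError(f"unsupported ACE: {line}")
        action, proto = t[3], t[4]
        src, i = _parse_addr(t, 5)
        dst, i = _parse_addr(t, i)
        dport = None
        if i < len(t):
            if t[i] != "eq" or i + 1 >= len(t):
                raise ValueError(f"unsupported port spec: {line}")
            dport = PORT_NAMES.get(t[i + 1]) or int(t[i + 1])
        aces.append(Ace(action, proto, src, dst, dport))
    return aces


def evaluate(aces: List[Ace], proto: str, src: str, dst: str,
             dport: Optional[int] = None) -> str:
    """Return 'permit' or 'deny' for one flow using first-match semantics."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for ace in aces:
        if ace.proto != "ip" and ace.proto != proto:
            continue
        if s not in ace.src or d not in ace.dst:
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        return ace.action         # first matching entry wins
    return "deny"                 # implicit deny at the end of every ACL


# Constructed flows: the filter host, an ordinary LAN PC, and a few ports.
# 203.0.113.0/24 (documentation space) stands in for "the Internet".
FLOWS = [
    ("filter host to web",       "tcp", "192.168.1.1",  "203.0.113.10", 80),
    ("LAN PC direct to web",     "tcp", "192.168.1.50", "203.0.113.10", 80),
    ("LAN PC direct to https",   "tcp", "192.168.1.50", "203.0.113.10", 443),
    ("LAN PC smtp (other port)", "tcp", "192.168.1.50", "203.0.113.25", 25),
    ("LAN PC dns (other proto)", "udp", "192.168.1.50", "203.0.113.53", 53),
]


def check_acl(text: str) -> dict:
    """Map each constructed flow to the verdict the given ACL produces."""
    aces = parse_acl(text)
    return {label: evaluate(aces, proto, src, dst, port)
            for label, proto, src, dst, port in FLOWS}


if __name__ == "__main__":
    for name, text in (("as posted", ACL_AS_POSTED), ("corrected", ACL_CORRECTED)):
        print(f"--- ACL {name} ---")
        for label, verdict in check_acl(text).items():
            print(f"{label:26s} {verdict}")
```

Running it shows the as-posted ACL letting a LAN PC straight out on 80 and 443, because 192.168.1.50 is not inside 191.168.1.0/24 and the packet falls through to `permit ip any any`; with the deny lines on 192.168.1.0/24 the same PC is blocked on 80/443 while SMTP, DNS and everything else is still permitted.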