«

I want to limit web browsing for a specific machine, allowing all others.

Am I better off doing this on the inside or outside interface ?

How do I control the order of the commands in the access-list ? Is it just
a matter of entry order ?



Is this syntax correct for the inside ?

Access-list ach-in deny tcp host 192.168.0.22 any eq 80

Access-list ach-in permit ip any any

Access-list ach-in in interface inside

In article <478cb48b$0$9134$>,
barret bonden <> wrote:
>I want to limit web browsing for a specific machine, allowing all others.

>Am I better off doing this on the inside or outside interface ?

Inside, for sure.


> How do I control the order of the commands in the access-list ? Is it just
>a matter of entry order ?

Yes. Though if you have a late enough version of PIX OS, you can
use "line" modifiers to insert before specific lines or delete
specific lines.


>Is this syntax correct for the inside ?

>Access-list ach-in deny tcp host 192.168.0.22 any eq 80

>Access-list ach-in permit ip any any

>Access-list ach-in in interface inside

I do not recall at the moment whether "access-list" is case-sensitive.
The syntax for the rest looks fine. As a practical matter, though,
you may also wish to block common proxy ports as well as port 80.
You might find that easier to manage if you use a port-object
to create the list of ports and then use

access-list ach-in deny tcp host 192.168.0.22 any object-group blocked_ports

"Walter Roberson" <> wrote in message
news:K48jj.73269$EA5.16439@pd7urf2no...
> In article <478cb48b$0$9134$>,
> barret bonden <> wrote:
>>I want to limit web browsing for a specific machine, allowing all others.
>
>>Am I better off doing this on the inside or outside interface ?
>
> Inside, for sure.
>
>
>> How do I control the order of the commands in the access-list ? Is it
>> just
>>a matter of entry order ?
>
> Yes. Though if you have a late enough version of PIX OS, you can
> use "line" modifiers to insert before specific lines or delete
> specific lines.
>
>
>>Is this syntax correct for the inside ?
>
>>Access-list ach-in deny tcp host 192.168.0.22 any eq 80
>
>>Access-list ach-in permit ip any any


>
>>Access-list ach-in in interface inside

To apply the list on the interface you would need the access-group command

access-group ach-in in interface inside







>
> I do not recall at the moment whether "access-list" is case-sensitive.
> The syntax for the rest looks fine. As a practical matter, though,
> you may also wish to block common proxy ports as well as port 80.
> You might find that easier to manage if you use a port-object
> to create the list of ports and then use
>
> access-list ach-in deny tcp host 192.168.0.22 any object-group
> blocked_ports
>