Re: [FW1] quick and easy



Hi Garry,

Yes and No.

The order of the rules is important.

The packet drops into the list of rules, starting with rule 0 
(= properties, etc.). Now the packet will be compared with the
first rule. No match? -> Comparison with the second and so
forth. If a rule matches, the packet is treated as defined in the
rule.

As far as I know this procedure is not true for authentication
rules. But I'm not really sure.

Your solution would be: you have to add rule B before rule A.

robert

On Tue, 31 Oct 2000, Garry Armour wrote:

> 
> 
> 
> Hi all,
> 
> Just a quick question,
> 
> Scenario : Want to block a troublesome user from internet :-)
> 
> I have a network object created for my internal users (10.32.1.0 255.255.255.0)
> setup with allow http & https. Call it rule A
> 
> I know the address I want to block so can I simply create an object for this
> address and use Deny? Call it rule B
> 
> My understanding of things is that if there is a rule allowing access then it
> supersedes any other rule that may block access above or below it. Is this
> correct ?
> 
> So if I put Rule B above or below Rule A will the address still be allowed to
> communicate ?
> 
> ps. There is no authentication of user at the firewall.
> 
> 
> Thanks in advance,
> Garry
> 
> 
> 
> 
> ================================================================================
>      To unsubscribe from this mailing list, please see the instructions at
>                http://www.checkpoint.com/services/mailing.html
> ================================================================================
> 

----------------------------------------
Robert Binder
IT-Security Consultant

Integralis, Niederlassung München
Gutenbergstr. 1
D-85737 Ismaning
Tel: +49-89-94573-235
Fax: +49-89-94573-119
http://www.integralis.de/
 
A member of the Articon-Integralis Group
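
The first-match evaluation described in the reply above, as an added example that is not part of the original post and is not FireWall-1's own rule base format. It models only source address and destination TCP port; the host address 10.32.1.50, the final implicit drop, and the names `Rule`, `evaluate` and `ineffective_drops` are assumptions made for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    name: str
    source: str        # CIDR network or single host
    ports: frozenset   # destination TCP ports; empty set means any service
    action: str        # "accept" or "drop"

    def matches(self, src, port):
        in_net = ip_address(src) in ip_network(self.source)
        return in_net and (not self.ports or port in self.ports)

    def overlaps(self, other):
        """True if at least one packet could match both rules."""
        nets = ip_network(self.source).overlaps(ip_network(other.source))
        ports = not self.ports or not other.ports or bool(self.ports & other.ports)
        return nets and ports


def evaluate(rules, src, port):
    """Walk the rule list top to bottom; the first matching rule decides."""
    for rule in rules:
        if rule.matches(src, port):
            return rule.name, rule.action
    return "implicit", "drop"  # assumption: unmatched traffic is dropped


def ineffective_drops(rules):
    """Find drop rules placed after an accept rule that overlaps them.

    For the overlapping traffic the earlier accept wins, so the drop
    never takes effect there. Returns (drop rule, earlier accept) pairs.
    """
    return [(late.name, early.name)
            for i, late in enumerate(rules) if late.action == "drop"
            for early in rules[:i]
            if early.action == "accept" and early.overlaps(late)]


WEB = frozenset({80, 443})
# Rule A from the question: internal users may use http and https.
RULE_A = Rule("A", "10.32.1.0/24", WEB, "accept")
# Rule B from the question: deny one host (address constructed for the example).
RULE_B = Rule("B", "10.32.1.50/32", frozenset(), "drop")

if __name__ == "__main__":
    for order in ([RULE_A, RULE_B], [RULE_B, RULE_A]):
        names = [r.name for r in order]
        print(names, evaluate(order, "10.32.1.50", 80), ineffective_drops(order))
```

With A first, the blocked host's web traffic is accepted by rule A and the check reports B as an ineffective drop; with B first, the host is dropped and the rest of the network is unaffected.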






 
   All contents © 2004 Network Presence, LLC. All rights reserved.