
RE: [FW1] Accept Outgoing Packets



Moreover, if you're doing any kind of VPN, you MUST have "allow packets
originating from gateway" AFTER the encryption rules.
Since in any VPN scenario it's your firewall that speaks ESP with its
peers, if you have "accept outgoing" before "encrypt", the traffic won't be
encrypted.
HTH,
Michael.

-----Original Message-----
From: Lance Spitzner [mailto:[email protected]]
Sent: Wednesday, December 13, 2000 2:19 AM
To: Carric Dooley
Cc: [email protected]
Subject: Re: [FW1] Accept Outgoing Packets



On Tue, 12 Dec 2000, Carric Dooley wrote:

> Anyone know the reasoning behind why this is recommended to be set to
> "Before Last" in the policy properties?  I am working with a FW with that
> property set to first (and have seen it before) and I can't come up with a
> good explanation to change it (nor can I find one with all my web ferret
> diggings).

Organizations may want to filter outbound packets as well as inbound.
If the "Accept Outgoing" is placed first, then that rule takes priority,
meaning the organization cannot filter outbound rules.  Now, you are
probably asking yourself why would I want to inspect a packet outbound
if I already inspected it inbound?  The firewall for one.  If the firewall
initiates a connection, you can only filter it outbound.  You would be 
amazed at the information your firewall gives away with ICMP error
messages alone.  For details on this, check out the paper I just updated,
Auditing Your Firewall Rulebase
(http://www.enteract.com/~lspitz/audit.html).

Don't forget, if you are doing Hide address translation, this means all
return packets have the IP address of your firewall.  If the return packets
have any failures (such as TTL expiring), then the firewall responds on
their behalf, giving out information.

I'll be doing a total rewrite of my "Building Your Firewall Rulebase"
where I discuss these and other issues.

hope this helps :)

lance
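Added example (not part of this thread, and not Check Point's own code): a small first-match rulebase simulator with constructed rules that shows the ordering effect Lance describes. It assumes a simplified FW-1 model in which the implied "accept outgoing packets originating from gateway" rule is placed either First or Before Last (just ahead of the cleanup rule); the rule names and packets are made up for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    src: str      # "gateway", "internal", "external" or "any"
    dst: str
    svc: str      # "icmp", "http", ... or "any"
    action: str   # "accept" or "drop"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    svc: str


# Stand-in for the implied rule "Accept outgoing packets originating from gateway".
IMPLIED_ACCEPT_OUTGOING = Rule("implied: accept outgoing from gateway",
                               "gateway", "any", "any", "accept")

# Constructed explicit rulebase: the administrator wants to stop the firewall's
# own ICMP error messages from leaving, and ends with the usual cleanup rule.
EXPLICIT_RULES = [
    Rule("1 drop firewall ICMP to outside", "gateway", "external", "icmp", "drop"),
    Rule("2 internal users to internet", "internal", "external", "any", "accept"),
    Rule("3 cleanup", "any", "any", "any", "drop"),
]


def build_rulebase(explicit, position):
    """Insert the implied rule 'first' or 'before last' (just ahead of cleanup)."""
    if position == "first":
        return [IMPLIED_ACCEPT_OUTGOING] + explicit
    if position == "before last":
        return explicit[:-1] + [IMPLIED_ACCEPT_OUTGOING] + explicit[-1:]
    raise ValueError(f"unknown position: {position}")


def matches(rule, pkt):
    pairs = ((rule.src, pkt.src), (rule.dst, pkt.dst), (rule.svc, pkt.svc))
    return all(r in ("any", p) for r, p in pairs)


def first_match(rulebase, pkt):
    """First-match evaluation: the first rule that matches decides the packet."""
    for rule in rulebase:
        if matches(rule, pkt):
            return rule.name, rule.action
    return "implicit drop", "drop"


def decide(position, pkt):
    return first_match(build_rulebase(EXPLICIT_RULES, position), pkt)


if __name__ == "__main__":
    # A TTL-exceeded message the firewall itself emits on behalf of a hidden host.
    icmp_error = Packet("gateway", "external", "icmp")
    for position in ("first", "before last"):
        print(position, "->", decide(position, icmp_error))
```

With the implied rule First, the explicit drop rule for gateway-originated ICMP is never consulted; with Before Last it takes effect, while gateway traffic that no explicit rule covers is still accepted ahead of cleanup.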




================================================================================
     To unsubscribe from this mailing list, please see the instructions at
               http://www.checkpoint.com/services/mailing.html
================================================================================
   All contents © 2004 Network Presence, LLC. All rights reserved.