
Re: [FW1] Accept Outgoing Packets



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Thanks Lance... your site has been a wealth of useful information for me,
and I really like the new "Attack of the Week" thing you are doing.

Thank you


Carric Dooley
Senior Consultant
COM2:Interactive Media

"But this one goes to eleven."
- -- Nigel Tufnel


On Tue, 12 Dec 2000, Lance Spitzner wrote:

> On Tue, 12 Dec 2000, Carric Dooley wrote:
> 
> > Anyone know the reasoning behind why this is recommended to be set to
> > "Before Last" in the policy properties?  I am working with a FW with that
> > property set to first (and have seen it before) and I can't come up with a
> > good explanation to change it (nor can I find one with all my web ferret
> > diggings).
> 
> Organizations may want to filter outbound packets as well as inbound.
> If the "Accept Outgoing" is placed first, then that rule takes priority,
> meaning the organization cannot filter outbound rules.  Now, you are
> probably asking yourself why would I want to inspect a packet outbound
> if I already inspected it inbound?  The firewall for one.  If the firewall
> initiates a connection, you can only filter it outbound.  You would be 
> amazed at the information your firewall gives away with ICMP error
> messages alone.  For details on this, check out the paper I just updated,
> Auditing Your Firewall Rulebase (http://www.enteract.com/~lspitz/audit.html).
> 
> Don't forget, if you are doing Hide address translation, this means all
> return packets have the IP address of your firewall.  If the return packets
> have any failures (such as TTL expiring), then the firewall responds on
> their behalf, giving out information.
> 
> I'll be doing a total rewrite of my "Building Your Firewall Rulebase"
> where I discuss these and other issues.
> 
> hope this helps :)
> 
> lance
> 
> 

-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.1
Comment: Made with pgp4pine 1.75-6

iQA/AwUBOjeQK1UqWOkDpMZ2EQKCtwCdHbevbOljy+I+rZEsINeTGfCnbHoAoNsF
DbdNK89rtzoxTGw6P+y0aH5z
=LxtZ
-----END PGP SIGNATURE-----
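To make the rule-ordering point in Lance's reply concrete, here is an added example (not code from the thread or from Check Point) that models a first-match rulebase and places the implied "Accept Outgoing" rule either first or "Before Last". The addresses, rule names and the assumption that the implied rule matches only traffic originating from the gateway's own address are constructed for the demonstration.

```python
"""
Added example, not from the original mailing-list thread: a tiny first-match
rulebase evaluator showing why the implied "Accept Outgoing Packets" rule
should sit "Before Last" rather than "First". Addresses and rule names below
are constructed for the demo.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, List, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str              # "tcp", "udp" or "icmp"
    dport: Optional[int]    # None for icmp
    outbound: bool          # True when leaving via the external interface


@dataclass(frozen=True)
class Rule:
    name: str
    src: str                # CIDR, single address, or "any"
    dst: str
    proto: str              # "any" or a protocol name
    dport: Optional[int]    # None means any port
    outbound: Optional[bool]  # None means either direction
    action: str             # "accept" or "drop"


def _match_net(spec: str, addr: str) -> bool:
    return spec == "any" or ip_address(addr) in ip_network(spec)


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    return (_match_net(rule.src, pkt.src) and _match_net(rule.dst, pkt.dst)
            and rule.proto in ("any", pkt.proto)
            and (rule.dport is None or rule.dport == pkt.dport)
            and (rule.outbound is None or rule.outbound == pkt.outbound))


def evaluate(rulebase: List[Rule], pkt: Packet) -> Tuple[str, str]:
    """First-match semantics: the first matching rule decides the verdict."""
    for rule in rulebase:
        if rule_matches(rule, pkt):
            return rule.name, rule.action
    return "implicit drop", "drop"


# Constructed values: the firewall's external address and the internal LAN.
FIREWALL_EXT = "192.0.2.1"
LAN = "10.0.0.0/8"

# Assumption for the demo: the implied rule accepts anything that originates
# from the gateway itself and leaves outbound.
ACCEPT_OUTGOING = Rule("implied: accept outgoing", FIREWALL_EXT, "any",
                       "any", None, True, "accept")

# Explicit rules written by the administrator, including an outbound filter on
# the firewall's own ICMP error messages (the leak Lance describes).
EXPLICIT = [
    Rule("drop fw icmp out", FIREWALL_EXT, "any", "icmp", None, True, "drop"),
    Rule("lan http out", LAN, "any", "tcp", 80, True, "accept"),
]
CLEANUP = Rule("cleanup: drop all", "any", "any", "any", None, None, "drop")


def build_rulebase(implied_position: str) -> List[Rule]:
    """Place the implied rule where the policy property says."""
    if implied_position == "first":
        return [ACCEPT_OUTGOING] + EXPLICIT + [CLEANUP]
    if implied_position == "before last":
        return EXPLICIT + [ACCEPT_OUTGOING, CLEANUP]
    raise ValueError(f"unknown position: {implied_position}")


# An ICMP error the firewall itself would send outbound, e.g. on behalf of a
# hidden (NAT'd) host whose packet's TTL expired.
FW_ICMP_ERROR = Packet(FIREWALL_EXT, "203.0.113.9", "icmp", None, True)
LAN_HTTP = Packet("10.1.2.3", "203.0.113.9", "tcp", 80, True)


def verdict(implied_position: str, pkt: Packet = FW_ICMP_ERROR) -> Tuple[str, str]:
    return evaluate(build_rulebase(implied_position), pkt)


if __name__ == "__main__":
    for pos in ("first", "before last"):
        print(f"{pos:12s} -> {verdict(pos)}")
```

With the implied rule first, the administrator's "drop fw icmp out" rule is never reached and the firewall's ICMP errors leave unfiltered; with it "Before Last", the explicit drop fires while ordinary LAN traffic is unaffected.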



