Re: [FW1] Accept Outgoing Packets
Thanks Lance... your site has been a wealth of useful information for me, and I really like the new "Attack of the Week" thing you are doing.

Thank you

Carric Dooley
Senior Consultant
COM2:Interactive Media

"But this one goes to eleven." -- Nigel Tufnel

On Tue, 12 Dec 2000, Lance Spitzner wrote:

> On Tue, 12 Dec 2000, Carric Dooley wrote:
>
> > Anyone know the reasoning behind why this is recommended to be set to
> > "Before Last" in the policy properties? I am working with a FW with that
> > property set to first (and have seen it before) and I can't come up with a
> > good explanation to change it (nor can I find one with all my web ferret
> > diggings).
>
> Organizations may want to filter outbound packets as well as inbound.
> If the "Accept Outgoing" is placed first, then that rule takes priority,
> meaning the organization cannot filter outbound rules. Now, you are
> probably asking yourself why would I want to inspect a packet outbound
> if I already inspected it inbound? The firewall for one. If the firewall
> initiates a connection, you can only filter it outbound. You would be
> amazed at the information your firewall gives away with ICMP error
> messages alone. For details on this, check out the paper I just updated,
> Auditing Your Firewall Rulebase (http://www.enteract.com/~lspitz/audit.html).
>
> Don't forget, if you are doing Hide address translation, this means all
> return packets have the IP address of your firewall. If the return packets
> have any failures (such as TTL expiring), then the firewall responds on
> their behalf, giving out information.
>
> I'll be doing a total rewrite of my "Building Your Firewall Rulebase"
> where I discuss these and other issues.
>
> hope this helps :)
>
> lance
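The rule-ordering point Lance makes above, as an added example that is not code from this thread or from Check Point: a toy first-match rulebase evaluator that places an implied "Accept Outgoing" rule at First, Before Last or Last and reports which rule ends up deciding an ICMP packet the firewall itself sends out. The addresses, rule names, the explicit "no fw icmp out" rule and the cleanup rule are constructed for illustration, and the "Last" position is modelled for comparison beyond what the message discusses.

```python
# Toy first-match rulebase evaluator (added example, not FW-1 code).
# Models where the implied "Accept Outgoing Packets" rule lands relative
# to explicit rules, and which rule therefore decides a packet that the
# firewall itself originates. Addresses and rule names are constructed.
from typing import List, Tuple

FW_IP = "192.0.2.1"   # constructed: the firewall's own address
ANY = "any"

class Rule:
    def __init__(self, name, src, dst, service, action):
        self.name, self.src, self.dst = name, src, dst
        self.service, self.action = service, action

def _matches(field: str, value: str) -> bool:
    return field == ANY or field == value

def build_rulebase(explicit: List[Rule], position: str) -> List[Rule]:
    """Insert the implied accept-outgoing rule at the chosen position:
    "first" ahead of all explicit rules, "before last" just ahead of the
    final (cleanup) rule, "last" after everything including cleanup."""
    implied = Rule("implied: accept outgoing", FW_IP, ANY, ANY, "accept")
    if position == "first":
        return [implied] + explicit
    if position == "before last":
        return explicit[:-1] + [implied] + explicit[-1:]
    if position == "last":
        return explicit + [implied]
    raise ValueError("unknown position: " + position)

def evaluate(rulebase: List[Rule], src: str, dst: str, service: str) -> Tuple[str, str]:
    """First matching rule wins; return (action, name of deciding rule)."""
    for r in rulebase:
        if _matches(r.src, src) and _matches(r.dst, dst) and _matches(r.service, service):
            return r.action, r.name
    return "drop", "implicit drop"

# Constructed explicit policy: stop the firewall itself from emitting ICMP
# (the TTL-expired errors it would send on behalf of hidden hosts), then a
# cleanup rule that drops whatever was not explicitly accepted.
EXPLICIT = [
    Rule("no fw icmp out", FW_IP, ANY, "icmp", "drop"),
    Rule("cleanup", ANY, ANY, ANY, "drop"),
]

def fw_packet_decision(position: str, service: str = "icmp") -> Tuple[str, str]:
    """Which rule decides a packet from the firewall to an outside host?"""
    return evaluate(build_rulebase(EXPLICIT, position), FW_IP, "203.0.113.7", service)
```

With "first" the implied rule accepts the firewall's ICMP before the explicit drop is ever consulted; with "before last" the explicit drop fires while other firewall-originated traffic is still accepted.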