
RE: [FW1] Any-->does this include....




> -----Original Message-----
> From: [email protected] [mailto:[email protected]]
> Sent: Friday, February 09, 2001 8:47 AM
> 
> Correct me if I am wrong, but I think allowing ICMP is part of the
> policy properties.
> 
> I apologize if I am wrong here, I don't have a FW-1 box in front of
> me right now.
> 
> The email that I replied to said that any any any accept was = a
> router.
> 
> This is FAR from the truth.  (Although I wish it was the truth)


I don't have that email anymore, but I think the poster was trying to
say that Any-Any-Any does not impose any access control restrictions
based on source and destination address, and service/protocol. So in
essence, yeah, it would behave like a router if routing is allowed on
the box and no address translation rules are in effect.

Any as a service includes more than just ICMP. ICMP in the policy
allows a subset of the ICMP protocol such as echo, reply, traceroute
etc. But there are more IP protocols besides ICMP, TCP and UDP. If
you were to allow inbound traffic to a PPTP server for example, you
would have a rule that specifies src-dst-GRE, which would allow the
GRE protocol (IP protocol 47) to pass through. IPSec is another IP
protocol. As far as I know, using any will allow GRE, IPSec and other
IP protocols through. So the statement of TCP/UDP high ports was
incorrect (what about TCP/UDP low ports? ;)  Any is more like any any
day if anyone cares anymore anyway...

Regards,
Frank
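
An added example, not part of the original post and not FireWall-1's own rule format: a simplified rule-base model showing that a service of Any accepts GRE and IPSec as well as TCP, UDP and ICMP, plus an audit that reports such rules. The `Rule` tuple, rule names and host names are hypothetical; ports are ignored.

```python
# Simplified model of a firewall rule base (an assumption for illustration,
# not FireWall-1's format). A service is ANY or a set of IP protocol numbers.
from collections import namedtuple

ANY = "Any"
# IANA-assigned IP protocol numbers
IP_PROTOCOLS = {1: "ICMP", 6: "TCP", 17: "UDP",
                47: "GRE", 50: "ESP (IPSec)", 51: "AH (IPSec)"}
COMMON = {1, 6, 17}  # what people usually picture when they write "Any"

Rule = namedtuple("Rule", "name src dst service action", defaults=["accept"])

def rule_matches(rule, src, dst, proto):
    """True if the rule matches this source, destination and IP protocol."""
    return (rule.src in (ANY, src) and rule.dst in (ANY, dst)
            and (rule.service == ANY or proto in rule.service))

def first_match(rules, src, dst, proto):
    """First-match evaluation with an implicit final drop."""
    for rule in rules:
        if rule_matches(rule, src, dst, proto):
            return rule.action
    return "drop"

def audit_any_service(rules):
    """Map each accept rule with service Any to the non-TCP/UDP/ICMP
    protocols it also lets through."""
    extra = [name for num, name in sorted(IP_PROTOCOLS.items())
             if num not in COMMON]
    return {r.name: extra for r in rules
            if r.action == "accept" and r.service == ANY}

# Constructed sample rule bases
OPEN = [Rule("any-any-any", ANY, ANY, ANY)]
PPTP = [Rule("pptp-gre", ANY, "pptp-server", {47}),   # src-dst-GRE
        Rule("web", ANY, "web-server", {6})]

if __name__ == "__main__":
    for proto, name in sorted(IP_PROTOCOLS.items()):
        print(f"{name:12} open={first_match(OPEN, 'ext', 'pptp-server', proto):7}"
              f" pptp={first_match(PPTP, 'ext', 'pptp-server', proto)}")
    print(audit_any_service(OPEN + PPTP))
```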


