RE: [FW1] Any-->does this include....
Thank you for correcting me.

On Fri, 9 Feb 2001, Chris Arnold wrote:

> Actually, RFC791 specifies an 8 bit field in IP packets to identify the
> following protocol type. This means that 256 encapsulated IP protocol types
> could exist. Currently, 134 of them are assigned by IANA.
>
> TCP= IP protocol 6
> UDP= IP protocol 17
> ICMP= IP protocol 1
>
> Chris
>
>
> -----Original Message-----
> From: [email protected] [mailto:[email protected]]
> Sent: Friday, February 09, 2001 1:00 PM
> To: [email protected]
> Subject: RE: [FW1] Any-->does this include....
>
>
> Yes Frank, that is exactly what he was trying to suggest. But that is not
> correct. any any any accept still does impose traffic restrictions.
>
> And as far as I am aware ICMP, UDP and TCP are the only IP protocols that
> exist.
>
> Thanks,
>
> Paul
>
> On Fri, 9 Feb 2001, Frank Knobbe wrote:
>
> > -----BEGIN PGP SIGNED MESSAGE-----
> > Hash: SHA1
> >
> > > -----Original Message-----
> > > From: [email protected] [mailto:[email protected]]
> > > Sent: Friday, February 09, 2001 8:47 AM
> > >
> > > Correct me if I am wrong, but I think allowing ICMP is part
> > > of the policy
> > > properties.
> > >
> > > I apologize if I am wrong here, I don't have a FW-1 box in front of
> > > me right now.
> > >
> > > The email that I replied to said that any any any accept was
> > > = a router.
> > >
> > > This is FAR from the truth. (Although I wish it was the truth)
> > >
> >
> > I don't have that email anymore, but I think the poster was trying to
> > say that Any-Any-Any does not impose any access control restrictions
> > based on source and destination address, and service/protocol. So in
> > essence, yeah would behave like a router if routing is allowed on the
> > box and no address translation rules are in effect.
> >
> > Any as a service includes more than just ICMP. ICMP in the policy
> > allows a subset of the ICMP protocol such as echo, reply, traceroute
> > etc. But there are more IP protocols besides ICMP, TCP and UDP. If
> > you were to allow inbound traffic to a PPTP server for example, you
> > would have a rule that specifies src-dst-GRE, which would allow the
> > GRE protocol (IP protocol 47) to pass through. IPSec is another IP
> > protocol. As far as I know, using any will allow GRE, IPSec and other
> > IP protocols through. So the statement of TCP/UDP highports was
> > incorrect (what about TCP/UDP low ports? ;) Any is more like any any
> > day if anyone cares anymore anyway...
> >
> > Regards,
> > Frank
> >
> > -----BEGIN PGP SIGNATURE-----
> > Version: PGP Personal Privacy 6.5.8
> > Comment: PGP or S/MIME encrypted email preferred.
> >
> > iQA/AwUBOoQUZZytSsEygtEFEQI//gCeMFrj+IRyBtZe/VPHDTKC+GzJo+4AnRzp
> > A55x1WaflYWvV+7NVwtXQjiB
> > =1IaS
> > -----END PGP SIGNATURE-----
> >
> > ================================================================================
> > To unsubscribe from this mailing list, please see the instructions at
> > http://www.checkpoint.com/services/mailing.html
> > ================================================================================
> >

--
--Paul
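The following is an added example, not part of the original thread or of any FW-1 code: it reads the 8-bit protocol field from constructed IPv4 headers and lists which non-TCP/UDP/ICMP protocols a rule's service column would accept. The rule model (`rule_accepts`, with "Any" matching every protocol number, as Frank describes) and the sample addresses are assumptions made for illustration.

```python
import socket
import struct

# IANA protocol numbers: 1/6/17/47 are quoted in the thread; 50 (ESP) and
# 51 (AH) are the IPsec protocols the thread mentions only by name.
PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP", 47: "GRE", 50: "ESP", 51: "AH"}


def build_ipv4_header(proto, src="192.0.2.10", dst="198.51.100.20"):
    """Constructed sample input: a 20-byte IPv4 header (checksum left at 0)."""
    return struct.pack(
        "!BBHHHBBH4s4s",
        0x45, 0, 20, 0, 0,   # version 4 + IHL 5, TOS, total length, ID, flags/frag
        64, proto, 0,        # TTL, 8-bit protocol field, header checksum
        socket.inet_aton(src), socket.inet_aton(dst),
    )


def ip_protocol(packet):
    """Return the protocol field: byte 9 of the IPv4 header (RFC 791)."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not a complete IPv4 header")
    return packet[9]


def rule_accepts(service, proto):
    """Simplified rule model (assumption): 'Any' matches every protocol number."""
    return service == "Any" or proto in service


def audit(service, packets):
    """Name the accepted protocols that are neither ICMP, TCP nor UDP."""
    extra = set()
    for pkt in packets:
        proto = ip_protocol(pkt)
        if rule_accepts(service, proto) and proto not in (1, 6, 17):
            extra.add(PROTO_NAMES.get(proto, f"protocol {proto}"))
    return sorted(extra)


# Constructed packets; 89 is deliberately absent from the name table.
SAMPLE = [build_ipv4_header(p) for p in (1, 6, 17, 47, 50, 51, 89)]

if __name__ == "__main__":
    print("service=Any          :", audit("Any", SAMPLE))
    print("service=ICMP/TCP/UDP :", audit({1, 6, 17}, SAMPLE))
```

Running it shows the "Any" service accepting GRE, ESP, AH and an unnamed protocol number, while an explicit ICMP/TCP/UDP service set accepts none of them.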