
RE: [FW1] Any-->does this include....




Other IP protocols

IPSEC- 50
GRE- 47
OSPF- 89

Take a look at any new Unix distribution at the /etc/protocols file.  There are all sorts of other IP protocols.

-----Original Message-----
From: Chris Arnold [mailto:[email protected]]
Sent: Friday, February 09, 2001 1:54 PM
To: '[email protected]'; [email protected]
Subject: RE: [FW1] Any-->does this include....



Actually, RFC791 specifies an 8 bit field in IP packets to identify the
following protocol type.  This means that 256 encapsulated IP protocol types
could exist.  Currently, 134 of them are assigned by IANA.

TCP= IP protocol 6
UDP= IP protocol 17
ICMP= IP protocol 1

Chris


-----Original Message-----
From: [email protected] [mailto:[email protected]]
Sent: Friday, February 09, 2001 1:00 PM
To: [email protected]
Subject: RE: [FW1] Any-->does this include....




Yes Frank, that is exactly what he was trying to suggest.  But that is not
correct.  any any any accept still does impose traffic restrictions.

And as far as I am aware ICMP, UDP and TCP are the only IP protocols that
exist.

Thanks,

Paul

On Fri, 9 Feb 2001, Frank Knobbe wrote:

>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> > -----Original Message-----
> > From: [email protected] [mailto:[email protected]]
> > Sent: Friday, February 09, 2001 8:47 AM
> >
> > Correct me if I am wrong, but I think allowing ICMP is part
> > of the policy
> > properties.
> >
> > I apologize if I am wrong here, I don't have a FW-1 box in front of
> > me right now.
> >
> > The email that I replied to said that any any any accept was
> > = a router.
> >
> > This is FAR from the truth.  (Although I wish it was the truth)
>
>
> I don't have that email anymore, but I think the poster was trying to
> say that Any-Any-Any does not impose any access control restrictions
> based on source and destination address, and service/protocol. So in
> essence, yeah, it would behave like a router if routing is allowed on the
> box and no address translation rules are in effect.
>
> Any as a service includes more than just ICMP. ICMP in the policy
> allows a subset of the ICMP protocol such as echo, reply, traceroute
> etc. But there are more IP protocols besides ICMP, TCP and UDP. If
> you were to allow inbound traffic to a PPTP server for example, you
> would have a rule that specifies src-dst-GRE, which would allow the
> GRE protocol (IP protocol 47) to pass through. IPSec is another IP
> protocol. As far as I know, using any will allow GRE, IPSec and other
> IP protocols through. So the statement of TCP/UDP highports was
> incorrect (what about TCP/UDP low ports? ;)  Any is more like any any
> day if anyone cares anymore anyway...
>
> Regards,
> Frank
>
> -----BEGIN PGP SIGNATURE-----
> Version: PGP Personal Privacy 6.5.8
> Comment: PGP or S/MIME encrypted email preferred.
>
> iQA/AwUBOoQUZZytSsEygtEFEQI//gCeMFrj+IRyBtZe/VPHDTKC+GzJo+4AnRzp
> A55x1WaflYWvV+7NVwtXQjiB
> =1IaS
> -----END PGP SIGNATURE-----
>
>
>
> ================================================================================
>      To unsubscribe from this mailing list, please see the instructions at
>                http://www.checkpoint.com/services/mailing.html
> ================================================================================
>

--
--Paul
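
An added example, not part of the original thread: it reads the 8-bit Protocol field that the RFC 791 message above refers to and lists which packets would match an Any service rule but not a rule limited to TCP, UDP and ICMP. The function names, the /etc/protocols-style excerpt and the packet headers are all constructed for illustration.

```python
import struct

# Constructed sample in /etc/protocols format (name, number, alias, comment).
PROTOCOLS_SAMPLE = """\
# constructed excerpt, /etc/protocols layout
icmp    1   ICMP    # internet control message protocol
tcp     6   TCP     # transmission control protocol
udp     17  UDP     # user datagram protocol
gre     47  GRE     # generic routing encapsulation
esp     50  ESP     # IPsec encapsulating security payload
ospf    89  OSPFIGP # open shortest path first
"""

def parse_protocols(text):
    """Map protocol number -> name from /etc/protocols-style text."""
    table = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()  # drop comments, then tokenize
        if len(fields) >= 2 and fields[1].isdigit():
            table.setdefault(int(fields[1]), fields[0])
    return table

def ipv4_protocol(packet):
    """Return the 8-bit Protocol field (byte offset 9) of an IPv4 header."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    if packet[0] >> 4 != 4 or (packet[0] & 0x0F) < 5:
        raise ValueError("not a valid IPv4 header")
    return packet[9]

def make_header(proto):
    """Build a constructed 20-byte IPv4 header (checksum left at zero)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, proto, 0,
                       bytes([192, 0, 2, 1]), bytes([198, 51, 100, 7]))

def audit(packets, names, allowed=frozenset({1, 6, 17})):
    """Packets that match an Any service but not a TCP/UDP/ICMP-only rule."""
    extra = []
    for pkt in packets:
        proto = ipv4_protocol(pkt)
        if proto not in allowed:
            extra.append((proto, names.get(proto, "not in table")))
    return extra

if __name__ == "__main__":
    names = parse_protocols(PROTOCOLS_SAMPLE)
    sample = [make_header(p) for p in (6, 17, 1, 47, 50, 89, 200)]
    for proto, name in audit(sample, names):
        print(f"IP protocol {proto:3d} ({name}) matches only the Any rule")
```
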



   All contents © 2004 Network Presence, LLC. All rights reserved.