----- Original Message -----
Sent: Friday, February 09, 2001 1:04 PM
Subject: RE: [FW1] Any-->does this include....

Other IP protocols
IPSEC- 50
GRE- 47
OSPF- 89

Take a look at any new Unix distribution at the /etc/protocols file. There are all sorts of other IP protocols.

-----Original Message-----
From: Chris Arnold [mailto:[email protected]]
Sent: Friday, February 09, 2001 1:54 PM
To: '[email protected]'; [email protected]
Subject: RE: [FW1] Any-->does this include....

Actually, RFC791 specifies an 8 bit field in IP packets to identify the following protocol type. This means that 256 encapsulated IP protocol types could exist. Currently, 134 of them are assigned by IANA.

TCP= IP protocol 6
UDP= IP protocol 17
ICMP= IP protocol 1

Chris

-----Original Message-----
From: [email protected] [mailto:[email protected]]
Sent: Friday, February 09, 2001 1:00 PM
To: [email protected]
Subject: RE: [FW1] Any-->does this include....

Yes Frank, that is exactly what he was trying to suggest. But that is not correct. any any any accept still does impose traffic restrictions.

And as far as I am aware ICMP, UDP and TCP are the only IP protocols that exist.

Thanks,
Paul

On Fri, 9 Feb 2001, Frank Knobbe wrote:
>
> > -----Original Message-----
> > From: [email protected] [mailto:[email protected]]
> > Sent: Friday, February 09, 2001 8:47 AM
> >
> > Correct me if I am wrong, but I think allowing ICMP is part of the policy
> > properties.
> >
> > I apologize if I am wrong here, I don't have a FW-1 box in front of me
> > right now.
> >
> > The email that I replied to said that any any any accept was
> > = a router.
> >
> > This is FAR from the truth. (Although I wish it was the truth)
>
> I don't have that email anymore, but I think the poster was trying to
> say that Any-Any-Any does not impose any access control restrictions
> based on source and destination address, and service/protocol. So in
> essence, yeah would behave like a router if routing is allowed on the
> box and no address translation rules are in effect.
>
> Any as a service includes more than just ICMP. ICMP in the policy
> allows a subset of the ICMP protocol such as echo, reply, traceroute
> etc. But there are more IP protocols besides ICMP, TCP and UDP. If
> you were to allow inbound traffic to a PPTP server for example, you
> would have a rule that specifies src-dst-GRE, which would allow the
> GRE protocol (IP protocol 47) to pass through. IPSec is another IP
> protocol. As far as I know, using any will allow GRE, IPSec and other
> IP protocols through. So the statement of TCP/UDP highports was
> incorrect (what about TCP/UDP low ports? ;) Any is more like any any
> day if anyone cares anymore anyway...
>
> Regards,
> Frank
>
>
> ================================================================================
> To unsubscribe from this mailing list, please see the instructions at
> http://www.checkpoint.com/services/mailing.html
> ================================================================================
>
--
--Paul
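
An added example, not part of the original thread and not Check Point's code: it reads the 8-bit Protocol field from constructed IPv4 headers and compares what a service of "any" passes against a rule limited to ICMP, TCP and UDP. The rule model (`"any"` or a set of protocol numbers) and all function names are assumptions made for illustration.

```python
import struct

# Protocol numbers named in the thread (50 is ESP, the IPsec payload protocol).
PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP", 47: "GRE", 50: "IPSEC", 89: "OSPF"}


def ipv4_protocol(packet: bytes) -> int:
    """Return the 8-bit Protocol field of an IPv4 header (RFC 791, byte offset 9)."""
    if len(packet) < 20:
        raise ValueError("shorter than a minimal IPv4 header")
    version, ihl = packet[0] >> 4, packet[0] & 0x0F
    if version != 4 or ihl < 5:
        raise ValueError("not a valid IPv4 header")
    return packet[9]


def make_header(proto: int) -> bytes:
    """Build a constructed 20-byte IPv4 header (checksum left at 0, documentation addresses)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, proto, 0,
                       bytes([192, 0, 2, 1]), bytes([198, 51, 100, 1]))


def service_matches(rule_service, proto: int) -> bool:
    """Hypothetical rule model: 'any' matches every protocol number, a set matches its members."""
    return rule_service == "any" or proto in rule_service


def passed_protocols(rule_service, packets):
    """Names of the IP protocols among `packets` that the rule's service field lets through."""
    protos = [ipv4_protocol(p) for p in packets]
    return [PROTO_NAMES.get(n, str(n)) for n in protos if service_matches(rule_service, n)]


# Constructed sample traffic: one header per protocol mentioned in the thread.
SAMPLE = [make_header(n) for n in (1, 6, 17, 47, 50, 89)]

if __name__ == "__main__":
    print("service any          :", passed_protocols("any", SAMPLE))
    print("service ICMP/TCP/UDP :", passed_protocols({1, 6, 17}, SAMPLE))
```
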