Or if you just want to download it for reference. It really is
a good article.
Other IP protocols
IPSEC- 50
GRE- 47
OSPF- 89
Take a look at any new Unix distribution at the /etc/protocols
file. There are all sorts of other IP protocols.
-----Original Message-----
From: Chris Arnold [mailto:[email protected]]
Sent: Friday, February 09, 2001 1:54 PM
To: '[email protected]'; [email protected]
Subject: RE: [FW1] Any-->does this include....
Actually, RFC791 specifies an 8 bit field in IP packets to identify the
following protocol type. This means that 256 encapsulated IP protocol types
could exist. Currently, 134 of them are assigned by IANA.
TCP= IP protocol 6
UDP= IP protocol 17
ICMP= IP protocol 1
Chris
-----Original Message-----
From: [email protected] [mailto:[email protected]]
Sent: Friday, February 09, 2001 1:00 PM
To: [email protected]
Subject: RE: [FW1] Any-->does this include....
Yes Frank, that is exactly what he was trying to suggest. But that is not
correct. any any any accept still does impose traffic restrictions.
And as far as I am aware ICMP, UDP and TCP are the only IP protocols that
exist.
Thanks,
Paul
On Fri, 9 Feb 2001, Frank Knobbe wrote:
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> > -----Original Message-----
> > From: [email protected] [mailto:[email protected]]
> > Sent: Friday, February 09, 2001 8:47 AM
> >
> > Correct me if I am wrong, but I think allowing ICMP is part
> > of the policy properties.
> >
> > I apologize if I am wrong here, I don't have a FW-1 box in front of
> > me right now.
> >
> > The email that I replied to said that any any any accept was
> > = a router.
> >
> > This is FAR from the truth. (Although I wish it was the truth)
>
>
> I don't have that email anymore, but I think the poster was trying to
> say that Any-Any-Any does not impose any access control restrictions
> based on source and destination address, and service/protocol. So in
> essence, yeah would behave like a router if routing is allowed on the
> box and no address translation rules are in effect.
>
> Any as a service includes more than just ICMP. ICMP in the policy
> allows a subset of the ICMP protocol such as echo, reply, traceroute
> etc. But there are more IP protocols besides ICMP, TCP and UDP. If
> you were to allow inbound traffic to a PPTP server for example, you
> would have a rule that specifies src-dst-GRE, which would allow the
> GRE protocol (IP protocol 47) to pass through. IPSec is another IP
> protocol. As far as I know, using any will allow GRE, IPSec and other
> IP protocols through. So the statement of TCP/UDP highports was
> incorrect (what about TCP/UDP low ports? ;) Any is more like any any
> day if anyone cares anymore anyway...
>
> Regards,
> Frank
>
> -----BEGIN PGP SIGNATURE-----
> Version: PGP Personal Privacy 6.5.8
> Comment: PGP or S/MIME encrypted email preferred.
>
> iQA/AwUBOoQUZZytSsEygtEFEQI//gCeMFrj+IRyBtZe/VPHDTKC+GzJo+4AnRzp
> A55x1WaflYWvV+7NVwtXQjiB
> =1IaS
> -----END PGP SIGNATURE-----
>
>
>
> ================================================================================
> To unsubscribe from this mailing list, please see the instructions at
> http://www.checkpoint.com/services/mailing.html
> ================================================================================
>
--
--Paul
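
Added example, not part of the original thread or of any FireWall-1 tooling: a short Python sketch that reads the 8-bit protocol field from IPv4 headers (RFC 791, byte offset 9) and counts the traffic that falls outside TCP, UDP and ICMP, which is what a rule with service "Any" would also cover. The helper names and the sample packets are constructed for illustration; the protocol numbers are the ones quoted in the thread.

```python
import socket
import struct
from collections import Counter

# Protocol numbers quoted in the thread (50 is the IPsec ESP protocol).
KNOWN = {1: "ICMP", 6: "TCP", 17: "UDP", 47: "GRE", 50: "IPsec ESP", 89: "OSPF"}
COMMON = {1, 6, 17}  # what a rule base limited to ICMP/TCP/UDP would cover


def ip_protocol(packet: bytes) -> int:
    """Return the 8-bit protocol field of an IPv4 packet (RFC 791, byte 9)."""
    if len(packet) < 20:
        raise ValueError("shorter than a minimal IPv4 header")
    version, ihl = packet[0] >> 4, packet[0] & 0x0F
    if version != 4:
        raise ValueError(f"not IPv4 (version={version})")
    if ihl < 5 or len(packet) < ihl * 4:
        raise ValueError("bad header length")
    return packet[9]


def build_header(proto: int, src: str = "192.0.2.1", dst: str = "198.51.100.7") -> bytes:
    """Construct a 20-byte IPv4 header for testing (checksum left at zero)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, proto, 0,
                       socket.inet_aton(src), socket.inet_aton(dst))


def non_tcp_udp_icmp(packets):
    """Count packets whose protocol is outside TCP/UDP/ICMP, keyed by name."""
    seen = Counter()
    for pkt in packets:
        try:
            proto = ip_protocol(pkt)
        except ValueError:
            seen["malformed"] += 1
            continue
        if proto not in COMMON:
            seen[KNOWN.get(proto, f"protocol {proto}")] += 1
    return dict(seen)


# Constructed sample traffic, not captured data; the last entry is truncated.
SAMPLE = [build_header(p) for p in (6, 17, 1, 47, 50, 89, 47, 200)] + [b"\x45\x00"]

if __name__ == "__main__":
    for name, count in sorted(non_tcp_udp_icmp(SAMPLE).items()):
        print(f"{name}: {count}")
```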