RE: [FW1] Rule question
Combining two similar rules into one rule should work, e.g. (A, B) -> (A, B) DNS Accept should work fine. If yours are not getting passed on that rule, the first thing I would check is that 'outside' network object. I've never created an object for 0.0.0.0 with a netmask of 0.0.0.0, and I cannot think of a reason to even do that. If you indeed had that object in that rule, why not just have an ANY ANY DNS ACCEPT rule? It would accomplish the same thing! I have a hunch that CheckPoint is biting on that 'outside' object, and mishandling it, because if CP handled it properly, then that rule would equate to any any dns accept and pass the dns traffic.

I would go back to 2 rules:

    ns_servers  ANY         DNS         Accept
    ANY         ns_servers  domain-udp  Accept

This lets your dns server make queries to anybody, but prevents just anybody from doing a zone transfer with you. If somebody does zone transfers, explicitly allow it with another rule allowing domain-tcp to your ns_servers. Or, if you are content with your original rule with 'outside' in the source and destination, use ANY ANY DNS Accept instead. It does the same thing, though is not a good idea security-wise.

Jason

-----Original Message-----
From: Tim Parker [mailto:[email protected]]
Sent: Monday, February 26, 2001 12:42 PM
To: 'Steve Dangerfield ([email protected])'; [email protected]
Cc: [email protected]
Subject: RE: [FW1] Rule question

Steve --

I have faced the same problem and am still confused... if you have the same sources and destinations (meaning they are both on both sides, if you will, of the rule) why wouldn't or shouldn't it work... Is checkpoint not intelligent enough for this? That would mean that anything you need or want to have traffic going in and out of would need two lines, which could make for an exceptionally long rules list...
tim

-----Original Message-----
From: Steve Dangerfield ([email protected]) [mailto:[email protected]]
Sent: Monday, February 26, 2001 10:11 AM
To: [email protected]
Cc: [email protected]
Subject: Re: [FW1] Rule question

Derek,

It looks to me as though your DNS servers are sat on your internal network. If they are then no connection from the internal DNS servers will pass through the firewall to the Internal DNS servers. Your rule states, An internal DNS wishing to connect to an Internal DNS server for DNS, Accept.

It is good practice to simplify your rule base, for performance, but take care, you can't just eliminate common elements.

Steve.

----- Original Message -----
From: Derek J. Lambert <[email protected]>
To: fw-1-mailinglist (E-mail) <[email protected]>
Sent: Monday, February 26, 2001 12:56 PM
Subject: [FW1] Rule question

> I was trying to consolidate my rulebase this weekend and found that what I
> thought should work didn't. I'm probably missing something really simple
> here, but I can't find it. I pored through the manuals and couldn't find
> any help (surprise surprise), nor could I find anything on phoneboy. Any
> help would be greatly appreciated!
>
> Here are the objects I have defined (fake ip's of course):
>
> Type           Name        Data
> workstation    ns1         192.168.10.1/24
> workstation    ns2         192.168.10.2/24
> service group  DNS         dns-udp, dns-tcp
> host group     ns_servers  ns1, ns2
> network        outside     0.0.0.0/0
>
> Originally I had the following 2 rules defined to let dns traffic to
> specific hosts:
>
> Source      Dest        Service  Action
> ------      ----        -------  ------
> ns_servers  outside     DNS      Allow
> ------------------------------------------------
> outside     ns_servers  DNS      Allow
>
> I tried to merge this into one rule as:
>
> Source      Dest        Service  Action
> ------      ----        -------  ------
> ns_servers  ns_servers  DNS      Allow
> outside     outside
>
> This caused all dns traffic to be dropped (per the last rule).
>
> Derek J. Lambert, MCSE, A+
> Network Administrator
> Columbia ParCar Corp.
>
> ================================================================================
> To unsubscribe from this mailing list, please see the instructions at
> http://www.checkpoint.com/services/mailing.html
> ================================================================================
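The policies discussed in this thread (Derek's original pair, his merged rule, Jason's two-rule replacement, and ANY ANY DNS Accept), evaluated with plain first-match set semantics in a small Python model. This is an added example, not code from the list archive or from Check Point; the 8.8.8.8, 203.0.113.x and 192.168.10.50 addresses are constructed test values. It shows what the merged rule means logically once 'outside' is 0.0.0.0/0 (it admits TCP/53 to hosts that are not name servers, exactly like ANY ANY DNS Accept, while Jason's version does not); it does not reproduce the drop Derek observed on FW-1.

```python
import ipaddress

# Network objects from Derek's message (the thread's fake addresses). The
# workstation objects are modelled as single hosts; "outside" is 0.0.0.0/0.
NETS = {
    "ns_servers": ["192.168.10.1/32", "192.168.10.2/32"],
    "outside": ["0.0.0.0/0"],
    "any": ["0.0.0.0/0"],
}
# Services as (protocol, port). "DNS" is Derek's group; domain-udp and
# domain-tcp are the Check Point names Jason uses for the same two services.
SERVICES = {
    "domain-udp": [("udp", 53)],
    "domain-tcp": [("tcp", 53)],
    "DNS": [("udp", 53), ("tcp", 53)],
}
# Each policy is an ordered list of (sources, destinations, services, action);
# an implicit final drop-everything cleanup rule ends every policy.
POLICIES = {
    "original": [(["ns_servers"], ["outside"], ["DNS"], "accept"),
                 (["outside"], ["ns_servers"], ["DNS"], "accept")],
    "merged": [(["ns_servers", "outside"], ["ns_servers", "outside"],
                ["DNS"], "accept")],
    "jason": [(["ns_servers"], ["any"], ["DNS"], "accept"),
              (["any"], ["ns_servers"], ["domain-udp"], "accept")],
    "any_any": [(["any"], ["any"], ["DNS"], "accept")],
}

def in_objects(ip, names):
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(net)
               for name in names for net in NETS[name])

def in_services(proto, port, names):
    return any((proto, port) in SERVICES[name] for name in names)

def decide(policy, src, dst, proto, port):
    """First-match evaluation: ('accept'|'drop', matching rule number or None)."""
    for num, (srcs, dsts, svcs, action) in enumerate(POLICIES[policy], start=1):
        if (in_objects(src, srcs) and in_objects(dst, dsts)
                and in_services(proto, port, svcs)):
            return action, num
    return "drop", None  # cleanup rule

def compare(src, dst, proto, port):
    """Decision of every policy for one flow, for side-by-side review."""
    return {name: decide(name, src, dst, proto, port)[0] for name in POLICIES}
```

Comparing an inbound TCP/53 flow to a non-name-server host across the four policies is the quickest way to see that the merged rule and ANY ANY DNS Accept are the same policy.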