
RE: [FW1] Rule question



I'm not an expert on this, but we have rules to control outbound connections
and others to control inbound. It does add a bit of complexity as far as
number of rules, but it is relatively simple to keep track of what rule does
what. We put the outbound rules at the top of the list, inbound ones after
those, intending to provide quicker rule processing for our internal users.
I think that if we tried to combine inbound and outbound rules, if it were
possible at all, the rule set would get too convoluted to understand in a
pinch, and it's usually in a pinch that I'm looking at it...

-----Original Message-----
From: Tim Parker [mailto:[email protected]]
Sent: Monday, February 26, 2001 10:42 AM
To: 'Steve Dangerfield ([email protected])';
[email protected]
Cc: [email protected]
Subject: RE: [FW1] Rule question



Steve -- I have faced the same problem and am still confused... if you have
the same sources and destinations (meaning they are both on both sides, if
you will, of the rule) why wouldn't or shouldn't it work... Is Check Point not
intelligent enough for this? That would mean that anything you need or want
to have traffic going in and out of would need two lines, which could make
for an exceptionally long rules list...

tim


-----Original Message-----
From: Steve Dangerfield ([email protected])
[mailto:[email protected]]
Sent: Monday, February 26, 2001 10:11 AM
To: [email protected]
Cc: [email protected]
Subject: Re: [FW1] Rule question



Derek,

It looks to me as though your DNS servers are sitting on your internal network.
If they are, then no connection from the internal DNS servers will pass
through the firewall to the internal DNS servers. Your rule states: an
internal DNS server wishing to connect to an internal DNS server for DNS, Accept.

It is good practice to simplify your rule base, for performance, but take
care: you can't just eliminate common elements.

Steve.

----- Original Message -----
From: Derek J. Lambert <[email protected]>
To: fw-1-mailinglist (E-mail) <[email protected]>
Sent: Monday, February 26, 2001 12:56 PM
Subject: [FW1] Rule question


>
> I was trying to consolidate my rulebase this weekend and found that what I
> thought should work didn't. I'm probably missing something really simple
> here, but I can't find it. I pored through the manuals and couldn't find
> any help (surprise, surprise), nor could I find anything on phoneboy. Any
> help would be greatly appreciated!
>
> Here are the objects I have defined (fake IPs, of course):
>
> Type           Name        Data
> workstation    ns1         192.168.10.1/24
> workstation    ns2         192.168.10.2/24
> service group  DNS         dns-udp, dns-tcp
> host group     ns_servers  ns1, ns2
> network        outside     0.0.0.0/0
>
> Originally I had the following 2 rules defined to let DNS traffic to
> specific hosts:
>
> Source       Dest         Service   Action
> ------       ----         -------   ------
> ns_servers   outside      DNS       Allow
> ------------------------------------------------
> outside      ns_servers   DNS       Allow
>
> I tried to merge this into one rule as:
>
> Source       Dest         Service   Action
> ------       ----         -------   ------
> ns_servers   ns_servers   DNS       Allow
> outside      outside
>
> This caused all DNS traffic to be dropped (per the last rule).
>
> Derek J. Lambert, MCSE, A+
> Network Administrator
> Columbia ParCar Corp.
>
> ================================================================================
>      To unsubscribe from this mailing list, please see the instructions at
>                http://www.checkpoint.com/services/mailing.html
> ================================================================================



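The thread turns on what a rule with several objects stacked in its Source and Destination cells actually means. The following is an added example, not code from the list or from Check Point: a small first-match rulebase evaluator using Derek's (fake) objects, under the usual FireWall-1 semantics that a packet matches a rule when its source matches any object in the Source cell, its destination matches any object in the Destination cell, and its service matches any object in the Service cell. It does not reproduce the drop Derek saw; it only shows what the two-rule and merged forms permit under those semantics. The workstation objects are modelled as single hosts (an assumption; the /24 in the post is read as a netmask field, not a network), and the sample flows and the 198.51.100.0/24 and 203.0.113.0/24 addresses are constructed for the example.

```python
"""
Added example: first-match evaluation of a Check Point style rulebase whose
cells may hold several objects. Not the mailing list's or Check Point's code.
"""
import ipaddress
from dataclasses import dataclass

# Objects from the original post (fake addresses, as Derek said).
# Assumption: a 'workstation' object is one host, so ns1/ns2 are /32 here.
NETWORKS = {
    "ns1": ipaddress.ip_network("192.168.10.1/32"),
    "ns2": ipaddress.ip_network("192.168.10.2/32"),
    "outside": ipaddress.ip_network("0.0.0.0/0"),   # note: also contains ns1/ns2
}
GROUPS = {"ns_servers": ("ns1", "ns2")}               # host group
SERVICE_GROUPS = {"DNS": ("dns-udp", "dns-tcp")}      # service group


def expand(name):
    """Resolve a host/network name or a group name to its list of networks."""
    if name in GROUPS:
        nets = []
        for member in GROUPS[name]:
            nets.extend(expand(member))
        return nets
    return [NETWORKS[name]]


def expand_service(name):
    """Resolve a service or service-group name to the set of concrete services."""
    return set(SERVICE_GROUPS.get(name, (name,)))


@dataclass(frozen=True)
class Rule:
    sources: tuple     # every object stacked in the Source cell
    dests: tuple       # every object stacked in the Destination cell
    services: tuple    # every object stacked in the Service cell
    action: str


def addr_matches(addr, names):
    """True if addr falls inside ANY object listed in a cell."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for name in names for net in expand(name))


def evaluate(rulebase, src, dst, service):
    """First matching rule wins; an implicit final rule drops everything.
    Returns (action, rule_number); the implicit rule is numbered len+1."""
    for number, rule in enumerate(rulebase, start=1):
        if (addr_matches(src, rule.sources)
                and addr_matches(dst, rule.dests)
                and any(service in expand_service(s) for s in rule.services)):
            return rule.action, number
    return "Drop", len(rulebase) + 1


# Derek's original pair of rules and his merged single rule.
TWO_RULES = [
    Rule(("ns_servers",), ("outside",), ("DNS",), "Allow"),
    Rule(("outside",), ("ns_servers",), ("DNS",), "Allow"),
]
MERGED = [
    Rule(("ns_servers", "outside"), ("ns_servers", "outside"), ("DNS",), "Allow"),
]

# Constructed sample flows: (source, destination, service).
FLOWS = [
    ("192.168.10.1", "198.51.100.53", "dns-udp"),   # ns1 -> Internet resolver
    ("198.51.100.7", "192.168.10.2", "dns-tcp"),    # Internet -> ns2
    ("192.168.10.1", "192.168.10.2", "dns-udp"),    # ns1 -> ns2
    ("203.0.113.9", "198.51.100.53", "dns-udp"),    # neither end is a name server
    ("192.168.10.1", "198.51.100.53", "http"),      # not DNS at all
]


def compare(rulebase_a, rulebase_b, flows=FLOWS):
    """Flows on which the two rulebases give different actions."""
    diffs = []
    for flow in flows:
        action_a = evaluate(rulebase_a, *flow)[0]
        action_b = evaluate(rulebase_b, *flow)[0]
        if action_a != action_b:
            diffs.append((flow, action_a, action_b))
    return diffs


if __name__ == "__main__":
    for flow in FLOWS:
        print(flow, "two rules:", evaluate(TWO_RULES, *flow),
              "merged:", evaluate(MERGED, *flow))
    print("flows the merged rule changes:", compare(TWO_RULES, MERGED))
```

Running it shows the merged rule is a superset of the pair: stacking objects in a cell is a product of sources and destinations, so ns_servers/outside to ns_servers/outside also admits outside-to-outside DNS, and with outside defined as 0.0.0.0/0 that is any-to-any DNS through the gateway. The same 0.0.0.0/0 definition means ns1 to ns2 already matches the first of the two original rules, since the internal hosts are inside "outside" too. That is the concrete form of Steve's warning that common elements can't simply be factored out.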



   All contents © 2004 Network Presence, LLC. All rights reserved.