
Re: [FW1] Rule question



Luke,

I agree with what you are saying here, BUT

Derek's initial problem was that he had 2 rules:
1. A to B for DNS accept
2. B to A for DNS accept

So when a packet going from A to B for DNS hits the rule base it tries to
match each rule in sequence. When it hits rule 1 the firewall accepts and
routes the packet. Similar procedure for rule 2.

If we combine these two rules into

A to A for DNS accept

then we create a rule which will not be matched, because no packet from A
will go to itself through the firewall.

Steve

----- Original Message -----
From: Luke, Jason (ISS Southfield) <[email protected]>
To: <[email protected]>
Cc: <[email protected]>
Sent: Monday, February 26, 2001 6:39 PM
Subject: RE: [FW1] Rule question


>
> Combining two similar rules into one rule should work, e.g. (A, B) -> (A, B)
> DNS Accept should work fine. If yours are not getting passed on that
> rule, the first thing I would check is that 'outside' network object. I've
> never created an object for 0.0.0.0 with a netmask of 0.0.0.0, and I cannot
> think of a reason to even do that. If you indeed had that object in that
> rule, why not just have an ANY ANY DNS ACCEPT rule? It would accomplish
> the same thing! I have a hunch that CheckPoint is biting on that 'outside'
> object, and mishandling it, because if CP handled it properly, then that
> rule would equate to any any dns accept and pass the dns traffic.
>
> I would go back to 2 rules:
> ns_servers ANY DNS Accept
> ANY ns_servers domain-udp Accept
>
> This lets your dns server make queries to anybody, but prevents just anybody
> from doing a zone transfer with you. If somebody does zone transfers,
> explicitly allow it with another rule allowing domain-tcp to your
> ns_servers.
>
> Or, if you are content with your original rule with 'outside' in the source
> and destination, use ANY ANY DNS Accept instead. It does the same thing,
> though is not a good idea security-wise.
>
>
> Jason
>
>
>
> -----Original Message-----
> From: Tim Parker [mailto:[email protected]]
> Sent: Monday, February 26, 2001 12:42 PM
> To: 'Steve Dangerfield ([email protected])';
> [email protected]
> Cc: [email protected]
> Subject: RE: [FW1] Rule question
>
>
>
> Steve -- I have faced the same problem and am still confused..... if you have
> the same sources and destinations (meaning they are both on both sides, if
> you will, of the rule) why wouldn't or shouldn't it work.... Is Checkpoint not
> intelligent enough for this? That would mean that anything you need or want
> to have traffic going in and out of would need two lines, which could make
> for an exceptionally long rules list.....
>
> tim
>
>
> -----Original Message-----
> From: Steve Dangerfield ([email protected])
> [mailto:[email protected]]
> Sent: Monday, February 26, 2001 10:11 AM
> To: [email protected]
> Cc: [email protected]
> Subject: Re: [FW1] Rule question
>
>
>
> Derek,
>
> It looks to me as though your DNS servers are sitting on your internal network.
> If they are, then no connection from the internal DNS servers will pass
> through the firewall to the internal DNS servers. Your rule states: an
> internal DNS server wishing to connect to an internal DNS server for DNS, Accept.
>
> It is good practice to simplify your rule base, for performance, but take
> care: you can't just eliminate common elements.
>
> Steve.
>
> ----- Original Message -----
> From: Derek J. Lambert <[email protected]>
> To: fw-1-mailinglist (E-mail) <[email protected]>
> Sent: Monday, February 26, 2001 12:56 PM
> Subject: [FW1] Rule question
>
>
> >
> > I was trying to consolidate my rulebase this weekend and found that what I
> > thought should work didn't. I'm probably missing something really simple
> > here, but I can't find it. I pored through the manuals and couldn't find
> > any help (surprise surprise), nor could I find anything on phoneboy. Any
> > help would be greatly appreciated!
> >
> > Here's the objects I have defined (fake ip's of course):
> >
> > Type           Name        Data
> > ------------   ----------  ----------------
> > workstation    ns1         192.168.10.1/24
> > workstation    ns2         192.168.10.2/24
> > service group  DNS         dns-udp, dns-tcp
> > host group     ns_servers  ns1, ns2
> > network        outside     0.0.0.0/0
> >
> > Originally I had the following 2 rules defined to let dns traffic to
> > specific hosts:
> >
> > Source      Dest        Service  Action
> > ----------  ----------  -------  ------
> > ns_servers  outside     DNS      Allow
> > outside     ns_servers  DNS      Allow
> >
> > I tried to merge this into one rule as:
> >
> > Source      Dest        Service  Action
> > ----------  ----------  -------  ------
> > ns_servers  ns_servers  DNS      Allow
> > outside     outside
> >
> > This caused all dns traffic to be dropped (per the last rule).
> >
> > Derek J. Lambert, MCSE, A+
> > Network Administrator
> > Columbia ParCar Corp.
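The matching behaviour the thread argues about (top-down, first match wins, implicit drop at the end, multi-valued source and destination columns, a 0.0.0.0/0 network object) can be checked with a small simulator. The code below is an added example, not part of the original thread and not Check Point's code. It takes the object and rule names from Derek's post, assumes a workstation object is a single host (/32, where Derek wrote /24), assumes ANY matches the same addresses as 0.0.0.0/0, and uses constructed test flows with documentation-range addresses.

```python
"""Added example (not code from the original thread): a minimal first-match
rule-base simulator modelling the FireWall-1 matching semantics discussed
above. Objects and rules follow Derek's post; test flows are constructed."""
import ipaddress

# Network objects from Derek's post (fake addresses, as he noted). Derek wrote
# the workstations with /24; a workstation object is a single host, so /32 is
# assumed here.
OBJECTS = {
    "ns1": ipaddress.ip_network("192.168.10.1/32"),
    "ns2": ipaddress.ip_network("192.168.10.2/32"),
    "outside": ipaddress.ip_network("0.0.0.0/0"),
}
GROUPS = {
    "ns_servers": ["ns1", "ns2"],
    "ANY": ["outside"],  # assumption: for matching, ANY covers the same as 0.0.0.0/0
}
SERVICES = {
    "domain-udp": {("udp", 53)},
    "domain-tcp": {("tcp", 53)},
    "ANY": None,  # wildcard service
}
SERVICES["DNS"] = SERVICES["domain-udp"] | SERVICES["domain-tcp"]


def expand(name):
    """Resolve an object or group name to the list of networks it covers."""
    if name in GROUPS:
        return [net for member in GROUPS[name] for net in expand(member)]
    return [OBJECTS[name]]


def addr_matches(names, addr):
    """True if addr falls inside any object listed in a rule column."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for name in names for net in expand(name))


def svc_matches(svc, proto, port):
    return SERVICES[svc] is None or (proto, port) in SERVICES[svc]


def evaluate(rulebase, src, dst, proto, port):
    """Walk the rule base top-down; the first match wins. Returns
    (rule number, action); (None, 'drop') models the implicit cleanup rule."""
    for number, (srcs, dsts, svc, action) in enumerate(rulebase, 1):
        if (addr_matches(srcs, src) and addr_matches(dsts, dst)
                and svc_matches(svc, proto, port)):
            return number, action
    return None, "drop"


def decisions(rulebase, flows):
    """Action taken for each flow, so two rule bases can be compared."""
    return [evaluate(rulebase, *flow)[1] for flow in flows]


# Derek's original two rules.
ORIGINAL = [
    (["ns_servers"], ["outside"], "DNS", "accept"),
    (["outside"], ["ns_servers"], "DNS", "accept"),
]
# Derek's merged rule: both objects in the source column, both in the
# destination column.
MERGED = [
    (["ns_servers", "outside"], ["ns_servers", "outside"], "DNS", "accept"),
]
# Jason's recommendation: outbound DNS (udp and tcp) from the servers, inbound
# udp only, so a zone transfer (tcp/53) from outside falls through to the drop.
RECOMMENDED = [
    (["ns_servers"], ["ANY"], "DNS", "accept"),
    (["ANY"], ["ns_servers"], "domain-udp", "accept"),
]

# Constructed test traffic: (src, dst, proto, dst_port).
FLOWS = [
    ("192.168.10.1", "203.0.113.53", "udp", 53),   # outbound query
    ("192.168.10.1", "203.0.113.53", "tcp", 53),   # outbound tcp/53
    ("198.51.100.7", "192.168.10.1", "udp", 53),   # inbound query
    ("198.51.100.7", "192.168.10.1", "tcp", 53),   # inbound zone-transfer attempt
    ("192.168.10.1", "203.0.113.80", "tcp", 80),   # not DNS at all
]

if __name__ == "__main__":
    for name, rb in (("original", ORIGINAL), ("merged", MERGED),
                     ("recommended", RECOMMENDED)):
        print(name)
        for flow in FLOWS:
            print("  ", flow, "->", evaluate(rb, *flow))
```

Run as a script it prints the rule hit and action for every flow under each rule base. Two things stand out. First, in this set-based model the merged rule and the two original rules make exactly the same decisions, which is the logical point Jason makes; the drop Derek saw is not reproduced by rule semantics alone, so its cause lies elsewhere (Jason's hunch is the handling of the 'outside' object). Second, `addr_matches(["outside"], "192.168.10.2")` is true: an object defined as 0.0.0.0/0 matches every address, the internal DNS servers included, which is why Jason reads Derek's rule as equivalent to ANY ANY DNS Accept, and why the recommended split with domain-udp inbound is the safer shape.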



================================================================================
     To unsubscribe from this mailing list, please see the instructions at
               http://www.checkpoint.com/services/mailing.html
================================================================================



 
   All contents © 2004 Network Presence, LLC. All rights reserved.