Re: [FW1] Rule question
Luke,

I agree with what you are saying here, BUT Derek's initial problem was that he had 2 rules:

1. A to B for DNS accept
2. B to A for DNS accept

So when a packet going from A to B for DNS hits the rule base it tries to match each rule in sequence. When it hits rule 1 the firewall accepts and routes the packet. Similar procedure for rule 2. If we combine these two rules into "A to A for DNS accept" then we create a rule which will not be matched, because no packet from A will go to itself through the firewall.

Steve

----- Original Message -----
From: Luke, Jason (ISS Southfield) <[email protected]>
To: <[email protected]>
Cc: <[email protected]>
Sent: Monday, February 26, 2001 6:39 PM
Subject: RE: [FW1] Rule question


> Combining two similar rules into one rule should work, e.g. (A, B) -> (A, B)
> DNS Accept should work fine. If yours are not getting passed on that
> rule, the first thing I would check is that 'outside' network object. I've
> never created an object for 0.0.0.0 with a netmask of 0.0.0.0, and I cannot
> think of a reason to even do that. If you indeed had that object in that
> rule, why not just have an ANY ANY DNS ACCEPT rule? It would accomplish
> the same thing! I have a hunch that CheckPoint is biting on that 'outside'
> object, and mishandling it, because if CP handled it properly, then that
> rule would equate to any any dns accept and pass the dns traffic.
>
> I would go back to 2 rules:
> ns_servers ANY DNS Accept
> ANY ns_servers domain-udp Accept
>
> This lets your dns server make queries to anybody, but prevents just anybody
> from doing a zone transfer with you. If somebody does zone transfers,
> explicitly allow it with another rule allowing domain-tcp to your
> ns_servers.
>
> Or, if you are content with your original rule with 'outside' in the source
> and destination, use ANY ANY DNS Accept instead. It does the same thing,
> though is not a good idea security-wise.
>
> Jason
>
> -----Original Message-----
> From: Tim Parker [mailto:[email protected]]
> Sent: Monday, February 26, 2001 12:42 PM
> To: 'Steve Dangerfield ([email protected])'; [email protected]
> Cc: [email protected]
> Subject: RE: [FW1] Rule question
>
> Steve -- I have faced the same problem and am still confused... If you have
> the same sources and destinations (meaning they are both on both sides, if
> you will, of the rule), why wouldn't or shouldn't it work? Is Checkpoint not
> intelligent enough for this? That would mean that anything you need or want
> to have traffic going in and out of would need two lines, which could make
> for an exceptionally long rules list...
>
> tim
>
> -----Original Message-----
> From: Steve Dangerfield ([email protected]) [mailto:[email protected]]
> Sent: Monday, February 26, 2001 10:11 AM
> To: [email protected]
> Cc: [email protected]
> Subject: Re: [FW1] Rule question
>
> Derek,
>
> It looks to me as though your DNS servers are sat on your internal network.
> If they are, then no connection from the internal DNS servers will pass
> through the firewall to the internal DNS servers. Your rule states: an
> internal DNS wishing to connect to an internal DNS server for DNS, Accept.
>
> It is good practice to simplify your rule base, for performance, but take
> care: you can't just eliminate common elements.
>
> Steve.
>
> ----- Original Message -----
> From: Derek J. Lambert <[email protected]>
> To: fw-1-mailinglist (E-mail) <[email protected]>
> Sent: Monday, February 26, 2001 12:56 PM
> Subject: [FW1] Rule question
>
> > I was trying to consolidate my rulebase this weekend and found that what I
> > thought should work didn't. I'm probably missing something really simple
> > here, but I can't find it. I pored through the manuals and couldn't find
> > any help (surprise surprise), nor could I find anything on phoneboy. Any
> > help would be greatly appreciated!
> >
> > Here's the objects I have defined (fake ip's of course):
> >
> > Type           Name        Data
> > workstation    ns1         192.168.10.1/24
> > workstation    ns2         192.168.10.2/24
> > service group  DNS         dns-udp, dns-tcp
> > host group     ns_servers  ns1, ns2
> > network        outside     0.0.0.0/0
> >
> > Originally I had the following 2 rules defined to let dns traffic to
> > specific hosts:
> >
> > Source      Dest        Service  Action
> > ------      ----        -------  ------
> > ns_servers  outside     DNS      Allow
> > ------------------------------------------------
> > outside     ns_servers  DNS      Allow
> >
> > I tried to merge this into one rule as:
> >
> > Source      Dest        Service  Action
> > ------      ----        -------  ------
> > ns_servers  ns_servers  DNS      Allow
> > outside     outside
> >
> > This caused all dns traffic to be dropped (per the last rule).
> >
> > Derek J. Lambert, MCSE, A+
> > Network Administrator
> > Columbia ParCar Corp.
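The thread turns on how a first-match rule base evaluates Derek's objects, and on the difference between Luke's two-rule suggestion and the merged rule. The evaluator below is an added example, not code from the thread or from Check Point: it models ordered first-match evaluation with an implicit cleanup drop, using Derek's object names and Luke's rules. It takes 'outside' literally as 0.0.0.0/0 (the reading Luke applies, so it reproduces the acceptance Luke expects rather than the drop Derek observed, which Luke attributes to FW-1's handling of that object), it also evaluates the ns_servers-to-ns_servers rule Steve describes, and it shows that Luke's domain-udp-only inbound rule drops an inbound tcp/53 connection. The workstation objects are modelled as single hosts (/32), and the external address 198.51.100.5 is a constructed value.

```python
"""First-match model of the FW-1 rule bases discussed in the thread (added example)."""
import ipaddress

# Network objects, constructed to mirror Derek's table (fake addresses, as in
# the thread). A "workstation" object is one host, so ns1/ns2 are modelled as
# /32 even though the table shows a /24 beside them. Groups list member names.
OBJECTS = {
    "ns1": ["192.168.10.1/32"],
    "ns2": ["192.168.10.2/32"],
    "ns_servers": ["ns1", "ns2"],
    "outside": ["0.0.0.0/0"],      # Derek's object, taken literally
    "ANY": ["0.0.0.0/0"],          # the built-in Luke refers to
}

# Services as (protocol, port); "DNS" is the service group Derek defined.
SERVICES = {
    "domain-udp": [("udp", 53)],
    "domain-tcp": [("tcp", 53)],
    "DNS": ["domain-udp", "domain-tcp"],
}


def resolve_networks(names):
    """Expand object names (including nested groups) into ip_network objects."""
    nets = []
    for name in names:
        for entry in OBJECTS[name]:
            if entry in OBJECTS:                    # group member
                nets.extend(resolve_networks([entry]))
            else:
                nets.append(ipaddress.ip_network(entry))
    return nets


def resolve_services(names):
    """Expand service names (including groups) into (proto, port) tuples."""
    ports = []
    for name in names:
        for entry in SERVICES[name]:
            if isinstance(entry, str):              # group member
                ports.extend(resolve_services([entry]))
            else:
                ports.append(entry)
    return ports


def evaluate(rulebase, src_ip, dst_ip, proto, port):
    """Return (action, rule number) of the first rule the flow matches.
    Rules are (sources, destinations, services, action). A flow matching
    no rule hits the implicit cleanup rule and is dropped."""
    src = ipaddress.ip_address(src_ip)
    dst = ipaddress.ip_address(dst_ip)
    for number, (srcs, dsts, svcs, action) in enumerate(rulebase, start=1):
        if (any(src in net for net in resolve_networks(srcs))
                and any(dst in net for net in resolve_networks(dsts))
                and (proto, port) in resolve_services(svcs)):
            return action, number
    return "drop", len(rulebase) + 1


# Derek's original pair of rules.
DEREK_TWO_RULES = [
    (["ns_servers"], ["outside"], ["DNS"], "accept"),
    (["outside"], ["ns_servers"], ["DNS"], "accept"),
]
# Derek's merged rule, with 'outside' read literally as 0.0.0.0/0.
DEREK_MERGED = [
    (["ns_servers", "outside"], ["ns_servers", "outside"], ["DNS"], "accept"),
]
# The "A to A" rule Steve describes: only ns_servers on both sides.
A_TO_A = [(["ns_servers"], ["ns_servers"], ["DNS"], "accept")]
# Luke's suggested replacement: outbound DNS to anyone, inbound udp/53 only.
LUKE_RULES = [
    (["ns_servers"], ["ANY"], ["DNS"], "accept"),
    (["ANY"], ["ns_servers"], ["domain-udp"], "accept"),
]

EXTERNAL = "198.51.100.5"   # constructed Internet host (documentation range)

if __name__ == "__main__":
    flows = [("ns1 query out", "192.168.10.1", EXTERNAL, "udp", 53),
             ("query in", EXTERNAL, "192.168.10.1", "udp", 53),
             ("zone transfer in", EXTERNAL, "192.168.10.1", "tcp", 53)]
    for label, base in [("Derek two rules", DEREK_TWO_RULES),
                        ("Derek merged", DEREK_MERGED),
                        ("A to A", A_TO_A), ("Luke", LUKE_RULES)]:
        for name, s, d, p, port in flows:
            print(f"{label:16} {name:18} -> {evaluate(base, s, d, p, port)}")
```

Run as a script it prints the matched rule for each flow under each rule base. The model shows the ns_servers-to-ns_servers rule matching no flow that crosses the firewall, and Luke's second rule letting an inbound udp/53 query through while an inbound tcp/53 connection falls to the cleanup drop.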
================================================================================
To unsubscribe from this mailing list, please see the instructions at
http://www.checkpoint.com/services/mailing.html
================================================================================