
Re: [FW1] Rule question



The issue is based upon the object definition of outside.  The creation of any
object as 0.0.0.0/0 is a mistake and a problem for the underlying code.  0.0.0.0/0 is
traditionally treated by INSPECT as being either a) the interface out of which a packet
travels, or b) the interface through which a packet enters the firewall.

There are some places where you simply cannot consolidate rules.  This is one such
case.

CryptoTech

Tim Parker wrote:

> Steve -- I have faced the same problem and am still confused.....if you have
> the same sources and destinations (meaning they are both on both sides if
> you will of the rule) why wouldn't or shouldn't it work....Is Check Point not
> intelligent enough for this? That would mean that anything you need or want
> to have traffic going in and out of would need two lines which could make
> for an exceptionally long rules list.....
>
> tim
>
> -----Original Message-----
> From: Steve Dangerfield ([email protected])
> [mailto:[email protected]]
> Sent: Monday, February 26, 2001 10:11 AM
> To: [email protected]
> Cc: [email protected]
> Subject: Re: [FW1] Rule question
>
> Derek,
>
> It looks to me as though your DNS servers are sat on your internal network.
> If they are then no connection from the internal DNS servers will pass
> through the firewall to the Internal DNS servers. Your rule states, An
> internal DNS wishing to connect to an Internal DNS server for DNS, Accept.
>
> It is good practice to simplify your rule base, for performance, but take
> care, you can't just eliminate common elements.
>
> Steve.
>
> ----- Original Message -----
> From: Derek J. Lambert <[email protected]>
> To: fw-1-mailinglist (E-mail) <[email protected]>
> Sent: Monday, February 26, 2001 12:56 PM
> Subject: [FW1] Rule question
>
> >
> > I was trying to consolidate my rulebase this weekend and found that what I
> > thought should work didn't. I'm probably missing something really simple
> > here, but I can't find it. I pored through the manuals and couldn't find
> > any help (surprise surprise), nor could I find anything on phoneboy. Any
> > help would be greatly appreciated!
> >
> > Here are the objects I have defined (fake IPs, of course):
> >
> > Type           Name        Data
> > workstation    ns1         192.168.10.1/24
> > workstation    ns2         192.168.10.2/24
> > service group  DNS         dns-udp, dns-tcp
> > host group     ns_servers  ns1, ns2
> > network        outside     0.0.0.0/0
> >
> > Originally I had the following 2 rules defined to let DNS traffic to
> > specific hosts:
> >
> > Source      Dest        Service  Action
> > ------      ----        -------  ------
> > ns_servers  outside     DNS      Allow
> > outside     ns_servers  DNS      Allow
> >
> > I tried to merge this into one rule as:
> >
> > Source      Dest        Service  Action
> > ------      ----        -------  ------
> > ns_servers  ns_servers  DNS      Allow
> > outside     outside
> >
> > This caused all dns traffic to be dropped (per the last rule).
> >
> > Derek J. Lambert, MCSE, A+
> > Network Administrator
> > Columbia ParCar Corp.
> >
> > ================================================================================
> >      To unsubscribe from this mailing list, please see the instructions at
> >                http://www.checkpoint.com/services/mailing.html
> > ================================================================================

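As an added example (not code from this thread, from Check Point, or from any of the posters), the following Python script models a generic first-match rulebase over the objects Derek listed and evaluates both his original two rules and the merged rule against a few constructed flows. It assumes each workstation object matches a single address, treats outside as a plain 0.0.0.0/0 address match, and uses an implicit cleanup drop as the last rule; it does not model how INSPECT treats a 0.0.0.0/0 object, so it will not reproduce the "all DNS dropped" result Derek saw. What it does show is that the merged rule is the cross product of its source and destination columns, and the outside -> outside cell of that product is effectively any -> any for DNS, which the two original rules never granted.

```python
import ipaddress

# Objects from Derek's post (his fake addresses). Workstations are modelled as
# single hosts; "outside" is the 0.0.0.0/0 network object the thread discusses.
OBJECTS = {
    "ns1": ipaddress.ip_network("192.168.10.1/32"),
    "ns2": ipaddress.ip_network("192.168.10.2/32"),
    "outside": ipaddress.ip_network("0.0.0.0/0"),
}
GROUPS = {"ns_servers": ["ns1", "ns2"]}
SERVICES = {"DNS": {("udp", 53), ("tcp", 53)}}  # dns-udp, dns-tcp


def expand(name):
    """Resolve an object or group name to the list of networks it covers."""
    if name in GROUPS:
        return [net for member in GROUPS[name] for net in expand(member)]
    return [OBJECTS[name]]


def column_matches(names, address):
    """True if the address falls inside any object listed in a rule column."""
    ip = ipaddress.ip_address(address)
    return any(ip in net for name in names for net in expand(name))


def evaluate(rulebase, flow):
    """First-match evaluation; anything unmatched hits the implicit cleanup drop."""
    src, dst, proto, port = flow
    for rule in rulebase:
        if (column_matches(rule["src"], src)
                and column_matches(rule["dst"], dst)
                and (proto, port) in SERVICES[rule["svc"]]):
            return rule["action"]
    return "drop"


# The two original rules.
TWO_RULES = [
    {"src": ["ns_servers"], "dst": ["outside"], "svc": "DNS", "action": "accept"},
    {"src": ["outside"], "dst": ["ns_servers"], "svc": "DNS", "action": "accept"},
]

# The merged rule: each column lists both objects, so it matches the cross
# product of sources and destinations, including outside -> outside.
MERGED = [
    {"src": ["ns_servers", "outside"], "dst": ["ns_servers", "outside"],
     "svc": "DNS", "action": "accept"},
]

# Constructed sample flows: (source, destination, protocol, destination port).
SAMPLE_FLOWS = [
    ("192.168.10.1", "198.51.100.5", "udp", 53),  # ns1 querying an external server
    ("198.51.100.5", "192.168.10.2", "tcp", 53),  # external client querying ns2
    ("10.0.0.7", "198.51.100.5", "udp", 53),      # other internal host to external DNS
    ("192.168.10.1", "198.51.100.5", "tcp", 80),  # not DNS at all
]


def divergent_flows(flows):
    """Flows on which the two-rule base and the merged rule disagree."""
    return [f for f in flows if evaluate(TWO_RULES, f) != evaluate(MERGED, f)]


if __name__ == "__main__":
    for flow in SAMPLE_FLOWS:
        print(flow, "two rules:", evaluate(TWO_RULES, flow),
              "merged:", evaluate(MERGED, flow))
    print("divergent:", divergent_flows(SAMPLE_FLOWS))
```

Running the script reports one divergent flow: the third sample, an internal host that is not a name server talking to an external DNS server, is dropped by the two-rule base but accepted by the merged rule. That is the generic reason "you can't just eliminate common elements" when consolidating rules: a multi-object source and destination is a product, not a pair. The opposite effect Derek observed (everything dropped) is the product-specific 0.0.0.0/0 behaviour CryptoTech describes, and either way a consolidated rule should be verified against representative flows before it replaces the rules it was meant to merge.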
Attachment: smime.p7s
Description: S/MIME Cryptographic Signature


