Re: [FW1] Rule question
The issue is based upon the object definition of outside. The creation of any object as 0.0.0.0/0 is a mistake and a problem for the underlying code. 0.0.0.0/0 is traditionally treated by INSPECT as being a) the interface out of which a packet travels, or b) the interface through which a packet enters the firewall. There are some places where you simply cannot consolidate rules. This is one such case.

CryptoTech

Tim Parker wrote:
> Steve -- I have faced the same problem and am still confused..... if you have
> the same sources and destinations (meaning they are both on both sides of
> the rule, if you will) why wouldn't or shouldn't it work.... Is Check Point not
> intelligent enough for this? That would mean that anything you need or want
> to have traffic going in and out of would need two lines, which could make
> for an exceptionally long rules list.....
>
> tim
>
> -----Original Message-----
> From: Steve Dangerfield ([email protected])
> [mailto:[email protected]]
> Sent: Monday, February 26, 2001 10:11 AM
> To: [email protected]
> Cc: [email protected]
> Subject: Re: [FW1] Rule question
>
> Derek,
>
> It looks to me as though your DNS servers are sitting on your internal network.
> If they are, then no connection from the internal DNS servers will pass
> through the firewall to the internal DNS servers. Your rule states: an
> internal DNS server wishing to connect to an internal DNS server for DNS, Accept.
>
> It is good practice to simplify your rule base, for performance, but take
> care: you can't just eliminate common elements.
>
> Steve.
>
> ----- Original Message -----
> From: Derek J. Lambert <[email protected]>
> To: fw-1-mailinglist (E-mail) <[email protected]>
> Sent: Monday, February 26, 2001 12:56 PM
> Subject: [FW1] Rule question
>
> > I was trying to consolidate my rulebase this weekend and found that what I
> > thought should work didn't. I'm probably missing something really simple
> > here, but I can't find it. I pored through the manuals and couldn't find
> > any help (surprise, surprise), nor could I find anything on phoneboy. Any
> > help would be greatly appreciated!
> >
> > Here are the objects I have defined (fake IPs, of course):
> >
> >   Type           Name         Data
> >   workstation    ns1          192.168.10.1/24
> >   workstation    ns2          192.168.10.2/24
> >   service group  DNS          dns-udp, dns-tcp
> >   host group     ns_servers   ns1, ns2
> >   network        outside      0.0.0.0/0
> >
> > Originally I had the following 2 rules defined to let DNS traffic to
> > specific hosts:
> >
> >   Source       Dest         Service   Action
> >   ------       ----         -------   ------
> >   ns_servers   outside      DNS       Allow
> >   ------------------------------------------------
> >   outside      ns_servers   DNS       Allow
> >
> > I tried to merge this into one rule as:
> >
> >   Source       Dest         Service   Action
> >   ------       ----         -------   ------
> >   ns_servers   ns_servers   DNS       Allow
> >   outside      outside
> >
> > This caused all DNS traffic to be dropped (per the last rule).
> >
> > Derek J. Lambert, MCSE, A+
> > Network Administrator
> > Columbia ParCar Corp.
> >
> > ================================================================================
> > To unsubscribe from this mailing list, please see the instructions at
> > http://www.checkpoint.com/services/mailing.html
> > ================================================================================
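An added example, written for this page and not posted by any of the participants: a small Python model of first-match rule evaluation over the objects Derek listed. It makes Steve's point concrete. Putting {ns_servers, outside} in both the Source and Destination cells of one rule is a cross product of the two cells, so on paper the merged rule also covers the pairs (ns_servers, ns_servers) and (outside, outside) that the two original rules never did, and with outside defined as 0.0.0.0/0 it reads as "any to any, DNS, accept". Assumptions not in the thread: the workstation objects are treated as /32 hosts (the /24 shown is taken as a display artefact), a final any/any/any drop stands in for the cleanup rule Derek refers to as "the last rule", and the sample flows use constructed RFC 5737 documentation addresses. The model does not reproduce the drop Derek actually observed; CryptoTech attributes that to how INSPECT treats a 0.0.0.0/0 object, which this simplified matcher does not emulate.

```python
"""Toy first-match rulebase evaluator (added example, not Check Point code)."""
import ipaddress
from itertools import product

# Network objects as posted by Derek (fake IPs). Assumption: workstation
# objects are single hosts, so they are modelled as /32.
OBJECTS = {
    "ns1": [ipaddress.ip_network("192.168.10.1/32")],
    "ns2": [ipaddress.ip_network("192.168.10.2/32")],
    "outside": [ipaddress.ip_network("0.0.0.0/0")],
}
OBJECTS["ns_servers"] = OBJECTS["ns1"] + OBJECTS["ns2"]  # host group ns1, ns2

# Service group DNS = dns-udp, dns-tcp
DNS = {("udp", 53), ("tcp", 53)}


def in_object(ip, names):
    """True if ip falls inside any of the named objects (cells are ORed)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for name in names for net in OBJECTS[name])


# Rule = (sources, destinations, services or None for any, action).
# Assumption: the trailing any/any/any drop is the cleanup rule.
ORIGINAL = [
    (["ns_servers"], ["outside"], DNS, "accept"),
    (["outside"], ["ns_servers"], DNS, "accept"),
    (["outside"], ["outside"], None, "drop"),
]
MERGED = [
    (["ns_servers", "outside"], ["ns_servers", "outside"], DNS, "accept"),
    (["outside"], ["outside"], None, "drop"),
]


def evaluate(rulebase, src, dst, proto, port):
    """Return (rule number, action) of the first matching rule."""
    for number, (srcs, dsts, svcs, action) in enumerate(rulebase, 1):
        if (in_object(src, srcs) and in_object(dst, dsts)
                and (svcs is None or (proto, port) in svcs)):
            return number, action
    return None, "drop"


def expand_pairs(rule):
    """Source/destination object pairs a single rule really covers."""
    srcs, dsts, _, _ = rule
    return sorted(set(product(srcs, dsts)))


def extra_pairs():
    """Pairs the merged rule covers that neither original rule does."""
    original = set()
    for rule in ORIGINAL[:-1]:
        original.update(expand_pairs(rule))
    return sorted(set(expand_pairs(MERGED[0])) - original)


# Constructed sample flows (documentation addresses for the Internet side).
FLOWS = [
    ("192.168.10.1", "198.51.100.53", "udp", 53),  # ns1 -> Internet resolver
    ("198.51.100.53", "192.168.10.2", "udp", 53),  # Internet -> ns2
    ("192.168.10.1", "192.168.10.2", "tcp", 53),   # ns1 -> ns2 (zone transfer)
    ("203.0.113.7", "198.51.100.53", "udp", 53),   # outside -> outside
    ("203.0.113.7", "192.168.10.2", "tcp", 25),    # not DNS at all
]


def compare(flows=FLOWS):
    """Side-by-side verdicts of the original pair and the merged rule."""
    return [(f, evaluate(ORIGINAL, *f)[1], evaluate(MERGED, *f)[1]) for f in flows]


def divergent_flows(flows=FLOWS):
    """Flows where the merged rule decides differently from the original pair."""
    return [f for f, before, after in compare(flows) if before != after]


if __name__ == "__main__":
    print("merged rule adds pairs:", extra_pairs())
    for flow, before, after in compare():
        print(flow, "original:", before, "merged:", after)
    print("divergent:", divergent_flows())
```

The check worth running before any consolidation is `extra_pairs()`: if the set is non-empty, the merge is a policy change, not a tidy-up. Here the only flow whose verdict changes is the outside-to-outside one, because the merged rule has effectively become an any-to-any DNS accept. With a real outside network instead of 0.0.0.0/0, the (ns_servers, ns_servers) pair would be the one Steve describes, internal DNS to internal DNS, which the original pair of rules did not grant.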