RE: [FW1] any
This is true, but not when you want to pass encrypted traffic as a
SERVICE, such as:

MyPC -- ExternalServer -- PPTP Accept
ExternalServer -- MyPC -- PPTP Accept

Or:

InternalNortel -- VendorNortel -- IPSec -- Accept
VendorNortel -- InternalNortel -- IPSec -- Accept

I have such a Nortel VPN setup, for example. This is what I thought was
being asked -- hence, the question about the Service. Perhaps I jumped
on it too quickly :)

Thanks -- Chris

--- Scott Friedman <[email protected]> wrote:
> remote_domain -> local_domain -> any -> encrypt
> works fine.
>
> Scott J. Friedman, MCSE CCSE
> Security Engineer
> Ideal Technology Solutions, Inc
> Email : [email protected]
> Phone :
>
> >>> Chris F <[email protected]> 06/05/01 02:44PM >>>
>
> Hi,
>
> In my experience, FW1 will not handle encrypted
> packets correctly unless you explicitly list the
> service (e.g. PPTP).
>
> I would recommend explicitly listing any and all
> encryption rules *and* have them at the TOP of your
> rulebase. I also had some FW1 confusion with some
> "Any" rules when I had encryption rules listed after
> it. This is the only exception that I know of to
> "put your most used rules first".
>
> HTH -- Chris
>
> --- "Goetz, Jarrett" <[email protected]> wrote:
> > I am not positive what you are asking, but if I am
> > understanding you clearly, as long as your encryption rule is
> > configured properly in terms of the action (i.e. client encrypt,
> > encrypt, etc.) then yes, from what I understand those services
> > would be "included" so to speak if you put ANY in the service
> > column.
> >
> > Always keep in mind, ANY in your rulebase is not a
> > good thing :), from a security perspective you're best off to
> > strive to keep the amount of ANY's in your rulebase to a minimum.
> >
> > Jarrett
> >
> > -----Original Message-----
> > From: Casey DeBerry [mailto:[email protected]]
> > Sent: Friday, June 01, 2001 13:15
> > To: firewall-1 mailing list
> > Subject: [FW1] any
> >
> > Is ipsec encryption and all other modules (AH, ESP,
> > IKE etc.) contained in "ANY" service?
> >
> > Thanks,
> > Casey DeBerry
> > [email protected]

================================================================================
To unsubscribe from this mailing list, please see the instructions at
http://www.checkpoint.com/services/mailing.html
================================================================================