
RE: [FW1] any




That is what I thought they were asking, but I think he is talking about the rule that accepts the ESP/AH transaction and the IKE packets outside of the actual tunnel.....

Jarrett

-----Original Message-----
From: Scott Friedman [mailto:[email protected]]
Sent: Wednesday, June 06, 2001 09:38
To: Goetz, Jarrett; [email protected]; [email protected]
Cc: [email protected]
Subject: RE: [FW1] any


remote_domain -> local_domain -> any -> encrypt    works fine.

Scott J. Friedman, MCSE CCSE
Security Engineer
Ideal Technology Solutions, Inc
Email : [email protected]
Phone :


>>> Chris F <[email protected]> 06/05/01 02:44PM >>>

Hi,

In my experience, FW1 will not handle encrypted
packets correctly unless you explicitly list the
service (e.g. PPTP).

I would recommend explicitly listing any and all
encryption rules *and* have them at the TOP of your
rulebase. I also had some FW1 confusion with some
"Any" rules when I had encryption rules listed after
it. This is the only exception that I know of to "put
your most used rules first".

HTH -- Chris


--- "Goetz, Jarrett" <[email protected]> wrote:
> I am not positive what you are asking, but if I am
> understanding you
> clearly, as long as your encryption rule is
> configured properly in terms of
> the action (i.e. client encrypt, encrypt, etc.) then
> yes, from what I
> understand those services would be "included" so to
> speak if you put ANY in
> the service column.
>
> Always keep in mind, ANY in your rulebase is not a
> good thing :), from a
> security perspective you're best off to strive to keep
> the amount of ANY's in
> your rulebase to a minimum.
>
> Jarrett
>
> -----Original Message-----
> From: Casey DeBerry [mailto:[email protected]]
> Sent: Friday, June 01, 2001 13:15
> To: firewall-1 mailing list
> Subject: [FW1] any
>
>
> Is ipsec encryption and all other modules (AH, ESP,
> IKE etc.) contained
> in "ANY" service?
>
> Thanks,
> Casey DeBerry
> [email protected]
>
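
The two recommendations in this thread (keep encryption rules at the top, keep "Any" in the service column to a minimum) can be checked mechanically. The following is an added example, not part of the original messages and not Check Point code; it assumes a simplified top-down, first-match rulebase with name-level matching only, and the `Rule` fields, action names and sample rules are constructed for illustration.

```python
from dataclasses import dataclass

ANY = "Any"

@dataclass(frozen=True)
class Rule:
    num: int
    src: str
    dst: str
    service: str
    action: str  # assumed action names: accept, drop, encrypt, client encrypt

def covers(broad, narrow):
    """Name-level match only: 'Any' covers everything, otherwise names must be equal."""
    return broad == ANY or broad == narrow

def is_encrypt(rule):
    return "encrypt" in rule.action

def audit(rulebase):
    """Return (rule number, finding) pairs for a top-down, first-match rulebase."""
    findings = []
    for i, rule in enumerate(rulebase):
        if rule.service == ANY and rule.action != "drop":
            findings.append((rule.num, "any-service"))
        if is_encrypt(rule):
            # An earlier non-encrypt rule matching the same traffic is hit first.
            for earlier in rulebase[:i]:
                if not is_encrypt(earlier) and all(
                    covers(getattr(earlier, col), getattr(rule, col))
                    for col in ("src", "dst", "service")
                ):
                    findings.append((rule.num, f"shadowed-by-{earlier.num}"))
                    break
    return findings

def encrypt_first(rulebase):
    # Stable sort: encryption rules move to the top, relative order is kept.
    return sorted(rulebase, key=lambda r: not is_encrypt(r))

# Constructed sample rulebase (object names borrowed from the thread, rules invented).
SAMPLE = [
    Rule(1, "local_domain", "Any", "Any", "accept"),
    Rule(2, "remote_domain", "local_domain", "Any", "encrypt"),
    Rule(3, "local_domain", "remote_domain", "http", "encrypt"),
    Rule(4, "Any", "Any", "Any", "drop"),
]

if __name__ == "__main__":
    print(audit(SAMPLE), audit(encrypt_first(SAMPLE)))
```

In the sample, rule 3 is reported as shadowed by the broad accept in rule 1; after `encrypt_first` only the "any-service" findings remain.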





 
   All contents © 2004 Network Presence, LLC. All rights reserved.