Re: [FW-1] Adding bad IP to firewall
Our IDS can do this. I don't see anything inherently wrong with the idea, but there is a lot of potential for things to go wrong. E.g. suppose your application is misconfigured (or hijacked) and starts telling the firewall to block everything, including control connections! Then you have a problem until the block times out. A subtle misconfiguration can be hard to track down. As long as you are confident about your application and configuration, go ahead and implement it after a LOT of testing...

-----Original Message-----
From: Wesley C. Maness [mailto:[email protected]]
Sent: Monday, November 05, 2001 1:58 PM
To: [email protected]
Subject: [FW-1] Adding bad IP to firewall

Guys,

Can you tell me if there is anything wrong in having an application that can configure itself to an FW and tell it to block an IP?

Thanks!
Wesley

Mailing list for discussion of Firewall-1 <[email protected]> wrote:

> Thanks for the reply but I have to change the architecture because I have done what you said and I cannot use the GUI client to get the logs from a management server on the heartbeat network either. I've checked the rule base very, very carefully - it's not the rules stopping it from working. I hear you on the backup issue. I'm quite good at doing the backups before I change stuff! The real problem is that the heart beat network is a registered address. Crazy people did the original install. I'm left to pick up the pieces.
>
> Thanks again,
> Mike H
>
> -----Original Message-----
> From: Patrick Lotti [mailto:[email protected]]
> Sent: Monday, November 05, 2001 11:05 AM
> To: [email protected]
> Subject: Re: [FW-1] Changing firewall object IP address
>
> I think you just need a rule to allow a gui client from the "lan" to access your management server in the "heartbeat" network. Maybe some NAT & routing is required as well, it depends. I'm pretty sure you don't have to change your firewall object at all. Get working backups and training before doing any change, just in case.
===============================================
To unsubscribe from this mailing list, please see the instructions at http://www.checkpoint.com/services/mailing.html
===============================================
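An added example, not part of the original messages: a pre-check that an auto-blocking application could run before asking the firewall to block an address, covering the failure mode raised in the first reply (a misconfigured or hijacked sender blocking control connections, with blocks that clear only on timeout). The `BlockGuard` name, the protected networks and the limits are assumptions; the call that actually programs the firewall is out of scope.

```python
import ipaddress
import time

# Assumed (constructed) values: networks carrying management/control traffic.
PROTECTED_NETS = [ipaddress.ip_network(n) for n in ("192.0.2.0/28", "10.0.0.0/24")]
MAX_TIMEOUT_S = 3600          # every block must expire on its own
MAX_BLOCKS_PER_WINDOW = 20    # more than this per window looks like a runaway sender
WINDOW_S = 60


class BlockGuard:
    """Hypothetical gate between the requesting application and the firewall."""

    def __init__(self, protected=PROTECTED_NETS, clock=time.monotonic):
        self.protected = list(protected)
        self.clock = clock
        self.recent = []   # timestamps of accepted requests
        self.active = {}   # ip -> expiry time

    def request_block(self, ip_text, timeout_s):
        """Return (accepted, reason) for a single-address block request."""
        try:
            # ip_address() rejects networks such as 0.0.0.0/0 ("block everything").
            ip = ipaddress.ip_address(ip_text)
        except ValueError:
            return False, "not a single valid IP address"
        if any(ip.version == net.version and ip in net for net in self.protected):
            return False, "address is in a protected control network"
        if not isinstance(timeout_s, (int, float)) or not 0 < timeout_s <= MAX_TIMEOUT_S:
            return False, "timeout missing or too long"
        now = self.clock()
        self.recent = [t for t in self.recent if now - t < WINDOW_S]
        if len(self.recent) >= MAX_BLOCKS_PER_WINDOW:
            return False, "rate limit hit; possible runaway or hijacked sender"
        self.recent.append(now)
        self.active[ip] = now + timeout_s
        return True, "block accepted"

    def expired(self):
        """Remove and return addresses whose block has timed out."""
        now = self.clock()
        done = [ip for ip, exp in self.active.items() if exp <= now]
        for ip in done:
            del self.active[ip]
        return done
```

Rejected requests are worth logging and alerting on, since a burst of them is the earliest sign of the subtle misconfiguration the reply warns about.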