Re: [FW-1] true or false
Not quite sure I read this the same way as you. According to the article, this only applies when User Auth is in use. Thus, if the rule base matches a rule that is NOT a User Auth rule, processing will stop.

Consider the example from the article (see article for reference rule base):

* Users in the DMZAdmins group who telnet or ftp from the internal-nets to the ftp server in the dmz-net will have authenticated access to all servers in the dmz-net. However, rule 3 appears before rule 5, so they will not be required to authenticate themselves at the firewall nor will their connection be folded into the appropriate security server. Ordering the rules differently will not solve this problem, but it would cause the connection to be folded into the security servers. If they were in different order, the more permissive rule would still apply (the current rule 3), so it wouldn't accomplish much.

Here, it will traverse the rule base, top-down. It hits rule three, which permits the traffic. Now, there is no need to continue traversing the rule base, because, as the text says, reordering the rules is _not_ going to change the outcome. Thus, processing can stop at this point.

If you _do_ reorder the rules (switch #5 and #3), it will hit the User Auth rule first. This time, it will continue traversing the rule base, looking for a less restrictive rule further down. Whether it now looks for the first possible match, or the best possible match, I don't know.

Cheers,
Anders :)

-----Original Message-----
From: Holland, Stephen [mailto:[email protected]]
Sent: 20 November 2001 19:44
To: [email protected]
Subject: [FW-1] true or false

According to this article http://www.phoneboy.com/faq/0181.html each connection attempt through CP is required to traverse the entire rule base. In my training I thought I was told once a rule matches a connection attempt the connection is accepted or dropped. Is this not the case with CP?
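The following is an added example and not part of the thread, the phoneboy FAQ, or any Check Point code. It is a small Python model of the matching behaviour the two messages describe: top-down evaluation that stops at the first matching rule, except that a matching User Auth rule is only applied if no plainly permissive accept rule further down also matches the connection. The rule base, object names (internal-nets, dmz-net, fw-gateway) and service names are constructed for the example; only rules 3 and 5 are modelled on the article's scenario. Real FireWall-1 objects are nested networks and hosts, and real User Auth rules carry user groups, which this model omits. The point of the example is the check a practitioner wants: a linter that flags a User Auth rule that is fully covered by an accept rule anywhere in the rule base, since, as the reply notes, reordering does not change the outcome.

```python
"""Model of the User Auth matching behaviour described in the FW-1 thread.

Added example: the rule base below is constructed, not taken from the
article; only the overlap between rule 3 (plain accept) and rule 5
(User Auth) mirrors the scenario under discussion.
"""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

ANY = "*"  # wildcard, like the "Any" object in the Policy Editor


@dataclass(frozen=True)
class Rule:
    number: int
    src: FrozenSet[str]
    dst: FrozenSet[str]
    service: FrozenSet[str]
    action: str  # "accept", "drop" or "user_auth"


def fs(*items: str) -> FrozenSet[str]:
    return frozenset(items)


def _field_matches(field: FrozenSet[str], value: str) -> bool:
    return ANY in field or value in field


def matches(rule: Rule, src: str, dst: str, service: str) -> bool:
    return (_field_matches(rule.src, src)
            and _field_matches(rule.dst, dst)
            and _field_matches(rule.service, service))


def evaluate(rulebase: List[Rule], src: str, dst: str,
             service: str) -> Tuple[str, Optional[int]]:
    """Top-down evaluation as described in the thread (a model, not FW-1 code).

    A matching accept/drop rule ends processing immediately.  A matching
    User Auth rule does not: the remaining rules are scanned, and a later
    plain accept rule that also matches wins, so the user is never asked
    to authenticate.  Returns (action, rule number); (drop, None) is the
    implicit cleanup rule.
    """
    for i, rule in enumerate(rulebase):
        if not matches(rule, src, dst, service):
            continue
        if rule.action != "user_auth":
            return rule.action, rule.number
        for later in rulebase[i + 1:]:
            if later.action == "accept" and matches(later, src, dst, service):
                return "accept", later.number
        return "user_auth", rule.number
    return "drop", None


def _covers(broad: FrozenSet[str], narrow: FrozenSet[str]) -> bool:
    return ANY in broad or (ANY not in narrow and narrow <= broad)


def shadowed_auth_rules(rulebase: List[Rule]) -> List[Tuple[int, int]]:
    """Return (auth rule, accept rule) pairs where the accept rule covers
    every connection the User Auth rule could match, regardless of order."""
    findings = []
    for auth in rulebase:
        if auth.action != "user_auth":
            continue
        for other in rulebase:
            if (other.action == "accept"
                    and _covers(other.src, auth.src)
                    and _covers(other.dst, auth.dst)
                    and _covers(other.service, auth.service)):
                findings.append((auth.number, other.number))
    return findings


def swap_rules(rulebase: List[Rule], a: int, b: int) -> List[Rule]:
    """Return a copy with rules numbered a and b exchanged in position."""
    out = list(rulebase)
    ia = next(i for i, r in enumerate(out) if r.number == a)
    ib = next(i for i, r in enumerate(out) if r.number == b)
    out[ia], out[ib] = out[ib], out[ia]
    return out


# Constructed rule base loosely modelled on the article's scenario.
RULEBASE = [
    Rule(1, fs(ANY), fs("fw-gateway"), fs(ANY), "drop"),
    Rule(2, fs("internal-nets"), fs("dmz-net"), fs("http"), "accept"),
    Rule(3, fs("internal-nets"), fs("dmz-net"), fs("telnet", "ftp"), "accept"),
    Rule(4, fs("dmz-net"), fs("internal-nets"), fs(ANY), "drop"),
    Rule(5, fs("internal-nets"), fs("dmz-net"), fs("telnet", "ftp"), "user_auth"),
]

# Remedy the thread implies: remove the overlap rather than reorder.
FIXED = [r for r in RULEBASE if r.number != 3]

if __name__ == "__main__":
    conn = ("internal-nets", "dmz-net", "ftp")
    print("as written:", evaluate(RULEBASE, *conn))
    print("3 and 5 swapped:", evaluate(swap_rules(RULEBASE, 3, 5), *conn))
    print("shadowed User Auth rules:", shadowed_auth_rules(RULEBASE))
    print("overlap removed:", evaluate(FIXED, *conn))
```

Running the block shows both orderings resolving the ftp connection to rule 3, while the linter reports rule 5 as shadowed by rule 3; only removing or narrowing the overlapping accept rule makes the connection land on the User Auth rule.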
=============================================== To unsubscribe from this mailing list, please see the instructions at http://www.checkpoint.com/services/mailing.html ===============================================