
Re: [FW-1] true or false



Not quite sure I read this the same way as you.

According to the article, this only applies when
User Auth is in use. Thus, if the rule base matches a
rule, that is NOT a User Auth-rule, processing will stop.

Consider the example from the article (see article for reference rule base):

*       Users in the DMZAdmins group who telnet or ftp from the
internal-nets to the ftp server in the dmz-net will have authenticated
access to all servers in the dmz-net. However, rule 3 appears before rule 5,
so they will not be required to authenticate themselves at the firewall nor
will their connection be folded into the appropriate security server.
Ordering the rules differently will not solve this problem, but it would
cause the connection to be folded into the security servers. If they were in
different order, the more permissive rule would still apply (the current
rule 3), so it wouldn't accomplish much.

Here, it will traverse the rule base, top-down. It hits rule three, which
permits the traffic. Now, there is no need to continue traversing the rule
base, because, as the text says: reordering the rules is _not_ going to
change the outcome. Thus, processing can stop at this point.
If you _do_ reorder the rules (switch #5 and #3), it will hit the User Auth
rule first. This time, it will continue traversing the rule base, looking
for a less restrictive rule further down.
Whether it now looks for the first possible match, or the best possible
match, I don't know.

Cheers,
Anders :)
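A small model of the matching behaviour described above, added here as an illustration and not code from the FAQ or from Check Point: a plain accept/drop match ends processing, while a User Auth match keeps scanning for a less restrictive accept rule further down (the thread leaves open whether the first or the "best" later match wins; this model assumes the first later accept rule applies). The rule base, network objects and group memberships are constructed to mirror the article's rule 3 / rule 5 example.

```python
# Constructed group memberships (not from the thread): the ftp server
# and a web server sit in dmz-net; the admin workstation is internal.
GROUPS = {
    "dmz-net": {"ftp-server", "web-server"},
    "internal-nets": {"admin-pc", "user-pc"},
}

def covers(obj, host):
    """True if a rule's network object matches a concrete host."""
    return obj == "Any" or obj == host or host in GROUPS.get(obj, ())

def matches(rule, src, dst, service):
    return (covers(rule["src"], src) and covers(rule["dst"], dst)
            and service in rule["svc"])

def evaluate(rules, src, dst, service):
    """Return (rule number, effective action) for one connection.

    First matching rule decides, except that a User Auth match continues
    the scan: a later plain 'accept' covering the same connection wins
    and the connection is never folded into the security server.
    """
    for i, rule in enumerate(rules):
        if not matches(rule, src, dst, service):
            continue
        if rule["action"] != "user auth":
            return rule["no"], rule["action"]
        for later in rules[i + 1:]:
            if later["action"] == "accept" and matches(later, src, dst, service):
                return later["no"], "accept"       # auth requirement bypassed
        return rule["no"], "user auth"
    return None, "drop"                            # implicit cleanup rule

# Constructed rule base modelled on the article's example: rule 3 is the
# unauthenticated accept, rule 5 the User Auth rule for the DMZ admins.
RULE3 = {"no": 3, "src": "internal-nets", "dst": "ftp-server",
         "svc": {"telnet", "ftp"}, "action": "accept"}
RULE5 = {"no": 5, "src": "internal-nets", "dst": "dmz-net",
         "svc": {"telnet", "ftp"}, "action": "user auth"}
ORIGINAL_ORDER = [RULE3, RULE5]
REORDERED = [RULE5, RULE3]

def telnet_to_ftp_server(rules):
    return evaluate(rules, "admin-pc", "ftp-server", "telnet")

def telnet_to_web_server(rules):
    return evaluate(rules, "admin-pc", "web-server", "telnet")

if __name__ == "__main__":
    print("rule 3 first:", telnet_to_ftp_server(ORIGINAL_ORDER))   # (3, 'accept')
    print("rule 5 first:", telnet_to_ftp_server(REORDERED))        # (3, 'accept')
    print("web server  :", telnet_to_web_server(REORDERED))        # (5, 'user auth')
```

The ftp-server case yields rule 3 in either order, which is the article's point: only a destination not covered by the permissive rule (the web server here) actually reaches the User Auth rule.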




-----Original Message-----
From: Holland, Stephen [mailto:[email protected]]
Sent: 20. november 2001 19:44
To: [email protected]
Subject: [FW-1] true or false



According to this article http://www.phoneboy.com/faq/0181.html each
connection attempt through CP is required to traverse the entire rule base.
In my training I thought I was told once a rule matches a connection attempt
the connection is accepted or dropped. Is this not the case with CP?
