
Re: [FW-1] a little OT: Router/Firewall Issues



Sounds like you're on the right track.

I would:
- Create users.
- Create groups.
- Add users to the correct group, in this case one group for email, another for internet access.

Rules for the email group:
Email group       any (or server)    smtp/POP3     Allow    Accounting (or just permit)
Any (or server)   Email group        smtp/POP3     Allow    Accounting (or just permit)

Rule for internet access:
Internet group    any                http/https    Allow    Accounting (or just permit)

The last rule in the rulebase is assumed to be:
any               any                any           Deny     Log

Assuming you don't have rules that counteract these, I think they ought to work.

Hope that helps,

Joe

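As an added illustration of the reply above (not FireWall-1 code or output, and not something the poster wrote), here is a toy first-match rulebase evaluator: one group for mail, one for web, the "any any any deny log" cleanup rule last, plus the router-to-router tcp/179 rule that comes up further down the thread. The group names, host names, service table and track values are constructed for the example; the evaluator does not model connection state or how the firewall authenticates a user. It also includes a simple shadowing check for the "rules that counteract these" case: a rule that can never fire because an earlier, broader rule catches its traffic first.

```python
"""Toy first-match rulebase evaluator (added example, not FW-1 code).
Group names, hosts, services and track values below are constructed."""

from dataclasses import dataclass
from typing import Optional

# Constructed sample objects: user groups and a service table (proto, port).
GROUPS = {
    "email-group": {"alice", "carol"},
    "internet-group": {"bob", "carol"},
}
SERVICES = {
    "smtp": ("tcp", 25),
    "pop3": ("tcp", 110),
    "http": ("tcp", 80),
    "https": ("tcp", 443),
    "bgp": ("tcp", 179),
}


@dataclass(frozen=True)
class Rule:
    name: str
    src: str              # group name, host name, or "any"
    dst: str              # group name, host name, or "any"
    services: frozenset   # service names from SERVICES, or {"any"}
    action: str           # "accept" or "drop"
    track: str            # "log", "account" or "none"


@dataclass(frozen=True)
class Packet:
    src_host: str
    dst_host: str
    proto: str
    port: int
    user: Optional[str] = None   # authenticated user, None if not authenticated


def _endpoint_matches(spec: str, host: str, user: Optional[str]) -> bool:
    """'any' matches everything; a group matches only an authenticated member;
    anything else is a host name compared literally."""
    if spec == "any":
        return True
    if spec in GROUPS:
        return user is not None and user in GROUPS[spec]
    return spec == host


def _service_matches(services: frozenset, proto: str, port: int) -> bool:
    if "any" in services:
        return True
    return any(SERVICES[name] == (proto, port) for name in services)


def evaluate(rulebase: list, pkt: Packet) -> tuple:
    """First matching rule wins; returns (rule name, action, track).
    If nothing matches, behave like an implicit drop without logging, which
    is why an explicit 'any any any drop log' cleanup rule belongs last."""
    for rule in rulebase:
        if (_endpoint_matches(rule.src, pkt.src_host, pkt.user)
                and _endpoint_matches(rule.dst, pkt.dst_host, pkt.user)
                and _service_matches(rule.services, pkt.proto, pkt.port)):
            return rule.name, rule.action, rule.track
    return "implicit-drop", "drop", "none"


def _covers(spec_a: str, spec_b: str) -> bool:
    """True if endpoint spec a matches at least everything spec b matches."""
    return spec_a == "any" or spec_a == spec_b


def shadowed_rules(rulebase: list) -> list:
    """(shadowed rule, earlier rule) pairs: rules that can never fire because
    an earlier rule already matches a superset of their traffic."""
    found = []
    for j, later in enumerate(rulebase):
        for earlier in rulebase[:j]:
            if (_covers(earlier.src, later.src)
                    and _covers(earlier.dst, later.dst)
                    and ("any" in earlier.services
                         or later.services <= earlier.services)):
                found.append((later.name, earlier.name))
                break
    return found


# The rules from the reply, with the tcp/179 router rule and the cleanup rule.
RULEBASE = [
    Rule("mail-out", "email-group", "any", frozenset({"smtp", "pop3"}), "accept", "account"),
    Rule("mail-in", "any", "email-group", frozenset({"smtp", "pop3"}), "accept", "account"),
    Rule("web", "internet-group", "any", frozenset({"http", "https"}), "accept", "account"),
    Rule("bgp-peers", "rtr1", "rtr2", frozenset({"bgp"}), "accept", "log"),
    Rule("cleanup", "any", "any", frozenset({"any"}), "drop", "log"),
]

if __name__ == "__main__":
    for pkt in (Packet("pc-alice", "mailsrv", "tcp", 25, user="alice"),
                Packet("pc-alice", "web", "tcp", 80, user="alice"),
                Packet("pc-bob", "web", "tcp", 443),
                Packet("rtr1", "rtr2", "tcp", 179)):
        print(pkt.src_host, "->", pkt.dst_host, pkt.port, evaluate(RULEBASE, pkt))
    print("shadowed:", shadowed_rules(RULEBASE))
```

Two things worth noticing when running it. A packet from bob's machine with no authenticated user falls through to the cleanup rule even though bob is in the internet group: a group rule only matches a session the firewall has already tied to an authenticated user, which is the part of the original question (the password prompt) that this toy deliberately leaves out. And the tcp/179 rule is written one way, rtr1 to rtr2; a stateful firewall accepts the reply packets of that session, but this evaluator has no state, so the reverse direction hits the cleanup rule. Prepending a permissive "any any any accept" rule makes shadowed_rules() report every other rule as unreachable, which is the "rules that counteract these" case.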
>>> saman kumara dissanayake <[email protected]> 11/27/01 12:06PM >>>
I am using FW-1 on NT. It is working fine, but I want to configure it as
follows:

a set of people only for email access
a set of people only for internet access

I tried like this:

I create users
I create groups
If I put rules and services, it is not working.

Clients are using TCP/IP. How do I pop up a password prompt if they try to access the
internet?

Please try to advise me.

saman


----- Original Message -----
From: "Joe Pampel" <[email protected]>
To: <[email protected]>
Sent: Tuesday, November 27, 2001 11:42 AM
Subject: Re: [FW-1] a little OT: Router/Firewall Issues


> In the case of BGP, you'd just have a rule leaving 179/tcp open from
> router to router through the FW. (also a good idea to lock down BGP with an
> ACL in the router, see Rob Thomas's secure BGP config page) The FW would not
> have to support the protocol.. just let it through. The routes on the FW can
> (and should be IMHO) be static.
>
> HTH
>
> Joe
>
> >>> "Reed Mohn, Anders" <[email protected]> 11/27/01 04:02AM >>>
> Well, as I said in my post, I'm not too familiar with the routing
> protocols, so I'm not sure about these things:
>
> 1. Can the firewall in question support these routing protocols?
>    (That depends on the OS, I guess)
> 2. If not, can the internal router see that the link is down,
>    even if its "next hop" is up?
>    I mean, if you have
>      |rtr1| ---- |FW| --- |rtr2| --- |Internet|
>    will rtr1 be able to see that the link from rtr2 to
>    the Internet is down?
>
> Cheers,
> Anders :)
>
>
> -----Original Message-----
> From: Dan Hitchcock [mailto:[email protected]]
> Sent: 26. november 2001 17:56
> To: [email protected]
> Subject: Re: [FW-1] Router/Firewall Issues
>
>
>
> Aren't we just talking about running a routing protocol here, as Anders
> suggested?  Yes, you'll need to configure static routing (or use an internal
> routing protocol) to ensure that all devices on each subnet (including the
> firewalls) know how to get to the other subnet.  In order to automate the
> failover, you'll need to use a routing protocol like EIGRP, BGP, or OSPF on
> your external router to detect the "down" connection and instruct your
> internal routers, A-1 or B-1, to use the T1 as default rather than the local
> firewall.  Your internal clients will therefore need to use the internal
> routers as their default gateway (A-1 at siteA, B-1 at siteB).  You may have
> best success passing BGP through your firewall.
>
> HTH - please post with further questions.
>
> Dan Hitchcock
> CCNP, CCSE, MCSE
> Security Analyst
> Breakwater Security Associates, Inc.
> "Safe Harbor for E-Business"
> dhitchcock (at) breakwatersecurity (dot) com
> http://www.breakwatersecurity.com
> work
>
> The information contained in this email message may be privileged,
> confidential and protected from disclosure.  If you are not the intended
> recipient, any dissemination, distribution or copying is strictly
> prohibited.  If you think you have received this email message in error,
> please email the sender at [email protected]
>
> ===============================================
> To unsubscribe from this mailing list,
> please see the instructions at
> http://www.checkpoint.com/services/mailing.html
> ===============================================
>
   All contents © 2004 Network Presence, LLC. All rights reserved.