
Re: [FW-1] Policy question - FW-1 1.4.2


  • To: [email protected]
  • Subject: Re: [FW-1] Policy question - FW-1 1.4.2
  • From: "Roelandts, Guy" <[email protected]>
  • Date: Fri, 15 Feb 2002 11:20:28 +0100
  • Reply-to: Mailing list for discussion of Firewall-1 <[email protected]>
  • Sender: Mailing list for discussion of Firewall-1 <[email protected]>
  • Thread-index: AcG2CCTheQXpc2jrT++IwzI5RswoRQAAfEOQ
  • Thread-topic: [FW-1] Policy question - FW-1 1.4.2

Gordon,

This should be very simple. In the source select your Internal Network group, then highlight it, right-click and select negate (or negate-cell if NG is in use).

Met vriendelijke groeten - Bien a vous - Kind regards
Guy ROELANDTS
EMEA GS Internet Expertise Centre - CCSA & CCSE
Compaq Software Engineer - Belgium
E-mail : [email protected]
Tel: +32(02)729.77.44 (options 3 - 3 - 1)
Fax: +32(02)729.77.65
==========================================================
This message may contain confidential and/or proprietary information,
and is intended only for the person/entity to whom it was originally
addressed. The content of this message may contain private views and
opinions which do not constitute a formal disclosure or commitment
unless specifically stated. Should you receive this message by mistake
please inform the sender immediately.
==========================================================


-----Original Message-----
From: Gordon Webber [mailto:[email protected]]
Sent: 15 February 2002 10:25
To: [email protected]
Subject: [FW-1] Policy question - FW-1 1.4.2


Hi All,
I am trying to add rules to my policy that will selectively allow port 80 access to my DMZ servers.
I can specifically code the source addresses for internal clients, but obviously not for the WWW users.
If I add a line like "any    DMZ   www   accept   fw-cluster", I immediately make all specific rules for www access redundant!

So I need some way of identifying the Internet users with a global network object?

I could do this if I knew how to code a "negative" rule (i.e. "if the source address is not from my internal network, then it must be the Internet"), but I can find no way of doing this in the Policy Editor.

Just for the record, this is easier with PIX since the rules are applied relative to the interface.
I know I can code access-lists in FW-1, but have never tried; is this a solution?

Any suggestions.... please! (while I still have some hair left)

Thanks in advance,
Gordon

=================================================
To set vacation, Out Of Office, or away messages,
send an email to [email protected]
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
[email protected]
=================================================
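The rule-ordering problem Gordon describes and the negated-source fix Guy suggests, modelled as a small first-match rulebase evaluator. This is an added example, not part of the thread or of FireWall-1 itself; the network objects, addresses and rule names are constructed stand-ins.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed network objects standing in for the FW-1 objects in the thread.
INTERNAL = [ip_network("10.0.0.0/8")]           # "Internal Network" group
INTRANET_CLIENTS = [ip_network("10.1.0.0/16")]  # internal clients allowed to DMZ www
DMZ = [ip_network("192.0.2.0/24")]              # DMZ web servers
HTTP = 80

@dataclass
class Rule:
    name: str
    src: object          # list of networks, or None for Any
    dst: object          # list of networks, or None for Any
    service: object      # TCP port, or None for Any
    action: str
    negate_src: bool = False  # the "negate cell" applied to the source column

def _member(addr, nets):
    """Any (None) matches everything; otherwise the address must fall in one net."""
    return nets is None or any(addr in n for n in nets)

def match(rule, src, dst, port):
    src_ok = _member(src, rule.src)
    if rule.negate_src:            # negated cell: rule applies to everything NOT in the group
        src_ok = not src_ok
    return src_ok and _member(dst, rule.dst) and rule.service in (None, port)

def evaluate(rulebase, src, dst, port):
    """First-match evaluation as FW-1 does it, with the implicit drop at the end."""
    for rule in rulebase:
        if match(rule, ip_address(src), ip_address(dst), port):
            return rule.name, rule.action
    return "implicit", "drop"

# Gordon's problem: a catch-all "any -> DMZ www accept" rule matches internal
# hosts too, so the specific client rule below it is never reached.
SHADOWED = [
    Rule("any-to-dmz-www", None, DMZ, HTTP, "accept"),
    Rule("clients-to-dmz-www", INTRANET_CLIENTS, DMZ, HTTP, "accept"),  # redundant
    Rule("internal-cleanup", INTERNAL, None, None, "drop"),
]

# Guy's fix: negate the Internal Network group in the source cell, so the
# catch-all only covers non-internal (Internet) sources.
NEGATED = [
    Rule("clients-to-dmz-www", INTRANET_CLIENTS, DMZ, HTTP, "accept"),
    Rule("internet-to-dmz-www", INTERNAL, DMZ, HTTP, "accept", negate_src=True),
    Rule("internal-cleanup", INTERNAL, None, None, "drop"),
]
```

Running `evaluate` on an internal host outside the client range shows the difference: the shadowed rulebase accepts it via the catch-all, the negated one drops it at the cleanup rule while Internet sources still reach port 80 on the DMZ.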
