
Re: [FW-1] any fw any drop as first rule - are we locked out?


  • To: [email protected]
  • Subject: Re: [FW-1] any fw any drop as first rule - are we locked out?
  • From: Bob Webber/Markham/Contr/AT&T/IJV <[email protected]>
  • Date: Tue, 9 Apr 2002 09:36:07 -0400
  • Importance: Normal
  • Reply-to: Mailing list for discussion of Firewall-1 <[email protected]>
  • Sender: Mailing list for discussion of Firewall-1 <[email protected]>
  • Sensitivity:

Hi:

Good question!

My guess is that when Checkpoint wrote up their documentation, they forgot
about distributed management scenarios. IIRC, Checkpoint's documentation
seems to assume that the firewall will be managed only from the system
console. I would suggest that you should put in a rule specifically permitting
your EMC / P1 to manage the firewall (plus telnet or ssh to the firewall
from other trusted hosts) and drop all other traffic to the firewall.

Checkpoint's suggestions are just that - suggestions. Your requirements may
be different from their ideal best practices, and there is nothing wrong
with that. Checkpoint even provides functionality that contradicts their
own advice - FW-1 has the ability to do mail store and relay, but this
flat out contradicts the maxim that the first rule of the policy should
drop all traffic that is sent directly to the firewall.

Regards.

Bob Webber
AT&T Global Network Services
Tel:Fax:Notes: Bob Webber/Markham/IBM@IBMCA
Internet: [email protected]

"Logic merely enables one to be wrong with authority" - Doctor Who


BH <[email protected]>@beethoven.us.checkpoint.com> on 04/08/2002
11:49:50 PM

Please respond to Mailing list for discussion of Firewall-1
       <[email protected]>

Sent by:    Mailing list for discussion of Firewall-1
       <[email protected]>


To:    [email protected]
cc:
Subject:    [FW-1] any fw any drop as first rule - are we locked out?



if the first rule in a rulebase is any fw any drop, how does one
re-establish connections from mgmt station to fw module to download new
policies?
Thanks in advance
b

=================================================
To set vacation, Out Of Office, or away messages,
send an email to [email protected]
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
[email protected]
=================================================
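
The rule ordering suggested in the reply above, as an added example that is not part of the original thread and is not Check Point code: a generic first-match rulebase model comparing "any fw any drop" as rule 1 with the same rule placed after explicit management rules. The addresses and service names are constructed, and the model assumes plain top-down first-match evaluation, ignoring any implicit rules a product may apply before the rulebase.

```python
from ipaddress import ip_address, ip_network

ANY = None  # wildcard for a source, destination or service field

# All addresses and service names below are constructed for illustration.
FW = ip_network("192.0.2.1/32")          # the firewall module itself
MGMT = ip_network("198.51.100.10/32")    # management station (EMC / P1)
TRUSTED = ip_network("198.51.100.0/28")  # other trusted admin hosts

def matches(field, value):
    """A rule field matches if it is a wildcard or contains the value."""
    if field is ANY:
        return True
    if isinstance(field, str):           # service names compare by equality
        return field == value
    return ip_address(value) in field    # address fields are networks

def decide(rulebase, src, dst, svc):
    """First-match evaluation: return (rule number, action) of the first hit."""
    for number, (r_src, r_dst, r_svc, action) in enumerate(rulebase, start=1):
        if matches(r_src, src) and matches(r_dst, dst) and matches(r_svc, svc):
            return number, action
    return None, "drop"                  # nothing matched: implicit drop

STEALTH = (ANY, FW, ANY, "drop")         # "any fw any drop"

# Stealth rule first: it shadows every later rule aimed at the firewall.
stealth_first = [STEALTH, (MGMT, FW, "policy-install", "accept")]

# Ordering suggested in the reply: permit management, then drop the rest.
mgmt_first = [
    (MGMT, FW, "policy-install", "accept"),
    (TRUSTED, FW, "ssh", "accept"),
    STEALTH,
]

def audit(rulebase):
    """Report which rule decides each flow the administrator cares about."""
    flows = {
        "mgmt policy install": ("198.51.100.10", "192.0.2.1", "policy-install"),
        "trusted ssh": ("198.51.100.5", "192.0.2.1", "ssh"),
        "outside http": ("203.0.113.7", "192.0.2.1", "http"),
    }
    return {name: decide(rulebase, *flow) for name, flow in flows.items()}

if __name__ == "__main__":
    for label, rb in (("stealth first", stealth_first), ("mgmt first", mgmt_first)):
        print(label, audit(rb))
```

Running the same audit against a candidate rulebase before installing it shows whether the management flow is decided by the intended accept rule or shadowed by the drop rule.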




 
----------------------------------

   All contents © 2004 Network Presence, LLC. All rights reserved.