[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] Re: [FW-1] Any is not service any?
X11 is blocked although the rulebase allows it X11 is blocked by default when it is matched with rule that has "any" as the service. Use a rule above the "any" service rule explicitly using the X-11 service or revert to the previous behavior by setting the "reject_x11_in_any" global property to false using dbedit. This property was added for compatibility reasons, it is not recommended to change its default value. There used to be a list of ports that weren't allowed by "any" but I can't find it. Things like h.323 and x.11 fall into the category, check the lib directory on the manager that might give you some clues. Jp -----Original Message----- Subject: Re: [FW-1] Any is not service any? so, it should really read some some allow? :) >>> [email protected] 02/07/03 01:13PM >>> In accordance to Check Point engineers, ANY ANY ALLOW rule doesn't mean ANY protocol. There are just some certain protocols that are allowed but you have to specify many protocols manually in order to use them for your connections. So, create a separate rule for X.11 protocol. Best regards, Roman M. Zeltser, @National Computer Center DNE, RSIS Information Security Index <http://www.rtek2000.com/Tech/InternetSecureLinks.html> -----Original Message----- Subject: Re: [FW-1] Any is not service any? I am not sure why u didn't get a message in the info section of firewall log. It specifically says that if you want to allow X11 traffic you have to add a new rule for it. In FP3 "any" does not allow X traffic. -----Original Message----- Subject: [FW-1] Any is not service any? Hi, I have encountered a weird problem and wonder if anyone has an explanation? We have a Firewall-1 NG FP3 and a rule SIP/DIP/any/encrypt. When we tried to connect to a service on port TCP-6001 the firewall rejected the packet on the any-rule with no explanation, just reject...Why? The rule is service any. The solution was to add a rule above the any-rule and explicit accept the TCP-6001 traffic...My question is why? I know the port belongs to the TCP service X11 (tcp port 6000-6063) but this is not X11 traffic, they just use that port on the server. Thanks and Regards Petra ================================================= To set vacation, Out Of Office, or away messages, send an email to [email protected] in the BODY of the email add: set fw-1-mailinglist nomail ================================================= To unsubscribe from this mailing list, please see the instructions at http://www.checkpoint.com/services/mailing.html ================================================= If you have any questions on how to change your subscription options, email [email protected] =================================================
|