
Re: [FW-1] Any is not service any?



X11 is blocked although the rulebase allows it
X11 is blocked by default when it is matched with a rule that has "any" as the
service.

Use a rule above the "any" service rule explicitly using the X-11 service or
revert to the previous behavior by setting the "reject_x11_in_any" global
property to false using dbedit. This property was added for compatibility
reasons; it is not recommended to change its default value.

There used to be a list of ports that weren't allowed by "any" but I can't
find it. Things like H.323 and X11 fall into the category. Check the lib
directory on the manager; that might give you some clues.

Jp




-----Original Message-----
Subject: Re: [FW-1] Any is not service any?


so, it should really read some some allow?  :)

>>> [email protected] 02/07/03 01:13PM >>>
According to Check Point engineers, an ANY ANY ALLOW rule doesn't mean ANY
protocol. There are just some certain protocols that are allowed, but you
have to specify many protocols manually in order to use them for your
connections. So, create a separate rule for the X.11 protocol.



Best regards,

Roman M. Zeltser,

@National Computer Center

DNE, RSIS

Information Security Index
<http://www.rtek2000.com/Tech/InternetSecureLinks.html>

-----Original Message-----
Subject: Re: [FW-1] Any is not service any?



I am not sure why you didn't get a message in the info section of the
firewall log.

It specifically says that if you want to allow X11 traffic you have to add a
new rule for it. In FP3 "any" does not allow X traffic.



-----Original Message-----
Subject: [FW-1] Any is not service any?



Hi,

I have encountered a weird problem and wonder if anyone has an explanation?
We have a Firewall-1 NG FP3 and a rule SIP/DIP/any/encrypt. When we tried to
connect to a service on port TCP-6001 the firewall rejected the packet on
the any-rule with no explanation, just reject... Why? The rule is service
any. The solution was to add a rule above the any-rule and explicitly accept
the TCP-6001 traffic... My question is why? I know the port belongs to the
TCP service X11 (tcp port 6000-6063) but this is not X11 traffic, they just
use that port on the server.

Thanks and Regards
Petra
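
The behaviour discussed in this thread, as a simplified first-match model (an added example, not part of the original messages and not Check Point code). The Rule class, evaluate(), rejected_on_any() and the two rulebases are constructed for illustration; the final implicit drop is an assumption.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

# TCP 6000-6063, the X11 range quoted in the thread
X11_PORTS = range(6000, 6064)

@dataclass
class Rule:
    name: str
    service: Optional[Tuple[int, int]]  # inclusive TCP port range; None = "any"
    action: str = "accept"

    def matches(self, port: int) -> bool:
        return self.service is None or self.service[0] <= port <= self.service[1]

def evaluate(rules, port, reject_x11_in_any=True):
    """Return (rule name, verdict) for the first rule matching a TCP port."""
    for rule in rules:
        if not rule.matches(port):
            continue
        # Special case from the thread: a match on service "any" does not
        # cover the X11 range while reject_x11_in_any keeps its default.
        if rule.service is None and port in X11_PORTS and reject_x11_in_any:
            return rule.name, "reject"
        return rule.name, rule.action
    return None, "drop"  # assumption: nothing matched, implicit drop

def rejected_on_any(rules, wanted_ports, reject_x11_in_any=True):
    """Ports an admin expects to pass that end up rejected on an "any" rule."""
    return [p for p in wanted_ports
            if evaluate(rules, p, reject_x11_in_any)[1] == "reject"]

# Constructed rulebases mirroring the original question and its fix
BEFORE = [Rule("any-rule", None, "encrypt")]
AFTER = [Rule("explicit-6001", (6001, 6001), "accept"),
         Rule("any-rule", None, "encrypt")]

if __name__ == "__main__":
    for label, rb in (("before", BEFORE), ("after", AFTER)):
        print(label, evaluate(rb, 6001), rejected_on_any(rb, [22, 6001, 6063, 6064]))
```

The match is on port number alone, which is why a non-X11 application listening on TCP 6001 is rejected just like real X11 traffic.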

   All contents © 2004 Network Presence, LLC. All rights reserved.