Firewall Wizards mailing list archives

RE: Questions about converting FW-1 ruleset to PIX - sort of...


From: "Behm, Jeffrey L." <BehmJL () bvsg com>
Date: Tue, 24 Jan 2006 09:02:53 -0600

 
On Monday, January 23, 2006 4:55 PM, nick leachman so spake:
 
My question is: What is the purpose of having the servers "and"
the dmz network listed in the destination? Is this necessary?

How "old" is the CP? Perhaps those servers were at one time on a
different network than the "DMZ" and now that they are on the same
network the rule is now redundant. Because the rulesets usually change
over time, it is not out of the question that the rules made sense at
one point in time, but now do not.

The "deny by network" rule should cover it. Don't put in rules that
don't make sense. If you don't understand them, then you are apt to mess
them up and make things worse.
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

