Re: FW-1 "allow outbound"

[dwelch () uswestmail net]

On Tue, 18 January 2000, "Cannella, Michael (ISS Southfield)" wrote:

> > A question for the list while I am on the subject of FW-1. Does anybody
> know why the
> > 'Allow outbound connections' property has to be set on FW-1/NT for the fw
> to pass any
> > traffic? In my experience this property has the advertised effect on the
> Solaris
> > platform but will stop all traffic dead in the water if not enabled on the
> NT platform. 
>
> I have seen the same behavior difference between Solaris and NT, but only
> with http.  With telnet, for example, both seem to behave the same way.  And
> I have no explanation for why that occurs, although, for once, it's NT that
> exhibits the safer behavior.

If the HTTP Security Server is involved (i.e. if there's a HTTP resource or User Authentication), I can imagine the 
behaviour being slightly different. 

> This problem is quite apropos your comment about the (ahem) "limitations" of
> the Checkpoint docs, which are somewhat misleading:
>
> - the policy property help expressly indicates that the "allow outgoing"
> checkbox does not apply to traffic from the internal network.
>
> - the help for "outgoing connections" says--a bit more accurately--that
> traffic will only be allowed out from the firewall if either
>
>     *  "allow outgoing" is checked
> or
>     *  interface direction is set to "eitherbound," and there is a rule that
> allows the
>        traffic out.

You can also get in trouble if you have some rules installed on gateways, some some rules installed on specific target 
(FireWall-1 treats these rules as eitherbound), and interface direction is set to "inbound." 

--
Dameon D. Welch, a.k.a. PhoneBoy (dwelch () phoneboy com)
Check Point FireWall-1 FAQs at http://www.phoneboy.com/fw1/
The views expressed herein are not necessarily those of anyone else.
--
Signup for your free USWEST.mail Email account http://www.uswestmail.net