Firewall Wizards mailing list archives
Re: FW-1 "allow outbound"
From: dwelch () uswestmail net
Date: 26 Jan 2000 00:23:48 -0800
On Tue, 18 January 2000, "Cannella, Michael (ISS Southfield)" wrote:
A question for the list while I am on the subject of FW-1. Does anybody know why the 'Allow outbound connections' property has to be set on FW-1/NT for the fw to pass any traffic? In my experience this property has the advertised effect on the Solaris platform but will stop all traffic dead in the water if not enabled on the NT platform.

I have seen the same behavior difference between Solaris and NT, but only with http. With telnet, for example, both seem to behave the same way. And I have no explanation for why that occurs, although, for once, it's NT that exhibits the safer behavior.
If the HTTP Security Server is involved (i.e., if there's an HTTP resource or User Authentication), I can imagine the behaviour being slightly different.
This problem is quite apropos your comment about the (ahem) "limitations" of the Checkpoint docs, which are somewhat misleading:
- the policy property help expressly indicates that the "allow outgoing" checkbox does not apply to traffic from the internal network.
- the help for "outgoing connections" says--a bit more accurately--that traffic will only be allowed out from the firewall if either
  * "allow outgoing" is checked or
  * interface direction is set to "eitherbound," and there is a rule that allows the traffic out.
You can also get in trouble if you have some rules installed on gateways, some rules installed on a specific target (FireWall-1 treats these rules as eitherbound), and interface direction is set to "inbound."
--
Dameon D. Welch, a.k.a. PhoneBoy (dwelch () phoneboy com)
Check Point FireWall-1 FAQs at http://www.phoneboy.com/fw1/
The views expressed herein are not necessarily those of anyone else.
--
Signup for your free USWEST.mail Email account http://www.uswestmail.net
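The following is an added toy model of the outbound-inspection semantics that the post quotes from the FireWall-1 help text and from PhoneBoy's closing remark; it is not Check Point code and not part of the original thread. It encodes only three stated facts: a connection originated by the firewall host leaves only if "allow outgoing" is set or the interface direction is "eitherbound" and a rule accepts it; traffic from the internal network is unaffected by the property; and rules installed on a specific target are treated as eitherbound. The rule base, packets and the target name "fw-nt" are constructed for the example, and the "mixed targets" scenario is one assumed reading of what "get in trouble" means (a target-installed accept being consulted for firewall-originated traffic when a gateway-installed drop above it is not), not something the post spells out.

```python
"""Toy model of the FireWall-1 outbound-inspection behaviour described in the
thread. Constructed example: not Check Point's implementation, and the rule
base, packets and gateway name "fw-nt" are all assumptions."""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class Rule:
    src: str         # "fw", "internal", or "any"
    dst: str
    service: str     # "http", "telnet", or "any"
    action: str      # "accept" or "drop"
    install_on: str  # "gateways" or a specific target name such as "fw-nt"


@dataclass
class Packet:
    src: str
    dst: str
    service: str
    leaving_firewall: bool  # True for a connection the firewall host itself originates


def _field_matches(rule_value: str, pkt_value: str) -> bool:
    return rule_value in ("any", pkt_value)


def _matches(rule: Rule, pkt: Packet) -> bool:
    return (_field_matches(rule.src, pkt.src)
            and _field_matches(rule.dst, pkt.dst)
            and _field_matches(rule.service, pkt.service))


def decide(pkt: Packet, rules: List[Rule], allow_outgoing: bool,
           iface_direction: str, this_gateway: str) -> Tuple[str, str]:
    """Return (verdict, reason) for one packet on the gateway `this_gateway`.

    iface_direction is "inbound" or "eitherbound". Firewall-originated traffic
    leaves only if 'allow outgoing' is set, or a rule that is inspected in the
    outbound direction accepts it. Rules installed on a specific target are
    treated as eitherbound, as the post states.
    """
    if iface_direction not in ("inbound", "eitherbound"):
        raise ValueError(iface_direction)
    if pkt.leaving_firewall and allow_outgoing:
        return "accept", "allow outgoing property"
    for number, rule in enumerate(rules, start=1):
        if rule.install_on not in ("gateways", this_gateway):
            continue  # installed on some other target, not on this gateway
        if pkt.leaving_firewall:
            # A packet leaving the firewall is only seen by rules that apply in
            # the outbound direction: eitherbound interfaces, or target-installed rules.
            outbound_inspected = (iface_direction == "eitherbound"
                                  or rule.install_on != "gateways")
            if not outbound_inspected:
                continue
        if _matches(rule, pkt):
            return rule.action, f"rule {number}"
    return "drop", "no rule matched (implicit drop)"


# Constructed sample packets and policies (not from the thread).
FW_HTTP_OUT = Packet("fw", "any-web", "http", leaving_firewall=True)
INTERNAL_HTTP = Packet("internal", "any-web", "http", leaving_firewall=False)

GATEWAY_ONLY_RULES = [
    Rule("internal", "any", "http", "accept", "gateways"),
    Rule("fw", "any", "http", "accept", "gateways"),
]

# Assumed "trouble" case: a gateway-installed drop above a target-installed accept.
MIXED_RULES = [
    Rule("fw", "any", "any", "drop", "gateways"),
    Rule("fw", "any", "http", "accept", "fw-nt"),
]

if __name__ == "__main__":
    for label, allow, direction in [
        ("allow outgoing off, inbound", False, "inbound"),
        ("allow outgoing off, eitherbound", False, "eitherbound"),
        ("allow outgoing on, inbound", True, "inbound"),
    ]:
        print(label, "->", decide(FW_HTTP_OUT, GATEWAY_ONLY_RULES, allow, direction, "fw-nt"))
    print("internal client, inbound ->", decide(INTERNAL_HTTP, GATEWAY_ONLY_RULES, False, "inbound", "fw-nt"))
    print("mixed targets, inbound ->", decide(FW_HTTP_OUT, MIXED_RULES, False, "inbound", "fw-nt"))
```

Running it shows the symptom from the question: with the property off and the interface "inbound", the firewall's own HTTP connection is dropped even though rule 2 would accept it, while an internal client's HTTP is accepted by rule 1 regardless of the property. Switching the interface to "eitherbound" lets rule 2 apply. In the mixed policy with "inbound", the gateway-installed drop is never consulted for outbound traffic but the target-installed accept is, so the packet passes where a top-down reading of the rule base says it should not.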
Current thread:
- FW-1 "allow outbound" Cannella, Michael (ISS Southfield) (Jan 18)
- <Possible follow-ups>
- Re: FW-1 "allow outbound" dwelch (Jan 28)