Firewall Wizards mailing list archives
RE: Gauntlet Rule Interpretation
From: Meenoo_Shivdasani () nai com
Date: Wed, 13 Feb 2002 16:47:22 -0600
> However, some of our rules look like this:
>
> authenIP: permit-forward -if ef1 -proto * -srcaddr a.b.c.d:255.255.255.255 -dstaddr w.x.y.z:255.255.255.255 -srcport * -dstport *
> authenIP: permit-forward -if exp0 -proto * -dstaddr a.b.c.d:255.255.255.255 -srcaddr w.x.y.z:255.255.255.255 -dstport * -srcport *
>
> Surely such a rule would let SNMP traffic from a.b.c.d to w.x.y.z and vice-versa? Or am I missing something here?
The first rule allows any traffic that arrives on interface ef1, with a source address of a.b.c.d:255.255.255.255 and a destination address of w.x.y.z:255.255.255.255, to be forwarded through the firewall. The second rule allows any traffic that arrives on interface exp0, with a source address of a.b.c.d:255.255.255.255 and a destination address of w.x.y.z:255.255.255.255, to be forwarded through the firewall.

If a.b.c.d:255.255.255.255 in the first rule = w.x.y.z:255.255.255.255 in the second rule and w.x.y.z:255.255.255.255 in the first rule = a.b.c.d:255.255.255.255 in the second rule, then any traffic between those two hosts would be passed.

However, if the second rule is not the reverse of the first rule (in terms of IP addresses), the traffic would be permitted through the firewall, but no replies would be permitted back. If this is the case, you would see "No match in forward screen" errors in the logs.

Also, unless w.x.y.z knows how to get back to a.b.c.d, the rule won't work because w.x.y.z won't know where to send the packets.

M

_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://list.nfr.com/mailman/listinfo/firewall-wizards
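To make the reply's point concrete, here is an added example (not code from the thread or from Gauntlet) that parses the two permit-forward rules quoted above and checks whether an SNMP packet and its reply are both covered. The rule syntax and interface names come from the thread; the documentation addresses 192.0.2.10 and 198.51.100.20 stand in for a.b.c.d and w.x.y.z, and the packet tuples and helper names are constructed here.

```python
import ipaddress

def parse_rule(line):
    """Parse 'authenIP: permit-forward -if ef1 -proto * -srcaddr A:M ...' into a dict."""
    _, body = line.split(":", 1)
    toks = body.split()
    rule = {"action": toks[0]}
    for flag, val in zip(toks[1::2], toks[2::2]):  # flag order does not matter
        rule[flag.lstrip("-")] = val
    return rule

def addr_matches(spec, addr):
    # '*' matches anything; otherwise 'addr:netmask' is a network to test against
    if spec == "*":
        return True
    net = ipaddress.ip_network(spec.replace(":", "/"), strict=False)
    return ipaddress.ip_address(addr) in net

def port_matches(spec, port):
    return spec == "*" or int(spec) == port

def rule_matches(rule, pkt):
    return (rule["if"] in ("*", pkt["if"])
            and rule["proto"] in ("*", pkt["proto"])
            and addr_matches(rule["srcaddr"], pkt["src"])
            and addr_matches(rule["dstaddr"], pkt["dst"])
            and port_matches(rule["srcport"], pkt["sport"])
            and port_matches(rule["dstport"], pkt["dport"]))

def first_match(rules, pkt):
    for r in rules:
        if rule_matches(r, pkt):
            return r["action"]
    return "no match in forward screen"  # the error the reply says shows up in the logs

def reply_packet(pkt, reply_if):
    """The reply to pkt: addresses and ports swapped, arriving on the other interface."""
    return {"if": reply_if, "proto": pkt["proto"], "src": pkt["dst"], "dst": pkt["src"],
            "sport": pkt["dport"], "dport": pkt["sport"]}

# constructed rule set mirroring the two rules in the question
RULES = [parse_rule(r) for r in (
    "authenIP: permit-forward -if ef1 -proto * -srcaddr 192.0.2.10:255.255.255.255 -dstaddr 198.51.100.20:255.255.255.255 -srcport * -dstport *",
    "authenIP: permit-forward -if exp0 -proto * -dstaddr 192.0.2.10:255.255.255.255 -srcaddr 198.51.100.20:255.255.255.255 -dstport * -srcport *",
)]
# constructed SNMP GET from a.b.c.d to w.x.y.z arriving on ef1
SNMP_GET = {"if": "ef1", "proto": "udp", "src": "192.0.2.10", "dst": "198.51.100.20",
            "sport": 40000, "dport": 161}
# the broken case from the reply: second rule absent, so nothing covers the reply
ONE_WAY = RULES[:1]
```

With both rules present the GET and its reply both match; with only the first rule the reply falls through to the "no match" case the reply describes.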
Current thread:
- Gauntlet Rule Interpretation Johann van Duyn (Feb 13)
- Re: Gauntlet Rule Interpretation Marcus J. Ranum (Feb 13)
- <Possible follow-ups>
- RE: Gauntlet Rule Interpretation Meenoo_Shivdasani (Feb 13)