Firewall Wizards mailing list archives

RE: Gauntlet Rule Interpretation


From: Meenoo_Shivdasani () nai com
Date: Wed, 13 Feb 2002 16:47:22 -0600


However, some of our rules look like this:

        authenIP: permit-forward -if ef1 -proto * -srcaddr
a.b.c.d:255.255.255.255 -dstaddr w.x.y.z:255.255.255.255 -srcport *
-dstport *
        authenIP: permit-forward -if exp0 -proto * -dstaddr
a.b.c.d:255.255.255.255 -srcaddr w.x.y.z:255.255.255.255 -dstport *
-srcport *

Surely such a rule would let SNMP traffic from a.b.c.d to w.x.y.z and
vice-versa? Or am I missing something here?

The first rule allows any traffic that arrives on interface ef1, with a
source address of a.b.c.d:255.255.255.255 and a destination address of
w.x.y.z:255.255.255.255 to be forwarded through the firewall.

The second rule allows any traffic that arrives on interface exp0, with a
source address of a.b.c.d:255.255.255.255 and a destination address of
w.x.y.z:255.255.255.255 to be forwarded through the firewall.

If a.b.c.d:255.255.255.255 in the first rule = w.x.y.z:255.255.255.255 in
the second rule and w.x.y.z:255.255.255.255 in the first rule =
a.b.c.d:255.255.255.255 in the second rule, then any traffic between those
two hosts would be passed.

However, if the second rule is not the reverse of the first rule (in terms
of IP addresses), the traffic would be permitted through the firewall, but
no replies would be permitted back.  If this is the case, you would see "No
match in forward screen" errors in the logs.

Also, unless w.x.y.z knows how to get back to a.b.c.d, the rule won't work
because w.x.y.z won't know where to send the packets.

M
_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://list.nfr.com/mailman/listinfo/firewall-wizards
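The reply above describes how a stateless "forward screen" evaluates each packet independently, so a permit-forward rule only admits one direction and the reply path needs a second rule with the addresses reversed. The following is an added example, not code from the message or from Gauntlet itself: it is a simplified Python model of such a first-match screen, with a parser for the rule syntax quoted in the thread (an assumption about the format, not Gauntlet's real parser) and constructed addresses 10.1.1.1 and 192.0.2.10 standing in for a.b.c.d and w.x.y.z. It checks whether a request and its reply both match, which is the failure the "No match in forward screen" log line points at.

```python
import ipaddress
import shlex

# Constructed rule set mirroring the two rules quoted in the message:
# the second rule reverses the addresses of the first, so replies arriving
# on exp0 are matched.
RULES_SYMMETRIC = [
    "authenIP: permit-forward -if ef1 -proto * -srcaddr 10.1.1.1:255.255.255.255 "
    "-dstaddr 192.0.2.10:255.255.255.255 -srcport * -dstport *",
    "authenIP: permit-forward -if exp0 -proto * -dstaddr 10.1.1.1:255.255.255.255 "
    "-srcaddr 192.0.2.10:255.255.255.255 -dstport * -srcport *",
]

# Constructed mis-configuration: the second rule keeps the same src/dst
# as the first, so it never matches the reply direction.
RULES_ASYMMETRIC = [
    RULES_SYMMETRIC[0],
    "authenIP: permit-forward -if exp0 -proto * -srcaddr 10.1.1.1:255.255.255.255 "
    "-dstaddr 192.0.2.10:255.255.255.255 -srcport * -dstport *",
]


def parse_addr(spec):
    """'addr:mask' -> (addr int, mask int); '*' -> None (match anything)."""
    if spec == "*":
        return None
    addr, mask = spec.split(":")
    return int(ipaddress.IPv4Address(addr)), int(ipaddress.IPv4Address(mask))


def parse_rule(line):
    """Parse one 'permit-forward' line of the form quoted in the thread.

    Assumed format: '<screen>: permit-forward -opt value -opt value ...'.
    """
    tokens = shlex.split(line)
    if tokens[1] != "permit-forward":
        raise ValueError("only permit-forward rules are modelled")
    opts = {}
    for flag, value in zip(tokens[2::2], tokens[3::2]):
        opts[flag.lstrip("-")] = value
    return {
        "if": opts["if"],
        "proto": opts["proto"],
        "src": parse_addr(opts["srcaddr"]),
        "dst": parse_addr(opts["dstaddr"]),
        "sport": opts["srcport"],
        "dport": opts["dstport"],
    }


def addr_matches(spec, ip):
    """Mask-based match: 255.255.255.255 means exactly this host."""
    if spec is None:
        return True
    addr, mask = spec
    return (int(ipaddress.IPv4Address(ip)) & mask) == (addr & mask)


def field_matches(spec, value):
    return spec == "*" or str(spec) == str(value)


def forward_screen(rules, pkt):
    """First-match lookup over parsed rules; None models the
    'No match in forward screen' log entry."""
    for idx, r in enumerate(rules):
        if (r["if"] == pkt["if"]
                and field_matches(r["proto"], pkt["proto"])
                and addr_matches(r["src"], pkt["src"])
                and addr_matches(r["dst"], pkt["dst"])
                and field_matches(r["sport"], pkt["sport"])
                and field_matches(r["dport"], pkt["dport"])):
            return idx
    return None


def check_bidirectional(rule_lines, iface_out, iface_in, src, dst, proto, sport, dport):
    """Return (request_matched, reply_matched) for a flow and its reply.

    The request arrives on iface_out; the reply arrives on iface_in with
    addresses and ports swapped, which is what a stateless screen sees.
    """
    rules = [parse_rule(line) for line in rule_lines]
    req = {"if": iface_out, "proto": proto, "src": src, "dst": dst,
           "sport": sport, "dport": dport}
    rep = {"if": iface_in, "proto": proto, "src": dst, "dst": src,
           "sport": dport, "dport": sport}
    return (forward_screen(rules, req) is not None,
            forward_screen(rules, rep) is not None)


if __name__ == "__main__":
    # SNMP-style flow (UDP/161) between the two constructed hosts.
    for name, rules in (("symmetric", RULES_SYMMETRIC), ("asymmetric", RULES_ASYMMETRIC)):
        ok = check_bidirectional(rules, "ef1", "exp0", "10.1.1.1", "192.0.2.10", "udp", 1025, 161)
        print(f"{name}: request matched={ok[0]}, reply matched={ok[1]}")
```

With the symmetric pair both directions match, which is why such rules pass any protocol (SNMP included) between the two hosts; with the asymmetric pair the request is forwarded but the reply is dropped, the situation the message describes. The routing caveat at the end of the reply is outside this model: a matching rule says nothing about whether w.x.y.z has a route back.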

