Firewall Wizards mailing list archives
Questions about converting FW-1 ruleset to PIX - sort of...
From: nick leachman <nleachman () gmail com>
Date: Mon, 23 Jan 2006 17:55:25 -0500
Hi,

I'm converting a set of rules from a Checkpoint FW to a PIX 515e, and I want to better understand a rule on the Checkpoint. The questions revolve more around thoroughness than the different models.

Both the Checkpoint and the PIX are three-interface units with one DMZ each. For the discussion here the DMZ network address is 172.16.0.0/16.

One of the Checkpoint rules denies traffic from all internal networks for a group of specific ports destined to a group that contains all of the DMZ servers and also to the DMZ network itself - a DMZ object group.

My question is: what is the purpose of having the servers "and" the DMZ network listed in the destination? Is this necessary?

On the PIX my plan was to replace the above Checkpoint rule with one similar to:

    access-list deny tcp any 172.16.0.0 255.255.0.0 object-group denied_dmz_tcp_ports

Am I opening a hole I don't understand by not denying traffic to both the network and the servers, but instead only using the rule above?

Many thanks,
Nick

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
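The "am I opening a hole" question above comes down to whether every member of the Checkpoint destination group (the DMZ network object plus each server object) is contained in the single network the proposed PIX ACE denies. The following script is an added example, not part of the original post, that performs that containment check; the server addresses in it are constructed for illustration, and one is deliberately placed outside 172.16.0.0/16 to show what a gap looks like.

```python
import ipaddress

# Constructed sample of the FW-1 destination group as the post describes it:
# one network object for the DMZ plus individual server objects. The server
# addresses are made up for this example; the last one is intentionally
# outside the DMZ subnet so the check has something to report.
FW1_DEST_GROUP = [
    "172.16.0.0/16",  # DMZ network object
    "172.16.1.10",    # DMZ web server (constructed)
    "172.16.1.20",    # DMZ mail relay (constructed)
    "192.0.2.10",     # server object defined by a non-DMZ address (constructed)
]


def pix_dest_network(addr, mask):
    """Turn PIX 'address netmask' notation into an ipaddress network object."""
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def uncovered_members(group, pix_dest):
    """Return the group members that are NOT wholly inside pix_dest.

    Each member may be a bare host (treated as a /32) or a subnet. A member
    listed here would still be reachable on the denied ports after the
    conversion, because the single PIX ACE does not match it.
    """
    missing = []
    for member in group:
        net = ipaddress.ip_network(member, strict=False)
        if not net.subnet_of(pix_dest):
            missing.append(str(net))
    return missing


def check_replacement(group, pix_addr, pix_mask):
    """Compare the FW-1 destination group against one PIX destination."""
    return uncovered_members(group, pix_dest_network(pix_addr, pix_mask))


if __name__ == "__main__":
    # The destination from the proposed ACE: 172.16.0.0 255.255.0.0
    gaps = check_replacement(FW1_DEST_GROUP, "172.16.0.0", "255.255.0.0")
    if gaps:
        print("Members of the FW-1 group not covered by the PIX ACE:", gaps)
    else:
        print("Every member of the FW-1 group is inside the PIX destination.")
```

If the check reports nothing, the server objects are redundant with the network object and the single ACE is equivalent; any member it does report needs its own ACE (or a network object-group) on the PIX.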
Current thread:
- Questions about converting FW-1 ruleset to PIX - sort of... nick leachman (Jan 23)
- <Possible follow-ups>
- RE: Questions about converting FW-1 ruleset to PIX - sort of... Behm, Jeffrey L. (Jan 24)