Firewall Wizards mailing list archives

Questions about converting FW-1 ruleset to PIX - sort of...


From: nick leachman <nleachman () gmail com>
Date: Mon, 23 Jan 2006 17:55:25 -0500

Hi,

I'm converting a set of rules from a checkpoint fw to a PIX 515e; and
I want to better understand a rule on the checkpoint. The questions
revolve more around thoroughness than the different models.

Both the checkpoint and the pix are three interface units with one dmz
each. For the discussion here the DMZ network address is
172.16.0.0/16.

One of the checkpoint rules denies traffic from all internal networks
for a group of specific ports destined to a group that contains all of
the DMZ servers and also to the DMZ network itself - a DMZ object
group.

My question is: What is the purpose of having the servers "and"
the dmz network listed in the destination? Is this necessary?

On the PIX my plan was to replace the above checkpoint rule with one similar to:

access-list deny tcp any 172.16.0.0 255.255.0.0 object-group denied_dmz_tcp_ports

Am I opening a hole I don't understand by not denying traffic to both
the network and the servers, but instead only using the rule above?

Many thanks,
Nick
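One way to check whether the two destination objects actually differ before dropping one of them, as an added example that is not part of the original post: the Check Point rule matches a destination if it is in the DMZ network OR in the server group, while the proposed PIX ACL matches only the network. The server addresses below are constructed; a real audit would load them from the Check Point object definitions.

```python
import ipaddress

# Constructed sample data. The /16 is the DMZ network from the post; the server
# list stands in for the Check Point "DMZ servers" group and is made up here.
DMZ_NETWORK = "172.16.0.0/16"
DMZ_SERVERS = [
    "172.16.1.10",   # inside the DMZ supernet
    "172.16.2.20",   # inside the DMZ supernet
    "192.168.50.5",  # hypothetical server object whose address lies outside the /16
]


def servers_not_covered(network, servers):
    """Server objects that a deny on `network` alone would NOT match.

    If this list is empty, listing the servers alongside the network is
    redundant; otherwise each entry is a destination the PIX rule would miss.
    """
    net = ipaddress.ip_network(network)
    return [s for s in servers if ipaddress.ip_address(s) not in net]


def checkpoint_matches(dst, network, servers):
    """Emulate the Check Point destination: the network OR any member of the group."""
    addr = ipaddress.ip_address(dst)
    return addr in ipaddress.ip_network(network) or any(
        addr == ipaddress.ip_address(s) for s in servers
    )


def pix_matches(dst, network):
    """Emulate the proposed PIX ACL, whose destination is only the network."""
    return ipaddress.ip_address(dst) in ipaddress.ip_network(network)


def coverage_gap(network, servers, destinations):
    """Destinations the Check Point rule denies but the PIX rule would let through."""
    return [
        d for d in destinations
        if checkpoint_matches(d, network, servers) and not pix_matches(d, network)
    ]


if __name__ == "__main__":
    # Constructed destinations: two inside the /16, one outside that is in the
    # server group, and one unrelated internal host.
    probes = ["172.16.1.10", "172.16.200.1", "192.168.50.5", "10.0.0.1"]
    print("servers outside the DMZ network:", servers_not_covered(DMZ_NETWORK, DMZ_SERVERS))
    print("denied by Check Point but not by PIX:", coverage_gap(DMZ_NETWORK, DMZ_SERVERS, probes))
```

Only server objects whose address is not inside 172.16.0.0/16 make the combined destination stricter than the network alone; if every server in the group lives in the /16, the two rules deny the same traffic.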
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
