Firewall Wizards mailing list archives
RE: Questions about converting FW-1 ruleset to PIX - sort of...
From: Ralf.Zessin () maxpert de
Date: Tue, 24 Jan 2006 13:50:13 +0100
Hi Nick,
One of the Check Point rules denies traffic from all internal networks for a group of specific ports destined to a group that contains all of the DMZ servers and also the DMZ network itself - a DMZ object group. My question is: What is the purpose of having the servers "and" the DMZ network listed in the destination? Is this necessary?
No, the information is redundant. But if there is a rule above it which explicitly allows traffic that is blocked by this rule, that traffic gets through. Check Point evaluates its rules from top to bottom and the first (not the best) match is taken. But what kind of rule design is this, where ports/traffic are explicitly denied, if it is not an alert rule? Normally all traffic has to be forbidden and I have to *allow* traffic by rules.

- Ralf
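Added example, not from the thread: a small first-match rule evaluator in Python showing both points made above, that an accept rule placed higher wins over a later drop, and that listing DMZ hosts next to the DMZ network in one destination group is redundant. All addresses, ports and rule names are constructed sample values.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample objects (not from the thread).
INTERNAL = ["10.0.0.0/8"]
DMZ_NET = "192.0.2.0/24"
DMZ_SERVERS = ["192.0.2.10/32", "192.0.2.11/32"]
DMZ_GROUP = DMZ_SERVERS + [DMZ_NET]      # hosts plus the network they live in
BLOCKED_PORTS = {135, 139, 445}

def to_net(s):
    return ipaddress.ip_network(s, strict=False)

@dataclass
class Rule:
    name: str
    action: str      # "accept" or "drop"
    src: list        # CIDR strings
    dst: list        # CIDR strings
    ports: set       # destination ports; None means any

def matches(rule, src_ip, dst_ip, port):
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    return (any(s in to_net(n) for n in rule.src)
            and any(d in to_net(n) for n in rule.dst)
            and (rule.ports is None or port in rule.ports))

def evaluate(rules, src_ip, dst_ip, port):
    """Top-down, first match wins (not best match); implicit drop at the end."""
    for r in rules:
        if matches(r, src_ip, dst_ip, port):
            return r.action, r.name
    return "drop", "implicit cleanup"

def redundant_members(group):
    """Members already covered by another member of the same group."""
    nets = [to_net(m) for m in group]
    return [str(a) for a in nets if any(a != b and a.subnet_of(b) for b in nets)]

# Rule base in the shape discussed: an explicit allow above an explicit deny.
RULES = [
    Rule("mgmt-to-web", "accept", ["10.1.1.5/32"], ["192.0.2.10/32"], {445}),
    Rule("deny-internal-to-dmz", "drop", INTERNAL, DMZ_GROUP, BLOCKED_PORTS),
    Rule("internal-to-dmz-web", "accept", INTERNAL, [DMZ_NET], {80, 443}),
]

if __name__ == "__main__":
    print(evaluate(RULES, "10.1.1.5", "192.0.2.10", 445))   # earlier accept wins
    print(evaluate(RULES, "10.1.1.6", "192.0.2.10", 445))   # hits the deny rule
    print(redundant_members(DMZ_GROUP))                      # hosts inside DMZ_NET
```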