Firewall Wizards mailing list archives

Previous By Date Next
Previous By Thread Next

RE: Questions about converting FW-1 ruleset to PIX - sor t of...

From: Ralf.Zessin () maxpert de
Date: Tue, 24 Jan 2006 13:50:13 +0100
Hi Nick,


One of the checkpoint rules denies traffic from all internal networks
for a group of specific ports destined to a group that contains all of
the DMZ servers and also to the DMZ network itself - a DMZ object
group.

My questions is: What is the purpose of having the the servers "and"
the dmz network listed in the destination? Is this necessary?



No, the information is redundant. But if there is above a rule which
explizit allows traffic which is blocked by this rule, this traffic 
has to go through.

Checkpoint evaluates its rule form top to down and first ( not best )
match is taken.

But what is this for a rule-design where Ports/traffic are explicit denied
if it
was not an alert-rule ? Normaly all traffic has to be forbidden and
I have to *allow* traffic by rules.

        - Ralf
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
Previous By Date Next
Previous By Thread Next

Current thread: