Firewall Wizards mailing list archives

Re: Questions about converting FW-1 ruleset to PIX - sort of...


From: nick leachman <nleachman () gmail com>
Date: Tue, 24 Jan 2006 09:10:34 -0500

On 1/24/06, Ralf.Zessin () maxpert de <Ralf.Zessin () maxpert de> wrote:
Hi Nick,

One of the checkpoint rules denies traffic from all internal networks
for a group of specific ports destined to a group that contains all of
the DMZ servers and also to the DMZ network itself - a DMZ object
group.

My question is: What is the purpose of having the servers "and"
the DMZ network listed in the destination? Is this necessary?


No, the information is redundant. But if there is a rule above which
explicitly allows traffic that is blocked by this rule, this traffic
has to go through.

Checkpoint evaluates its rules from top to bottom, and the first (not the best)
match is taken.

But what kind of rule design is this, where ports/traffic are explicitly denied,
if it was not an alert rule? Normally all traffic has to be forbidden and
I have to *allow* traffic by rules.

        - Ralf


Thanks for the feedback Ralf - I'm glad to hear that I was
understanding the checkpoint rules correctly.

For the sake of trying to explain this checkpoint rule I
over-simplified it somewhat. It actually states "permit traffic
sourced from all internal networks to pass outbound (using the list of
ports) to anywhere EXCEPT the DMZ".

I guess this is a nice feature of the checkpoint to have a single rule
with this level of complexity; but I'd rather (we are creatures of
habit, after all :-) break it up into separate permit and deny rules.

Thanks again,
Nick
--
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
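The two points raised in this thread (first-match, top-to-bottom evaluation, and Nick's preference for splitting the single Checkpoint "permit to anywhere except the DMZ" rule into separate deny and permit rules) are easy to see with a small rule-evaluation simulator. The following is an added example written for this archive page; it is not code from the thread, from Checkpoint or from Cisco. The address ranges, the DMZ object group members and the port list are constructed values, and the Rule class and its fields are this example's own model, not either vendor's syntax. It also shows why the original question's destination group was redundant: host objects that already fall inside a network object in the same group add nothing.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed sample topology (not from the thread).
INTERNAL = [ip_network("10.0.0.0/8")]
DMZ_NET = ip_network("192.168.100.0/24")
# A "DMZ object group" as in the question: individual servers plus the network itself.
DMZ_GROUP = [ip_network("192.168.100.10/32"),
             ip_network("192.168.100.20/32"),
             DMZ_NET]
PORTS = frozenset({25, 80, 443})   # constructed "group of specific ports"


@dataclass
class Rule:
    action: str            # "permit" or "deny"
    src: list              # list of ip_network; empty list means "any"
    dst: list              # list of ip_network; empty list means "any"
    dst_negated: bool = False   # Checkpoint-style "anywhere EXCEPT dst"
    ports: frozenset = None     # None means any port


def _in(addr, nets):
    """True if addr is inside any of nets; an empty list means 'any'."""
    return not nets or any(addr in n for n in nets)


def rule_matches(rule, src, dst, port):
    if not _in(src, rule.src):
        return False
    dst_hit = _in(dst, rule.dst)
    if rule.dst_negated:
        dst_hit = not dst_hit
    if not dst_hit:
        return False
    return rule.ports is None or port in rule.ports


def evaluate(rules, src, dst, port, default="deny"):
    """Top-to-bottom, first match wins (not best match).

    Returns (action, index_of_matching_rule); index is None when the
    implicit default applies because nothing matched.
    """
    src, dst = ip_address(src), ip_address(dst)
    for i, rule in enumerate(rules):
        if rule_matches(rule, src, dst, port):
            return rule.action, i
    return default, None


def redundant_members(group):
    """Members of an object group already covered by another member of it."""
    return [m for m in group
            if any(m != other and m.subnet_of(other) for other in group)]


# The single Checkpoint rule as Nick describes it:
# permit internal -> anywhere EXCEPT the DMZ, for the listed ports.
CHECKPOINT = [Rule("permit", INTERNAL, DMZ_GROUP, dst_negated=True, ports=PORTS)]

# The same policy split into an explicit deny followed by a permit,
# the way it would be written as an ordered list (PIX-style).
SPLIT_OK = [Rule("deny", INTERNAL, DMZ_GROUP, ports=PORTS),
            Rule("permit", INTERNAL, [], ports=PORTS)]

# The same two rules in the wrong order: the permit shadows the deny.
SPLIT_WRONG = list(reversed(SPLIT_OK))


if __name__ == "__main__":
    for name, rules in (("checkpoint", CHECKPOINT),
                        ("split-ok", SPLIT_OK),
                        ("split-wrong", SPLIT_WRONG)):
        print(name, "to internet:", evaluate(rules, "10.1.1.5", "203.0.113.9", 443))
        print(name, "to DMZ:     ", evaluate(rules, "10.1.1.5", "192.168.100.10", 443))
    print("redundant group members:", redundant_members(DMZ_GROUP))
```

Running it shows the single negated-destination rule and the correctly ordered deny/permit pair give identical answers, while the reversed pair lets internal hosts reach the DMZ because the permit-any rule is hit first. The last line lists the two host objects that the /24 already covers, which is the redundancy Ralf points out.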