[fw-wiz] Questions about converting FW-1 ruleset to PIX - sort of...
- From: nick leachman <nleachman@xxxxxxxxx>
- Date: Mon, 23 Jan 2006 17:55:25 -0500
Hi,
I'm converting a set of rules from a checkpoint fw to a PIX 515e; and
I want to better understand a rule on the checkpoint. The questions
revolve more around thoroughness than the different models.
Both the checkpoint and the pix are three interface units with one dmz
each. For the discussion here the DMZ network address is
172.16.0.0/16.
One of the checkpoint rules denies traffic from all internal networks
for a group of specific ports destined to a group that contains all of
the DMZ servers and also to the DMZ network itself - a DMZ object
group.
My question is: What is the purpose of having the servers "and"
the dmz network listed in the destination? Is this necessary?
On the PIX my plan was to replace the above checkpoint rule with one similar to:
access-list deny tcp any 172.16.0.0 255.255.0.0 object-group denied_dmz_tcp_ports
Am I opening a hole I don't understand by not denying traffic to both
the network and the servers, but instead only using the rule above?
Many thanks,
Nick
_______________________________________________
firewall-wizards mailing list
firewall-wizards@xxxxxxxxxxxxxxxxxx
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
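An added migration check, not from Nick's post or from either vendor: it parses a PIX destination written as "network mask" (the form used in the proposed rule) and reports which members of a server group fall outside it, which is exactly the hole the question is about. The server names and addresses are a constructed, hypothetical DMZ group; only 172.16.0.0 255.255.0.0 comes from the post.

```python
import ipaddress

# Destination of the proposed PIX ACE, copied from the post.
PIX_ACE_DESTINATION = "172.16.0.0 255.255.0.0"

# Constructed stand-in for the Check Point server group; the last
# entry is deliberately placed outside the DMZ /16 to show the gap
# a network-only deny would leave.
DMZ_SERVERS = {
    "dmz-web": "172.16.10.5",
    "dmz-mail": "172.16.20.7",
    "dmz-dns": "172.16.30.9",
    "dmz-relay": "192.168.50.4",
}


def pix_network(dest: str) -> ipaddress.IPv4Network:
    """Convert a PIX ACE destination ('any', 'host A.B.C.D', or
    'A.B.C.D MASK') into an IPv4Network."""
    parts = dest.split()
    if parts == ["any"]:
        return ipaddress.IPv4Network("0.0.0.0/0")
    if len(parts) == 2 and parts[0] == "host":
        return ipaddress.IPv4Network(f"{parts[1]}/32")
    addr, mask = parts
    net = ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)
    # PIX access-lists take a network mask; IOS access-lists take a
    # wildcard mask. ipaddress silently accepts both, so compare the
    # mask we were given with the netmask it was interpreted as.
    if ipaddress.IPv4Address(mask) != net.netmask:
        raise ValueError(f"{mask!r} is a wildcard mask, not a PIX network mask")
    return net


def uncovered_servers(dest: str, servers: dict) -> list:
    """Return the names of servers the destination does NOT match,
    i.e. hosts the Check Point group denied but this ACE would not."""
    net = pix_network(dest)
    return sorted(name for name, ip in servers.items()
                  if ipaddress.IPv4Address(ip) not in net)


if __name__ == "__main__":
    missing = uncovered_servers(PIX_ACE_DESTINATION, DMZ_SERVERS)
    print("servers outside the PIX deny:", missing or "none")
```

If the list comes back empty, every server the Check Point group named already sits inside the /16 and the extra server entries were redundant; any name it returns is a host the single network-based deny would let through.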