RE: [fw-wiz] Questions about converting FW-1 ruleset to PIX - sor t of...

Hi Nick,

> One of the checkpoint rules denies traffic from all internal networks
> for a group of specific ports destined to a group that contains all of
> the DMZ servers and also to the DMZ network itself - a DMZ object
> group.
> My questions is: What is the purpose of having the the servers "and"
> the dmz network listed in the destination? Is this necessary?

No, the information is redundant. But if there is above a rule which
explizit allows traffic which is blocked by this rule, this traffic
has to go through.

Checkpoint evaluates its rule form top to down and first ( not best )
match is taken.

But what is this for a rule-design where Ports/traffic are explicit denied
if it
was not an alert-rule ? Normaly all traffic has to be forbidden and
I have to *allow* traffic by rules.

- Ralf
firewall-wizards mailing list