RE: [fw-wiz] Questions about converting FW-1 ruleset to PIX - sort of...

Hi Nick,

> One of the checkpoint rules denies traffic from all internal networks
> for a group of specific ports destined to a group that contains all of
> the DMZ servers and also to the DMZ network itself - a DMZ object
> group.
> My question is: What is the purpose of having the servers "and"
> the DMZ network listed in the destination? Is this necessary?

No, the information is redundant. But if there is a rule above which
explicitly allows traffic that is blocked by this rule, this traffic
has to go through.

Checkpoint evaluates its rules from top to bottom and the first (not best)
match is taken.

But what kind of rule design is this, where ports/traffic are explicitly
denied, if it is not an alert rule? Normally all traffic has to be forbidden
and I have to *allow* traffic by rules.

- Ralf
firewall-wizards mailing list
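To make the two points in this exchange concrete (the servers-plus-network destination being redundant, and an earlier explicit accept overriding a later drop under first-match evaluation), here is a small top-down rule evaluator added as an illustration. It is not code from the thread or from Check Point or Cisco; the addresses, port numbers and rule names are constructed assumptions, and the ruleset is a made-up approximation of the one Nick describes.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed object groups (assumptions for illustration, not values from the thread).
DMZ_NET = ipaddress.ip_network("192.0.2.0/24")
DMZ_SERVERS = [ipaddress.ip_network("192.0.2.10/32"),
               ipaddress.ip_network("192.0.2.20/32")]
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]
ADMIN_HOST = [ipaddress.ip_network("10.9.9.9/32")]   # hypothetical admin workstation


@dataclass
class Rule:
    name: str
    src: list            # list of ip_network objects (an "object group")
    dst: list
    ports: Optional[set]  # None means any destination port
    action: str          # "accept" or "drop"


def _in_group(addr, group):
    """True if addr falls inside any network of the object group."""
    return any(addr in net for net in group)


def evaluate(rules, src, dst, port):
    """Top-down, first-match evaluation with an implicit cleanup deny at the end.

    Returns (action, rule_name) for the first matching rule, so a reader can see
    which rule actually decided the flow.
    """
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in rules:
        if (_in_group(s, rule.src) and _in_group(d, rule.dst)
                and (rule.ports is None or port in rule.ports)):
            return rule.action, rule.name
    return "deny", "cleanup"


def build_rules(list_servers_too):
    """Build the constructed ruleset, with the deny rule's destination either
    'DMZ servers + DMZ network' (as in Nick's description) or just 'DMZ network'."""
    deny_dst = (DMZ_SERVERS + [DMZ_NET]) if list_servers_too else [DMZ_NET]
    return [
        # Explicit accept placed ABOVE the deny: first match wins, so it survives.
        Rule("admin-ssh", ADMIN_HOST, DMZ_SERVERS[:1], {22}, "accept"),
        # The deny rule from the question: management ports from internal to DMZ.
        Rule("block-mgmt-from-internal", INTERNAL_NETS, deny_dst, {22, 23}, "drop"),
        # Everything else from internal to the DMZ is allowed.
        Rule("internal-to-dmz", INTERNAL_NETS, [DMZ_NET], None, "accept"),
    ]


# Constructed sample flows: (src, dst, dst_port).
SAMPLE_FLOWS = [
    ("10.1.1.1", "192.0.2.10", 22),    # internal host -> DMZ server, ssh
    ("10.9.9.9", "192.0.2.10", 22),    # admin host -> DMZ server, ssh
    ("10.1.1.1", "192.0.2.77", 23),    # internal host -> DMZ address that is not a listed server
    ("10.1.1.1", "192.0.2.10", 80),    # internal host -> DMZ server, http
    ("10.1.1.1", "198.51.100.5", 80),  # internal host -> outside the DMZ entirely
]


def rulesets_equivalent(flows=SAMPLE_FLOWS):
    """True if listing the servers in addition to the DMZ network changes no verdict,
    which is what 'the information is redundant' means in practice."""
    with_servers, net_only = build_rules(True), build_rules(False)
    return all(evaluate(with_servers, *f) == evaluate(net_only, *f) for f in flows)


if __name__ == "__main__":
    rules = build_rules(True)
    for flow in SAMPLE_FLOWS:
        print(flow, "->", evaluate(rules, *flow))
    print("servers+network vs network only give identical verdicts:", rulesets_equivalent())
```

The flow from the admin host reaches the first rule and is accepted even though the deny rule below would have matched it, which is the case Ralf warns about when removing or reordering rules during a conversion. Because every listed server address lies inside the DMZ network, `rulesets_equivalent()` stays true for any flow, and dropping the server objects from the destination group changes nothing.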
