RE: [fw-wiz] Questions about converting FW-1 ruleset to PIX - sor t of...



Hi Nick,

> One of the checkpoint rules denies traffic from all internal networks
> for a group of specific ports destined to a group that contains all of
> the DMZ servers and also to the DMZ network itself - a DMZ object
> group.
>
> My questions is: What is the purpose of having the the servers "and"
> the dmz network listed in the destination? Is this necessary?
>

No, the information is redundant. But if there is above a rule which
explizit allows traffic which is blocked by this rule, this traffic
has to go through.

Checkpoint evaluates its rule form top to down and first ( not best )
match is taken.

But what is this for a rule-design where Ports/traffic are explicit denied
if it
was not an alert-rule ? Normaly all traffic has to be forbidden and
I have to *allow* traffic by rules.

- Ralf
_______________________________________________
firewall-wizards mailing list
firewall-wizards@xxxxxxxxxxxxxxxxxx
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards