Re: [fw-wiz] Questions about converting FW-1 ruleset to PIX - sort of...

On 1/24/06, Ralf.Zessin@xxxxxxxxxx <Ralf.Zessin@xxxxxxxxxx> wrote:
> Hi Nick,
>
> > One of the checkpoint rules denies traffic from all internal networks
> > for a group of specific ports destined to a group that contains all of
> > the DMZ servers and also to the DMZ network itself - a DMZ object
> > group.
> >
> > My question is: What is the purpose of having the servers "and"
> > the DMZ network listed in the destination? Is this necessary?
> >
>
> No, the information is redundant. But if there is a rule above which
> explicitly allows traffic that is blocked by this rule, this traffic
> has to go through.
>
> Checkpoint evaluates its rules from top to bottom, and the first (not the
> best) match is taken.
>
> But what kind of rule design is this, where ports/traffic are explicitly
> denied, if it is not an alert rule? Normally all traffic has to be
> forbidden and I have to *allow* traffic by rules.
>
> - Ralf
>

Thanks for the feedback Ralf - I'm glad to hear that I was
understanding the checkpoint rules correctly.

For the sake of trying to explain this checkpoint rule I
over-simplified it somewhat. It actually states "permit traffic
sourced from all internal networks to pass outbound (using the list of
ports) to anywhere EXCEPT the DMZ".

I guess this is a nice feature of the checkpoint to have a single rule
with this level of complexity; but I'd rather (we are creatures of
habit, after all :-) break it up into separate permit and deny rules.

Thanks again,
Nick
--
_______________________________________________
firewall-wizards mailing list
firewall-wizards@xxxxxxxxxxxxxxxxxx
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
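As an added illustration of the split Nick describes (this is not configuration from the original thread or from either poster), the Check Point rule "accept from internal networks to anything EXCEPT the DMZ on a list of ports" expressed as ordered PIX entries. PIX has no negated destination, so the rule becomes an explicit deny followed by a broad permit, and because PIX evaluates an access-list top-down with first match winning and an implicit deny at the end, the deny line must come before the permit or it is never reached. All object-group names, addresses and ports below are assumed for the example; the syntax is PIX 6.x (object-groups need 6.2 or later).

```text
! Added example, not from the original post. Assumed addressing:
!   internal networks 10.1.0.0/16 and 10.2.0.0/16
!   DMZ subnet       192.168.100.0/24, with servers .10 and .11
!   outbound ports   80, 443, 25
object-group network INTERNAL_NETS
  network-object 10.1.0.0 255.255.0.0
  network-object 10.2.0.0 255.255.0.0
object-group network DMZ_NETS
  network-object 192.168.100.0 255.255.255.0
object-group network DMZ_SERVERS
  network-object host 192.168.100.10
  network-object host 192.168.100.11
! The server group is redundant once the whole DMZ subnet is listed, as
! Ralf noted; it is kept only to mirror the Check Point destination group.
object-group network DMZ_ALL
  group-object DMZ_NETS
  group-object DMZ_SERVERS
object-group service OUTBOUND_PORTS tcp
  port-object eq www
  port-object eq https
  port-object eq smtp
! Check Point: src INTERNAL_NETS  dst !DMZ_ALL  svc OUTBOUND_PORTS  accept
! PIX: deny the DMZ destinations first, then permit everything else.
! Swapping these two lines would silently allow internal -> DMZ traffic.
access-list inside_out deny tcp object-group INTERNAL_NETS object-group DMZ_ALL object-group OUTBOUND_PORTS
access-list inside_out permit tcp object-group INTERNAL_NETS any object-group OUTBOUND_PORTS
! Anything not matched above (other ports, other sources) hits the implicit deny.
access-group inside_out in interface inside
```

After applying it, `show access-list inside_out` expands the object-groups into the individual ACEs and shows a hit count per line, which is the quickest way to confirm that test traffic from an internal host to a DMZ server is landing on the deny entry rather than the permit.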