RE: [FW1] Rule question
I'm not an expert on this, but we have rules to control outbound connections and others to control inbound. It does add a bit of complexity as far as number of rules, but it is relatively simple to keep track of what rule does what. We put the outbound rules at the top of the list, inbound ones after those, intending to provide quicker rule processing for our internal users. I think that if we tried to combine inbound and outbound rules, if it were possible at all, the rule set would get too convoluted to understand in a pinch, and it's usually in a pinch that I'm looking at it...

-----Original Message-----
From: Tim Parker [mailto:[email protected]]
Sent: Monday, February 26, 2001 10:42 AM
To: 'Steve Dangerfield ([email protected])'; [email protected]
Cc: [email protected]
Subject: RE: [FW1] Rule question

Steve --

I have faced the same problem and am still confused.....if you have the same sources and destinations (meaning they are both on both sides if you will of the rule) why wouldn't or shouldn't it work....Is checkpoint not intelligent enough for this? That would mean that anything you need or want to have traffic going in and out of would need two lines which could make for an exceptionally long rules list.....

tim

-----Original Message-----
From: Steve Dangerfield ([email protected]) [mailto:[email protected]]
Sent: Monday, February 26, 2001 10:11 AM
To: [email protected]
Cc: [email protected]
Subject: Re: [FW1] Rule question

Derek,

It looks to me as though your DNS servers are sat on your internal network. If they are then no connection from the internal DNS servers will pass through the firewall to the Internal DNS servers. Your rule states, An internal DNS wishing to connect to an Internal DNS server for DNS, Accept.

It is good practice to simplify your rule base, for performance, but take care, you can't just eliminate common elements.

Steve.

----- Original Message -----
From: Derek J. Lambert <[email protected]>
To: fw-1-mailinglist (E-mail) <[email protected]>
Sent: Monday, February 26, 2001 12:56 PM
Subject: [FW1] Rule question

> I was trying to consolidate my rulebase this weekend and found that what I
> thought should work didn't. I'm probably missing something really simple
> here, but I can't find it. I pored through the manuals and couldn't find
> any help (surprise surprise), nor could I find anything on phoneboy. Any
> help would be greatly appreciated!
>
> Here's the objects I have defined (fake ip's of course):
>
> Type           Name        Data
> workstation    ns1         192.168.10.1/24
> workstation    ns2         192.168.10.2/24
> service group  DNS         dns-udp, dns-tcp
> host group     ns_servers  ns1, ns2
> network        outside     0.0.0.0/0
>
> Originally I had the following 2 rules defined to let dns traffic to
> specific hosts:
>
> Source      Dest        Service  Action
> ------      ----        -------  ------
> ns_servers  outside     DNS      Allow
> ------------------------------------------------
> outside     ns_servers  DNS      Allow
>
> I tried to merge this into one rule as:
>
> Source      Dest        Service  Action
> ------      ----        -------  ------
> ns_servers  ns_servers  DNS      Allow
> outside     outside
>
> This caused all dns traffic to be dropped (per the last rule).
>
> Derek J. Lambert, MCSE, A+
> Network Administrator
> Columbia ParCar Corp.
>
> ================================================================================
> To unsubscribe from this mailing list, please see the instructions at
> http://www.checkpoint.com/services/mailing.html
> ================================================================================
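The following is an added example, not code from any message in this thread or from Check Point. It models Derek's objects and both rule sets under plain first-match evaluation with an implicit cleanup drop, then evaluates a handful of constructed flows against each. The point it illustrates is Steve's caveat that common elements cannot simply be factored out: putting a set in the Source cell and a set in the Destination cell matches the cross product of the two sets, not the two original (source, destination) pairs. It assumes workstation objects are single hosts (/32) and uses documentation-range addresses for external hosts; it is a matcher only and does not reproduce the drop Derek observed, whose cause the thread does not settle.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Objects from Derek's post, as a constructed model. Workstation objects are
# treated as single hosts (/32), an assumption; "outside" is 0.0.0.0/0 exactly
# as defined in the post.
OBJECTS = {
    "ns1": [ipaddress.ip_network("192.168.10.1/32")],
    "ns2": [ipaddress.ip_network("192.168.10.2/32")],
    "outside": [ipaddress.ip_network("0.0.0.0/0")],
}
GROUPS: Dict[str, List[str]] = {"ns_servers": ["ns1", "ns2"]}

SERVICES: Dict[str, List[Tuple[str, int]]] = {
    "dns-udp": [("udp", 53)],
    "dns-tcp": [("tcp", 53)],
}
SERVICE_GROUPS: Dict[str, List[str]] = {"DNS": ["dns-udp", "dns-tcp"]}


def expand_hosts(name: str):
    """Resolve an object or group name to the list of networks it covers."""
    if name in GROUPS:
        return [net for member in GROUPS[name] for net in expand_hosts(member)]
    return OBJECTS[name]


def expand_services(name: str) -> List[Tuple[str, int]]:
    """Resolve a service or service-group name to (protocol, port) pairs."""
    if name in SERVICE_GROUPS:
        return [svc for member in SERVICE_GROUPS[name] for svc in expand_services(member)]
    return SERVICES[name]


@dataclass(frozen=True)
class Rule:
    sources: Tuple[str, ...]   # every name listed in the Source cell
    dests: Tuple[str, ...]     # every name listed in the Dest cell
    services: Tuple[str, ...]
    action: str


def _in_any(names: Tuple[str, ...], ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for n in names for net in expand_hosts(n))


def evaluate(rulebase: List[Rule], src: str, dst: str, proto: str, port: int) -> str:
    """First matching rule wins; the implicit cleanup rule drops everything else."""
    for rule in rulebase:
        if (_in_any(rule.sources, src) and _in_any(rule.dests, dst)
                and any((proto, port) in expand_services(s) for s in rule.services)):
            return rule.action
    return "Drop"


# Derek's original pair of rules and his merged single rule.
ORIGINAL_RULEBASE = [
    Rule(("ns_servers",), ("outside",), ("DNS",), "Accept"),
    Rule(("outside",), ("ns_servers",), ("DNS",), "Accept"),
]
MERGED_RULEBASE = [
    Rule(("ns_servers", "outside"), ("ns_servers", "outside"), ("DNS",), "Accept"),
]

# Constructed flows: (src, dst, proto, port); external hosts use documentation ranges.
FLOWS = {
    "ns1 -> external resolver": ("192.168.10.1", "203.0.113.53", "udp", 53),
    "external client -> ns2": ("198.51.100.7", "192.168.10.2", "tcp", 53),
    "ns1 -> ns2": ("192.168.10.1", "192.168.10.2", "udp", 53),
    "external -> external (transit)": ("198.51.100.7", "203.0.113.53", "udp", 53),
    "ns1 -> external, not DNS": ("192.168.10.1", "203.0.113.53", "tcp", 80),
}


def compare(flows=FLOWS) -> Dict[str, Tuple[str, str]]:
    """Verdict of each rulebase per flow: {name: (original, merged)}."""
    return {name: (evaluate(ORIGINAL_RULEBASE, *f), evaluate(MERGED_RULEBASE, *f))
            for name, f in flows.items()}


def widened_by_merge(flows=FLOWS) -> List[str]:
    """Flows the merged rule accepts that the original pair dropped."""
    return sorted(n for n, (o, m) in compare(flows).items() if o == "Drop" and m == "Accept")


if __name__ == "__main__":
    for name, (orig, merged) in compare().items():
        print(f"{name:32} original={orig:6} merged={merged}")
    print("widened by merge:", widened_by_merge())
```

Because "outside" is 0.0.0.0/0, the union of ns_servers and outside is every address, so the merged rule collapses to Any / Any / DNS / Accept: the model shows it would also forward DNS between two external hosts, which neither original rule allowed. The two-rule form Derek started with, and the separate inbound and outbound rules the reply above describes, are the safer shape precisely because they keep each source tied to its intended destination.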