Re: [FW1] any
Here's the lowdown:

    any ~~> DMZ1 ~~> any ~~> accept

The purpose of this rule is to allow any traffic to another firewall hosted by another part of our internal organization (DMZ1). They are on a completely different network that is managed by this interface on my fw. Previous to our 4.1 SP3 (Solaris) upgrade, we had to have two rules: one to allow anything to their firewall, and one to allow IPsec to their firewall, because the "all" in 4.0 was not "all" encompassing. So, with a little more detail, my question is: can I use one rule that will allow "all", including IPsec, to pass through the firewall to DMZ1?

Casey DeBerry
Security Engineer, Navidec Inc.
[email protected]

Juan Concepcion wrote:
> Jarrett,
>
> In the case of, say, a client sitting behind a firewall talking to
> another client sitting on the other side of that firewall, the IPSEC (IKE,
> ESP, AH) are not covered by the ANY but have to be explicitly defined in
> the rule to be allowed. Also, if you are configuring this type of
> communication you have to configure it bi-directionally; in other words, you
> need two rules. One allows the client to talk to the resource and the
> other allows the resource to talk back to the client.
> --
> Juan Concepcion
> Network Security Consultant
> CCSA/CCSE Certified
> [email protected]
>
> On 2001.06.03 14:04 "Goetz, Jarrett" wrote:
> > I am not positive what you are asking, but if I am understanding you
> > clearly, as long as your encryption rule is configured properly in terms
> > of the action (i.e. client encrypt, encrypt, etc.) then yes, from what I
> > understand those services would be "included", so to speak, if you put ANY
> > in the service column.
> >
> > Always keep in mind, ANY in your rulebase is not a good thing :), from a
> > security perspective you're best off to strive to keep the amount of ANYs
> > in your rulebase to a minimum.
> >
> > Jarrett
> >
> > -----Original Message-----
> > From: Casey DeBerry [mailto:[email protected]]
> > Sent: Friday, June 01, 2001 13:15
> > To: firewall-1 mailing list
> > Subject: [FW1] any
> >
> > Is IPsec encryption and all other modules (AH, ESP, IKE etc.) contained
> > in "ANY" service?
> >
> > Thanks,
> > Casey DeBerry
> > [email protected]
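The thread turns on two points: whether a service of "Any" matches the IPsec protocols (IKE, ESP, AH), and, if it does not, that explicit IPsec rules are needed in both directions. The toy rulebase below is an added example written for this page; it is not Check Point code and does not reproduce FireWall-1's real matching logic. It models the 4.0 behaviour the thread describes (an "Any" service that does not cover IKE = UDP/500, ESP = IP protocol 50, AH = IP protocol 51) behind an `any_includes_ipsec` switch, since whether a later version changed this is exactly the open question in the thread. The rule and service names, the `Packet`/`Rule` classes, and the sample traffic are all constructed assumptions for the example.

```python
"""Toy first-match rulebase model (added example, not FireWall-1 code).

The any_includes_ipsec switch models the thread's description of 4.0, where
a service of "Any" did not cover the IPsec protocols; the value for any later
version is an assumption the caller supplies, not a fact this example asserts.
"""
from dataclasses import dataclass
from typing import List, Optional

# Service keys used by this model (constructed names, not product service names).
IKE = ("udp", 500)   # ISAKMP / IKE key exchange
ESP = ("ip", 50)     # Encapsulating Security Payload, IP protocol 50
AH = ("ip", 51)      # Authentication Header, IP protocol 51
IPSEC_SERVICES = {IKE, ESP, AH}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str           # "tcp", "udp", or "ip" for other IP protocols
    port_or_proto: int   # L4 port for tcp/udp, IP protocol number for "ip"


@dataclass(frozen=True)
class Rule:
    src: str             # network object name or "any"
    dst: str
    service: object      # "any" or a (proto, number) tuple such as ESP
    action: str          # "accept" or "drop"


def service_matches(rule_service, pkt: Packet, any_includes_ipsec: bool) -> bool:
    key = (pkt.proto, pkt.port_or_proto)
    if rule_service == "any":
        # 4.0-era behaviour from the thread: "any" silently excludes IPsec.
        if key in IPSEC_SERVICES and not any_includes_ipsec:
            return False
        return True
    return rule_service == key


def endpoint_matches(rule_ep: str, pkt_ep: str) -> bool:
    return rule_ep == "any" or rule_ep == pkt_ep


def first_match(rules: List[Rule], pkt: Packet, any_includes_ipsec: bool) -> Optional[Rule]:
    """First rule matching the packet, or None (left to the implicit cleanup rule)."""
    for r in rules:
        if (endpoint_matches(r.src, pkt.src) and endpoint_matches(r.dst, pkt.dst)
                and service_matches(r.service, pkt, any_includes_ipsec)):
            return r
    return None


def decide(rules: List[Rule], pkt: Packet, any_includes_ipsec: bool) -> str:
    r = first_match(rules, pkt, any_includes_ipsec)
    return r.action if r else "drop"   # implicit drop-all cleanup


def audit_any_services(rules: List[Rule]) -> List[int]:
    """1-based rule numbers of accept rules whose service column is 'any',
    i.e. the rules Jarrett's advice says to keep to a minimum."""
    return [i for i, r in enumerate(rules, 1) if r.service == "any" and r.action == "accept"]


# Casey's single rule: any -> DMZ1 -> any -> accept
single_rule = [Rule("any", "DMZ1", "any", "accept")]

# The explicit alternative: each IPsec service named, in both directions
# (Juan's point), with no 'any' service at all.
explicit_rules = [
    Rule("any", "DMZ1", IKE, "accept"), Rule("DMZ1", "any", IKE, "accept"),
    Rule("any", "DMZ1", ESP, "accept"), Rule("DMZ1", "any", ESP, "accept"),
    Rule("any", "DMZ1", AH, "accept"),  Rule("DMZ1", "any", AH, "accept"),
]

# Constructed sample traffic.
esp_to_dmz1 = Packet("internal", "DMZ1", "ip", 50)
esp_from_dmz1 = Packet("DMZ1", "internal", "ip", 50)
http_to_dmz1 = Packet("internal", "DMZ1", "tcp", 80)

if __name__ == "__main__":
    print("single rule, 4.0-style any, ESP:", decide(single_rule, esp_to_dmz1, False))
    print("single rule, any incl. IPsec, ESP:", decide(single_rule, esp_to_dmz1, True))
    print("explicit rules, ESP to DMZ1:", decide(explicit_rules, esp_to_dmz1, False))
    print("explicit rules, ESP from DMZ1:", decide(explicit_rules, esp_from_dmz1, False))
    print("explicit rules, HTTP to DMZ1:", decide(explicit_rules, http_to_dmz1, False))
    print("rules with service any:", audit_any_services(single_rule))
```

With the switch off, the single "any" rule drops ESP to DMZ1 while the explicit set accepts it in both directions and still drops unrelated traffic such as HTTP; `audit_any_services` is the check to run over a rulebase before trusting a single "any" rule, whichever way the version question is answered.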