Re: [FW1] Meaning of Negate on a drop rule?
Hi,

Your rule doesn't match for packets originating from 10.10.10.1 - and so http will not be dropped - but also not accepted by this rule. The matching is decided by FW-1 in the first three columns, Source, Dest, and Service. So if this rule doesn't match, you will need another rule matching for 10.10.10.1 and accepting http.

If you don't want to have http accepted to 192.168.10.1 - why forbid it in an explicit rule? Http to this machine will be dropped by the Clean-Up Rule at the end of the rulebase.

So I would write:

  ... no rule matching for 192.168.10.1/http
  10.10.10.1    192.168.10.1    http    accept
  ...
  ... no rule matching for 192.168.10.1/http
  any           any             any     drop    long

Hope it helps, best regards
Matthias

Clarrisa Wright wrote:
> Hello,
>
> I am hoping someone could help me understand the logic of a negate
> in a DROP rule.
>
> I have a similar rule which is as follows (IPs have been replaced):
>
> Source        Dest.           Service.   Action.
> 10.10.10.1    192.168.10.1    http       Drop.
> negated(X)
>
> From my understanding, this means all addresses EXCEPT 10.10.10.1
> will be dropped. This part I understand.
>
> However, does this mean that 10.10.10.1 will be ACCEPTED for http?
> i.e. - in a negate rule, are there two parts to the logic? The first
> part says all addresses except the negated one will be dropped, and
> the next part says the negated one will be accepted?
>
> OR, will I need to put in another rule to allow 10.10.10.1 to go to
> 192.168.10.1 for http?
>
> I am doing a negate to save having to put two rules in. What my
> objective is: drop all traffic for http to 192.168.10.1
> (inside my LAN) from the Internet, EXCEPT I still want 10.10.10.1
> (an internet address) to be allowed.
>
> If anyone understands exactly how negate works in a drop rule, I
> would truly appreciate an explanation. (I don't have any test
> machines to try this out.)
>
> Thanks!
> :)
> -Clarrisa

-- 
Dr. Matthias Leu
AERAsec Network Services and Security GmbH
http://www.aerasec.de
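The point of the reply above is first-match evaluation: a negated drop rule simply does not match packets from the excluded source, so those packets fall through to whatever comes next, and with no explicit accept that is the Clean-Up Rule. The script below is an added illustration written for this page, not FW-1 code or anything from the thread; it models a rulebase as a top-down, first-match list where a negated column matches everything except the listed value, and an implicit any/any/any drop sits at the bottom. The rule names, the 203.0.113.5 "other Internet host" address, and the evaluator itself are assumptions made for the demonstration.

```python
"""First-match rulebase evaluator with per-column negation.

Added illustration for the thread above, not Check Point FW-1 code.
Assumptions (not from the original mail): rules are tried top-down, the
first rule whose Source, Destination and Service all match decides the
action, a negated column matches everything EXCEPT the listed value, and
an implicit clean-up rule (any / any / any / drop) ends the rulebase.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    name: str
    src: str            # "any", a host address, or a CIDR network
    dst: str
    service: str        # "any" or a service name such as "http"
    action: str         # "accept" or "drop"
    negate_src: bool = False
    negate_dst: bool = False
    negate_service: bool = False


def _addr_matches(spec: str, addr: str) -> bool:
    """Does the address fall inside the column's object ("any" matches all)?"""
    if spec == "any":
        return True
    return ip_address(addr) in ip_network(spec, strict=False)


def _svc_matches(spec: str, svc: str) -> bool:
    return spec == "any" or spec == svc


def rule_matches(rule: Rule, src: str, dst: str, service: str) -> bool:
    """A rule matches only when all three columns match.

    Negation is applied per column: a negated source of 10.10.10.1 matches
    every source EXCEPT 10.10.10.1, so a packet from 10.10.10.1 makes this
    column fail and the rule as a whole does not match.
    """
    columns = [
        (_addr_matches(rule.src, src), rule.negate_src),
        (_addr_matches(rule.dst, dst), rule.negate_dst),
        (_svc_matches(rule.service, service), rule.negate_service),
    ]
    return all(matched != negated for matched, negated in columns)


def evaluate(rulebase, src: str, dst: str, service: str):
    """Return (rule_name, action) of the first matching rule.

    Nothing matched means the implicit clean-up rule fires: drop.
    """
    for rule in rulebase:
        if rule_matches(rule, src, dst, service):
            return rule.name, rule.action
    return "clean-up (implicit)", "drop"


# The single negated drop rule from the quoted question.
NEGATED_ONLY = [
    Rule("1 negated drop", "10.10.10.1", "192.168.10.1", "http", "drop",
         negate_src=True),
]

# The rulebase suggested in the reply: an explicit accept, then clean-up.
ACCEPT_THEN_CLEANUP = [
    Rule("1 accept 10.10.10.1", "10.10.10.1", "192.168.10.1", "http", "accept"),
    Rule("2 clean-up", "any", "any", "any", "drop"),
]

# 203.0.113.5 stands in for "some other Internet host" (constructed sample).
OTHER_HOST = "203.0.113.5"


def demo() -> dict:
    """Evaluate the two rulebases for the allowed host and for another host."""
    return {
        "negated only, 10.10.10.1": evaluate(NEGATED_ONLY, "10.10.10.1", "192.168.10.1", "http"),
        "negated only, other host": evaluate(NEGATED_ONLY, OTHER_HOST, "192.168.10.1", "http"),
        "accept+clean-up, 10.10.10.1": evaluate(ACCEPT_THEN_CLEANUP, "10.10.10.1", "192.168.10.1", "http"),
        "accept+clean-up, other host": evaluate(ACCEPT_THEN_CLEANUP, OTHER_HOST, "192.168.10.1", "http"),
    }


if __name__ == "__main__":
    for case, (rule_name, action) in demo().items():
        print(f"{case:30} -> {action:6} (rule: {rule_name})")
```

Running it shows the behaviour the reply describes: with only the negated drop rule, http from 10.10.10.1 is not matched by rule 1 and is dropped by the implicit clean-up, so the negation alone never accepts anything; with the explicit accept followed by clean-up, 10.10.10.1 is accepted and every other source is dropped, which is the stated objective without any negation at all.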