
Re: [FW1] Meaning of Negate on a drop rule?



Hi,
Your rule doesn't match for packets originating from 10.10.10.1 - and so http will
not be dropped - but also not accepted by this rule.
The matching is decided by FW-1 in the first three columns, Source, Dest, and
Service.
So if this rule doesn't match, you will need another rule matching for 10.10.10.1
and accepting http.
If you don't want to have http accepted to 192.168.10.1 - why forbid it in an
explicit rule? Http to this machine will be dropped by the Clean-Up Rule at the end
of the rulebase. So I would write

... no rule matching for 192.168.10.1/http
10.10.10.1   192.168.10.1   http     accept ...
... no rule matching for 192.168.10.1/http
any   any   any    drop   long

Hope it helps,
best regards
Matthias


Clarrisa Wright wrote:

> Hello,
>
> I am hoping someone could help me understand the logic of a negate
> in a DROP rule.
>
> I have a similar rule which is as follows (IPs have been replaced):
>
> Source            Dest.           Service.        Action.
> 10.10.10.1        192.168.10.1    http            Drop.
> negated(X)
>
> From my understanding, this means all addresses EXCEPT 10.10.10.1
> will be dropped. This part I understand.
>
> However, does this mean that 10.10.10.1 will be ACCEPTED for http?
> i.e. - in a negate rule, are there two parts to the logic? The first
> part says all addresses except the negated one will be dropped, and
> the next part says the negated will be accepted?
>
> OR, will I need to put in another rule to allow 10.10.10.1 to go to
> 192.168.10.1 for http?
>
> I am doing a negate to save having to put two rules in. My
> objective is to drop all traffic for http to 192.168.10.1
> (inside my LAN) from the Internet, EXCEPT I still want 10.10.10.1
> (an internet address) to be allowed.
>
> If anyone understands exactly how negate works in a drop rule, I
> would truly appreciate an explanation.  (i don't have any test
> machines to try this out)
>
> Thanks!
> :)
> -Clarrisa
>
Dr. Matthias Leu, AERAsec Network Services and Security GmbH (http://www.aerasec.de)
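To make the first-match behaviour Matthias describes concrete, here is an added Python simulation of a small rulebase with a negated Source column (example code written for this page, not from the thread or from Check Point). It shows that the negated drop rule never matches 10.10.10.1, so that host falls through to the next rule (the Clean-Up drop) unless an explicit accept precedes it. The address 203.0.113.5 is a constructed example for "any other Internet host".

```python
from dataclasses import dataclass

@dataclass
class Rule:
    src: str             # IP address or "any"
    dst: str             # IP address or "any"
    service: str         # service name or "any"
    action: str          # "accept" or "drop"
    negate_src: bool = False   # Source column negated, as in Clarrisa's rule

def _field_matches(pattern, value):
    return pattern == "any" or pattern == value

def rule_matches(rule, src, dst, service):
    """A rule matches only if Source, Dest and Service all match.
    Negation inverts the Source test; it does not add an accept branch."""
    src_ok = _field_matches(rule.src, src)
    if rule.negate_src:
        src_ok = not src_ok
    return src_ok and _field_matches(rule.dst, dst) and _field_matches(rule.service, service)

def evaluate(rulebase, src, dst, service):
    """First matching rule decides. Returns (action, rule number);
    with no match at all the implicit default is to drop."""
    for number, rule in enumerate(rulebase, start=1):
        if rule_matches(rule, src, dst, service):
            return rule.action, number
    return "drop (implicit)", None

# Clarrisa's rule: negated 10.10.10.1 -> 192.168.10.1 http drop, then the Clean-Up Rule
NEGATE_THEN_CLEANUP = [
    Rule("10.10.10.1", "192.168.10.1", "http", "drop", negate_src=True),
    Rule("any", "any", "any", "drop"),
]

# Matthias's suggestion: explicit accept for the one host, Clean-Up Rule drops the rest
ACCEPT_THEN_CLEANUP = [
    Rule("10.10.10.1", "192.168.10.1", "http", "accept"),
    Rule("any", "any", "any", "drop"),
]

def trace(rulebase, src, dst, service):
    """Return a one-line description of which rule handled the packet."""
    action, number = evaluate(rulebase, src, dst, service)
    where = f"rule {number}" if number else "no rule"
    return f"{src} -> {dst} {service}: {action} ({where})"

if __name__ == "__main__":
    for rb in (NEGATE_THEN_CLEANUP, ACCEPT_THEN_CLEANUP):
        print(trace(rb, "10.10.10.1", "192.168.10.1", "http"))
        print(trace(rb, "203.0.113.5", "192.168.10.1", "http"))  # constructed "other" host
```

Run it and the negated rulebase drops 10.10.10.1 at rule 2, the Clean-Up Rule, while only the second rulebase accepts it.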

