RE: [FW1] Meaning of Negate on a drop rule?
Well said, Leu. In fact the saying goes: "That which is not explicitly defined (accepted / rejected) is implicitly denied."

Rgds...
Shivanath.S

S.Shivanath
Engineer - Networking
CCNA / CCSA
WAN/SECURITY GROUP
Network and System Integration Group
Satyam Computer Services Ltd
www.satyam.com
Chennai.
e-mail: [email protected]
Tel: 91 44 4353221 extn: 3138/3144

> ----------
> From: Matthias Leu [SMTP:[email protected]]
> Sent: Sunday, September 02, 2001 11:31 AM
> To: Clarrisa Wright
> Cc: [email protected]
> Subject: Re: [FW1] Meaning of Negate on a drop rule?
>
> Hi,
>
> Your rule doesn't match for packets originating from 10.10.10.1 - and so
> http will not be dropped - but also not accepted by this rule.
> The matching is decided by FW-1 in the first three columns: Source, Dest
> and Service.
> So if this rule doesn't match, you will need another rule matching for
> 10.10.10.1 and accepting http.
> If you don't want to have http accepted to 192.168.10.1 - why forbid it
> in an explicit rule? Http to this machine will be dropped by the Clean-Up
> Rule at the end of the rulebase. So I would write
>
> ... no rule matching for 192.168.10.1/http
> 10.10.10.1    192.168.10.1    http    accept ...
> ... no rule matching for 192.168.10.1/http
> any           any             any     drop    long
>
> Hope it helps,
> best regards
> Matthias
>
>
> Clarrisa Wright wrote:
>
> > Hello,
> >
> > I am hoping someone could help me understand the logic of a negate
> > in a DROP rule.
> >
> > I have a similar rule which is as follows (IPs have been replaced):
> >
> > Source        Dest.           Service.   Action.
> > 10.10.10.1    192.168.10.1    http       Drop.
> > negated(X)
> >
> > From my understanding, this means all addresses EXCEPT 10.10.10.1
> > will be dropped. This part I understand.
> >
> > However, does this mean that 10.10.10.1 will be ACCEPTED for http?
> > i.e. - in a negate rule, are there two parts to the logic? The first
> > part says all addresses except the negated one will be dropped, and
> > the next part says the negated will be accepted?
> >
> > OR, will I need to put in another rule to allow 10.10.10.1 to go to
> > 192.168.10.1 for http?
> >
> > I am doing a negate to save having to put two rules in. What my
> > objective is: drop all traffic for http to the 192.168.10.1
> > (inside my LAN) from the Internet, EXCEPT I still want 10.10.10.1
> > (an internet address) to be allowed.
> >
> > If anyone understands exactly how negate works in a drop rule, I
> > would truly appreciate an explanation. (I don't have any test
> > machines to try this out)
> >
> > Thanks!
> > :)
> > -Clarrisa
> >
> > ================================================================================
> > To unsubscribe from this mailing list, please see the instructions at
> > http://www.checkpoint.com/services/mailing.html
> > ================================================================================
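As an added illustration that is not part of this thread and is not Check Point code: the Python below models the first-match, three-column matching Matthias describes (a rule applies only when Source, Destination and Service all match; a negated column matches everything except its listed values; a packet that matches no rule falls through), and runs Clarrisa's negated drop rule and Matthias's suggested rulebase against the same traffic. The rule names, the 203.0.113.5 test source and the implicit-drop fallback returned for an empty rulebase are assumptions made for the example; it generalises slightly beyond the thread by allowing the negate flag on any of the three columns.

```python
# Added example (not part of the FW-1 list thread, not Check Point code): a
# minimal first-match rulebase simulator modelling the semantics described
# in the thread. A rule applies only when Source, Destination and Service
# ALL match; a negated column matches everything EXCEPT its listed values;
# a packet that matches no explicit rule falls through to the next rule and,
# if nothing else matches, to an implicit drop (an assumption of this model).
from dataclasses import dataclass

ANY = "any"


@dataclass
class Rule:
    src: frozenset
    dst: frozenset
    svc: frozenset
    action: str                 # "accept" or "drop"
    name: str = ""
    negate_src: bool = False    # the "negate" flag on the Source column
    negate_dst: bool = False
    negate_svc: bool = False


def column_matches(values, value, negate):
    """One column: 'any' matches every value; negation inverts the test."""
    hit = ANY in values or value in values
    return not hit if negate else hit


def rule_matches(rule, src, dst, svc):
    """A rule matches only when all three selector columns match."""
    return (column_matches(rule.src, src, rule.negate_src)
            and column_matches(rule.dst, dst, rule.negate_dst)
            and column_matches(rule.svc, svc, rule.negate_svc))


def evaluate(rulebase, src, dst, svc):
    """First matching rule decides. Returns (action, 1-based rule number);
    a rule number of None means no rule matched and the implicit drop applied."""
    for number, rule in enumerate(rulebase, start=1):
        if rule_matches(rule, src, dst, svc):
            return rule.action, number
    return "drop", None


def rule(src, dst, svc, action, **flags):
    """Small constructor so rulebases read like the FW-1 columns."""
    return Rule(frozenset(src), frozenset(dst), frozenset(svc), action, **flags)


# Clarrisa's rulebase: one negated-source DROP plus the clean-up rule.
# The negation makes rule 1 match every source EXCEPT 10.10.10.1, so
# 10.10.10.1 itself matches nothing and falls through to the clean-up drop.
CLARRISA = [
    rule({"10.10.10.1"}, {"192.168.10.1"}, {"http"}, "drop",
         negate_src=True, name="negated drop"),
    rule({ANY}, {ANY}, {ANY}, "drop", name="clean-up"),
]

# Matthias's rulebase: no drop rule at all, just the explicit accept; the
# clean-up rule already drops http to 192.168.10.1 from everyone else.
MATTHIAS = [
    rule({"10.10.10.1"}, {"192.168.10.1"}, {"http"}, "accept",
         name="explicit accept"),
    rule({ANY}, {ANY}, {ANY}, "drop", name="clean-up"),
]

# Constructed test traffic: the trusted Internet host and some other host
# (203.0.113.5 is a documentation address chosen for the example).
TRUSTED, OTHER, SERVER = "10.10.10.1", "203.0.113.5", "192.168.10.1"

if __name__ == "__main__":
    for label, rb in (("Clarrisa", CLARRISA), ("Matthias", MATTHIAS)):
        for host in (TRUSTED, OTHER):
            print(label, host, "->", SERVER, "http:",
                  evaluate(rb, host, SERVER, "http"))
```

Running it shows the point of the thread: under Clarrisa's rulebase 10.10.10.1 matches neither the negated rule nor anything else before the clean-up rule, so it is dropped by rule 2; under Matthias's rulebase it hits the explicit accept (rule 1) while every other source, and every other service to that server, still falls to the clean-up drop.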