RE: [FW1] ANY-ANY-ANY-ACCEPT? I think not...
Just a clarification, running invalid (private 10., 172., etc.) does not
necessitate NAT. You should still be able to drop in a FW with the ANY ANY
ANY ACCEPT, and it should still route everything just fine - if you set up
the routes. But yes, if NAT is in use, you are absolutely correct. (just
didn't want the self-proclaimed novice to get the wrong message)
> -----Original Message-----
> From: Chris Brenton [SMTP:email@example.com]
> Sent: Thursday, April 15, 1999 7:32 AM
> To: Steve Thompson
> Cc: firstname.lastname@example.org
> Subject: Re: [FW1] ANY-ANY-ANY-ACCEPT? I think not...
> Steve Thompson wrote:
> > I have finally got my Firewall-1 machine working and have set up NAT. So
> > far, the only policy I have installed is ANY-ANY-ANY-ACCEPT. But it
> > - some services on my network are now no longer working. For example,
> > of my Macintosh computers can set their internal clock using the NTS at
> > Apple.
> Are you using hide NAT for your DNS server? If so you need to use
> > Also, users on my internal network cannot see the ICQ network.
> Are your workstations using hide NAT? If so, ICQ expects all clients to
> have their own legal IP address.
> > However, everyone can browse the web. So, it seems to me - a novice -
> > ANY ANY ANY ACCEPT should be ANY ANY ANY DO_I_FEEL_LIKE_ROUTING_THIS?
> Hummm, well if you can reach sites via HTTP, this obviously can not be a
> routing problem.
> If all your internal systems are using legal addresses and you simply
> drop in the firewall in place of a router, the ANY ANY ANY Accept will
> pass everything. If you are running private internal addresses, which
> services will work with NAT depends on their implementation.
> * Multiprotocol Network Design & Troubleshooting
> * Mastering Network Security
> To unsubscribe from this mailing list, please see the instructions at