
RE: [FW1] ANY-ANY-ANY-ACCEPT? I think not...




Just a clarification, running invalid (private 10., 172., etc.) does not
necessitate NAT.  You should still be able to drop in a FW with the ANY ANY
ANY ACCEPT, and it should still route everything just fine - if you set up
the routes.  But yes, if NAT is in use, you are absolutely correct. (just
didn't want the self-proclaimed novice to get the wrong message)

> -----Original Message-----
> From:	Chris Brenton [SMTP:cbrenton@sover.net]
> Sent:	Thursday, April 15, 1999 7:32 AM
> To:	Steve Thompson
> Cc:	fw-1-mailinglist@lists.us.checkpoint.com
> Subject:	Re: [FW1] ANY-ANY-ANY-ACCEPT? I think not...
> 
> 
> Steve Thompson wrote:
> > 
> > I have finally got my Firewall-1 machine working and have set up NAT. So
> > far, the only policy I have installed is ANY-ANY-ANY-ACCEPT. But it doesn't
> > - some services on my network are now no longer working. For example, none
> > of my Macintosh computers can set their internal clock using the NTS at
> > Apple.
> 
> Are you using hide NAT for your DNS server? If so you need to use
> static.
> 
> > Also, users on my internal network cannot see the ICQ network.
> 
> Are your workstations using hide NAT? If so, ICQ expects all clients to
> have their own legal IP address.
> 
> > However, everyone can browse the web. So, it seems to me - a novice - that
> > ANY ANY ANY ACCEPT should be ANY ANY ANY DO_I_FEEL_LIKE_ROUTING_THIS? :-)
> 
> Hummm, well, if you can reach sites via HTTP, this obviously can not be a
> routing problem.
> 
> If all your internal systems are using legal addresses and you simply
> drop in the firewall in place of a router, the ANY ANY ANY Accept will
> pass everything. If you are running private internal addresses, which
> services will work with NAT depends on their implementation.
> 
> Cheers,
> Chris
> -- 
> **************************************
> cbrenton@sover.net
> 
> * Multiprotocol Network Design & Troubleshooting
> http://www.amazon.com/exec/obidos/ASIN/0782120822/geekspeaknet
> * Mastering Network Security
> http://www.amazon.com/exec/obidos/ASIN/0782123430/geekspeaknet
> 
> 
> ================================================================================
>      To unsubscribe from this mailing list, please see the instructions at
>                http://www.checkpoint.com/services/mailing.html
> ================================================================================


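The hide-versus-static NAT distinction discussed in this thread, as an added example that is not part of the original messages or of any Check Point code: a simplified translation table showing why an accept-all rule base still cannot deliver unsolicited inbound traffic to a host behind hide NAT. All addresses and ports are constructed, and the "outside peer connects to the client" case is an assumed illustration of the kind of service implementation the reply refers to.

```python
from dataclasses import dataclass, field

HIDE_ADDR = "192.0.2.1"  # constructed public address shared by all hidden hosts


@dataclass
class Gateway:
    """Toy NAT gateway. The rule base is ANY ANY ANY ACCEPT, so no policy
    check appears anywhere: only address translation decides delivery.
    Simplification: hide entries are keyed on protocol and port only."""
    static: dict = field(default_factory=dict)      # private IP -> own public IP
    hide_table: dict = field(default_factory=dict)  # (proto, pub port) -> (priv IP, port)
    next_port: int = 10000

    def outbound(self, proto, src_ip, src_port):
        """Translate an internally initiated packet; return (ip, port) seen outside."""
        if src_ip in self.static:
            return self.static[src_ip], src_port    # one-to-one, port preserved
        port, self.next_port = self.next_port, self.next_port + 1
        self.hide_table[(proto, port)] = (src_ip, src_port)  # state created here only
        return HIDE_ADDR, port

    def inbound(self, proto, dst_ip, dst_port):
        """Return the internal (ip, port) to deliver to, or None if untranslatable."""
        for private_ip, public_ip in self.static.items():
            if public_ip == dst_ip:
                return private_ip, dst_port         # static: reachable unsolicited
        if dst_ip == HIDE_ADDR:
            return self.hide_table.get((proto, dst_port))  # hide: needs prior state
        return None


def demo():
    # Constructed topology: one server with static NAT, workstations hidden.
    gw = Gateway(static={"10.0.0.53": "192.0.2.53"})
    results = {}
    # Web browsing from a hidden workstation: the reply matches outbound state.
    public_side = gw.outbound("tcp", "10.0.0.20", 1045)
    results["web_reply"] = gw.inbound("tcp", *public_side)
    # An outside peer opens a connection to the hidden client: no state, dropped.
    results["peer_to_hidden"] = gw.inbound("tcp", HIDE_ADDR, 4000)
    # Unsolicited packet to the statically translated server: delivered.
    results["to_static_server"] = gw.inbound("udp", "192.0.2.53", 53)
    return results


if __name__ == "__main__":
    for case, delivered_to in demo().items():
        print(f"{case:18} -> {delivered_to}")
```

A `None` result is the observable symptom on a live gateway: the packet is accepted by policy but has no translation entry to follow.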