Gentlemen,
I'm having a friendly debate with a firewall team member as regards negating objects. I contend that the rules below
server_group server_x any accept (blank)
any server_x any drop long
(Rule 1 allows a group of servers to access server_but not track.)
(Rule 2 drops all others and logs the hits.)
could be expressed as follows
server_X_group server_x any drop long
(the "X" in server_group is there to indicate it is negated)
By summarizing the two rules, negating the source and changing "accept" to "drop", one rule should work just as well as the first two. The servers that need to get in are implicitly allowed and not tracked; all the rest are dropped and logged.
My co-worker contends that some other rule must be allowing the service in, other than the rule where the source is negated.
Can anyone please cast some light on this matter? The manual is not very clear on this subject.
Thanks,
Frank
!
!
!
================================================================================
To unsubscribe from this mailing list, please see the instructions at
http://www.checkpoint.com/services/mailing.html
================================================================================