Re: [FW1] Negating rules
I think you still need a rule that allows access to server_x. What you have
says drop any source not in the server_group - this won't allow the access you
want unless you have a later rule that says allow connections to server_x.
Neil
At 13:59 04/26/99 -0400, Frank Tirado wrote:
>
>Gentlemen,
> I'm having a friendly debate with a firewall team member as regards negating
>objects. I contend that the rules below
>
>server_group server_x any accept (blank)
>any server_x any drop long
>
>(Rule 1 allows a group of servers to access server_x but not track.)
>(Rule 2 drops all others and logs the hits.)
>
>could be expressed as follows
>
>server_X_group server_x any drop long
>(the "X" in server_group is there to indicate it is negated)
>
>By summarizing the two rules, negating the source and changing "accept" to
>"drop", one rule should work just as well as the first two. The servers that
>need to get in are implicitly allowed and not tracked; all the rest are
>dropped and logged.
>
>My co-worker contends that some other rule must be allowing the service in,
>other than the rule where the source is negated.
>
>Can anyone please cast some light on this matter? The manual is not very
>clear on this subject.
>
>Thanks,
> Frank
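As an added illustration of Neil's point (not part of the original thread): a small first-match simulator for the two rulebases Frank describes. It assumes that traffic matching no rule falls to FireWall-1's implicit final drop, which is not logged, and it uses constructed addresses for server_group and server_x.

```python
from dataclasses import dataclass
from typing import Optional, Set, Tuple

# Constructed sample addresses standing in for the objects in Frank's rules.
SERVER_GROUP: Set[str] = {"10.0.1.10", "10.0.1.11"}
SERVER_X = "10.0.2.5"


@dataclass
class Rule:
    name: str
    source: Optional[Set[str]]   # None means "any"
    negate_source: bool          # the "X" (negated) source in Frank's rule
    destination: Optional[str]   # None means "any"
    action: str                  # "accept" or "drop"
    track: str                   # "" (blank) or "long"


def matches(rule: Rule, src: str, dst: str) -> bool:
    src_hit = True if rule.source is None else src in rule.source
    if rule.negate_source:
        src_hit = not src_hit  # negation only inverts the match, nothing else
    dst_hit = rule.destination is None or dst == rule.destination
    return src_hit and dst_hit


def evaluate(rulebase, src: str, dst: str) -> Tuple[str, str, str]:
    """First matching rule wins; no match falls to the implicit (assumed) drop."""
    for rule in rulebase:
        if matches(rule, src, dst):
            return rule.action, rule.track, rule.name
    return "drop", "", "implicit-drop"


# Frank's two-rule version: explicit accept, then drop-and-log everything else.
TWO_RULES = [
    Rule("1", SERVER_GROUP, False, SERVER_X, "accept", ""),
    Rule("2", None, False, SERVER_X, "drop", "long"),
]

# Frank's single negated rule: drop-and-log any source NOT in server_group.
ONE_NEGATED = [
    Rule("1", SERVER_GROUP, True, SERVER_X, "drop", "long"),
]


def compare(src: str, dst: str = SERVER_X):
    """Return (two-rule result, negated-rule result) for one connection."""
    return evaluate(TWO_RULES, src, dst), evaluate(ONE_NEGATED, src, dst)
```

For a source in server_group the two-rule version accepts, while the negated rule simply fails to match and the connection falls through to the implicit drop; for any other source both versions drop and log.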
================================================================================
To unsubscribe from this mailing list, please see the instructions at
http://www.checkpoint.com/services/mailing.html
================================================================================