
Re: RE: [FW1] Negating rules




Actually, we ran several tests.  

In one test, we negated the source and made it accept and log what would have otherwise been unauthorized hits.  In this case, a workstation outside the firewall could connect to server_x, but the internal servers could not.

The ambiguity arises from what I believe to be a "best fit" process that FW-1 goes through.

server_X_group   server_x   any   drop     long
any              server_x   any   accept   long

In the first of the above rules, the negated group is allowed through and not logged; the unauthorized hits are logged.  Lo and behold, the negated servers are logged through the second rule, because of the "best fit" process FW-1 seems to go through.

>>> "Simon, Russell" <RSimon@enpointe.com> 04/26 2:10 PM >>>
When you check the logs what rule is letting the server in.

> -----Original Message-----
> From: Frank Tirado [SMTP:ftirado@MAILBOX.ECON.AG.GOV] 
> Sent: Monday, April 26, 1999 1:59 PM
> To: fw-1-mailinglist@softwhisper.us.checkpoint.com 
> Subject: [FW1] Negating rules
> 
> 
> Gentlemen,
>   I'm having a friendly debate with a firewall team member as regards
> negating objects.  I contend that the rules below
> 
> server_group   server_x   any   accept   (blank)
> any            server_x   any   drop     long
> 
> (Rule 1 allows a group of servers to access server_x but not track.)
> (Rule 2 drops all others and logs the hits.)
> 
> could be expressed as follows
> 
> server_X_group   server_x   any    drop        long
> (the "X" in server_group is there to indicate it is negated)
> 
> By summarizing the two rules, negating the source and changing "accept" to
> "drop", one rule should work just as well as the first two.  The servers
> that need to get in are implicitly allowed and not tracked; all the rest
> are dropped and logged.
> 
> My co-worker contends that some other rule must be allowing the service
> in, other than the rule where the source is negated.
> 
> Can anyone please cast some light on this matter?  The manual is not very
> clear on this subject.
> 
> Thanks,
>   Frank
> 
> ================================================================================
>      To unsubscribe from this mailing list, please see the instructions at
>                http://www.checkpoint.com/services/mailing.html
> ================================================================================
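As an added illustration, not part of the thread or of Check Point's own code, here is a small Python first-match rulebase evaluator modelling the rulebases quoted above: Frank's two-rule form, his proposed single negated-source drop rule, and the two variants from the reply's tests (negated source with "accept", and negated drop followed by "any accept"). It assumes top-down, first-match evaluation with an implicit unlogged drop for connections that match no rule; the host names srv_a, srv_b and outside_ws, the service http, and the membership of server_group are constructed for the example.

```python
# Added example, not part of the thread: a minimal first-match rulebase
# evaluator modelling the rulebases discussed above.
# Assumptions (mine, not stated in the thread): rules are evaluated top-down,
# the first matching rule decides, and a connection matching no rule is
# dropped without logging (an implicit cleanup drop).

from dataclasses import dataclass
from typing import Optional, Tuple, Union

Field = Union[str, frozenset]  # "any" or a set of host names

SERVER_X = "server_x"
SERVER_GROUP = frozenset({"srv_a", "srv_b"})  # constructed members of server_group


@dataclass(frozen=True)
class Rule:
    src: Field
    negate_src: bool   # True models the "server_X_group" (negated source) column
    dst: Field
    svc: Field
    action: str        # "accept" or "drop"
    track: str         # "long" or "" (blank = no logging)


def _field_matches(field: Field, value: str) -> bool:
    return field == "any" or value in field


def rule_matches(rule: Rule, src: str, dst: str, svc: str) -> bool:
    src_ok = _field_matches(rule.src, src)
    if rule.negate_src:
        src_ok = not src_ok   # negation: match everything EXCEPT the listed sources
    return src_ok and _field_matches(rule.dst, dst) and _field_matches(rule.svc, svc)


def evaluate(rulebase, src: str, dst: str, svc: str) -> Tuple[str, Optional[int], bool]:
    """Return (action, matching rule number starting at 1, logged?).
    A rule number of None means no rule matched and the implicit drop applied."""
    for number, rule in enumerate(rulebase, start=1):
        if rule_matches(rule, src, dst, svc):
            return rule.action, number, rule.track == "long"
    return "drop", None, False


# Frank's original two rules.
TWO_RULES = [
    Rule(SERVER_GROUP, False, frozenset({SERVER_X}), "any", "accept", ""),
    Rule("any", False, frozenset({SERVER_X}), "any", "drop", "long"),
]
# Frank's proposed single rule with the source negated.
NEGATED_DROP_ONLY = [
    Rule(SERVER_GROUP, True, frozenset({SERVER_X}), "any", "drop", "long"),
]
# The negated-drop rule followed by an "any accept" rule, as in the reply's test.
NEGATED_DROP_THEN_ACCEPT = [
    Rule(SERVER_GROUP, True, frozenset({SERVER_X}), "any", "drop", "long"),
    Rule("any", False, frozenset({SERVER_X}), "any", "accept", "long"),
]
# Negated source with "accept", the other test described in the reply.
NEGATED_ACCEPT_ONLY = [
    Rule(SERVER_GROUP, True, frozenset({SERVER_X}), "any", "accept", "long"),
]


def outcomes(rulebase, hosts=("srv_a", "outside_ws"), svc="http"):
    """Evaluate each constructed source host against server_x and return a dict
    host -> (action, rule number or None, logged)."""
    return {host: evaluate(rulebase, host, SERVER_X, svc) for host in hosts}


if __name__ == "__main__":
    for name, rb in [("two rules", TWO_RULES),
                     ("negated drop only", NEGATED_DROP_ONLY),
                     ("negated drop, then any accept", NEGATED_DROP_THEN_ACCEPT),
                     ("negated accept only", NEGATED_ACCEPT_ONLY)]:
        print(f"{name}:")
        for host, (action, number, logged) in outcomes(rb).items():
            where = f"rule {number}" if number else "no rule (implicit drop)"
            print(f"  {host:>10} -> {action:6} by {where}, logged={logged}")
```

Under these assumptions a member of server_group never matches the negated rule at all, so what happens to it is decided entirely by whatever comes after: with nothing after it, the member falls to the implicit drop; with an "any accept" after it, the member is accepted by that later rule, which is the rule number that would show up when answering Russell's question about the log. The two-rule form gives the authorized servers an explicit accept with its own rule number, which is the easier of the two to audit.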