[FW1] Internet Web servers VS. Intranet Web servers
I hope that someone in this group can help me. I apologize for the length of
this posting but...
We have Checkpoint's FW-1 SP8 (Patch level 3083?) installed on an Ultra-2 running
Solaris 2.6.
In our rulebase we allow all http traffic through our firewall as follows:
No.  Source                  Destination             Service           Action       Track
1    All-Users@Any           Any                     Any               Client-Auth  Long
2    Internal-Addr           Internal-Addr(negated)  http              Accept       Long
3    Internal-Addr           Internal-Addr(negated)  Any               Accept       Long
4    Internal-Addr(negated)  Internal-Addr           Standard-Inbound  Accept       Long
5    Any                     FW-1 machine            Any               Drop         Long  (Stealth rule)
NOTE: Internal-Addr is a group that we defined as being our class-B address
space with a netmask of 255.255.0.0.
NOTE II: We have defined the Standard-Inbound services as including http and email
stuff (e.g. pop-x, smtp, imap, etc.).
The above ruleset will allow all web traffic through our firewall. I have
currently been asked to allow http traffic through our firewall ONLY to our
Internet servers and block all http traffic destined for our Intranet servers.
I have therefore added the following two rules ABOVE rule #1 as stated in the
example above.
No.  Source         Destination     Service  Action       Track
1    Internal-Addr  Intranet-Srvrs  http     Accept       Long
2    Secure@Any     Intranet-Srvrs  http     Client-Auth  Long
NOTE III: Intranet-Srvrs is defined as a Network object group to which I have
added the Intranet Servers (which I previously defined as Network Objects).
NOTE IV: Secure@Any is defined as a user group to which I have added the generic*
user.
When I am connecting to an outside ISP I can still go directly to our Intranet
Web server and the log indicates that the traffic was accepted via Rule #4 as
stated at the top.
Does anyone have any idea as to why it is not working? I could really use some
help. And again I apologize for the length of this posting.
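Editor's note: the following is an added illustration, not code from the poster or from Check Point. It models the two rule bases quoted above as a first-match list and evaluates sample packets against them. The address values are constructed stand-ins (the real class-B is not given), and one behaviour is an explicit assumption: a Client-Auth rule whose source host has not signed on is treated as not matching, so evaluation continues with the next rule. That reading is consistent with the log line in the post attributing the accept to the Standard-Inbound rule, since Intranet-Srvrs lies inside Internal-Addr and that rule accepts http to all of Internal-Addr. A hypothetical explicit drop rule, placed ahead of the Standard-Inbound rule, is included only to show how ordering changes the verdict.

```python
import ipaddress
from dataclasses import dataclass

# Constructed stand-ins for the post's network objects (the real class-B is not given).
INTERNAL_ADDR = ipaddress.ip_network("10.1.0.0/16")        # "Internal-Addr" group
INTRANET_SRVRS = {ipaddress.ip_address("10.1.5.10")}       # "Intranet-Srvrs", inside Internal-Addr
FW1_MACHINE = ipaddress.ip_address("10.1.0.1")             # the firewall itself
STANDARD_INBOUND = {"http", "smtp", "pop3", "imap"}        # "Standard-Inbound" service group


@dataclass
class Packet:
    src: str
    dst: str
    service: str


def is_internal(ip: str) -> bool:
    return ipaddress.ip_address(ip) in INTERNAL_ADDR


def is_intranet_srvr(ip: str) -> bool:
    return ipaddress.ip_address(ip) in INTRANET_SRVRS


def any_match(_pkt: Packet) -> bool:
    return True


# (label, source match, destination match, service match, action)
# Action is "Accept", "Drop" or "Client-Auth"; labels follow the post's numbering.
NEW_RULES = [
    ("new-1", lambda p: is_internal(p.src), lambda p: is_intranet_srvr(p.dst),
     lambda p: p.service == "http", "Accept"),
    ("new-2", any_match, lambda p: is_intranet_srvr(p.dst),
     lambda p: p.service == "http", "Client-Auth"),
]
ORIGINAL_RULES = [
    ("1", any_match, any_match, any_match, "Client-Auth"),
    ("2", lambda p: is_internal(p.src), lambda p: not is_internal(p.dst),
     lambda p: p.service == "http", "Accept"),
    ("3", lambda p: is_internal(p.src), lambda p: not is_internal(p.dst),
     any_match, "Accept"),
    ("4", lambda p: not is_internal(p.src), lambda p: is_internal(p.dst),
     lambda p: p.service in STANDARD_INBOUND, "Accept"),
    ("5", any_match, lambda p: ipaddress.ip_address(p.dst) == FW1_MACHINE,
     any_match, "Drop"),
]

# Hypothetical explicit block ahead of the Standard-Inbound rule; not from the post.
EXPLICIT_BLOCK = ("block-intranet", lambda p: not is_internal(p.src),
                  lambda p: is_intranet_srvr(p.dst), lambda p: p.service == "http", "Drop")
HARDENED_RULES = NEW_RULES + [EXPLICIT_BLOCK] + ORIGINAL_RULES


def evaluate(rules, pkt: Packet, signed_on=frozenset()):
    """Walk the rule base top-down; first match wins. Returns (rule label, verdict).

    ASSUMPTION: a Client-Auth rule whose source host has not signed on does not
    match, and evaluation continues with the next rule.
    """
    for label, src, dst, svc, action in rules:
        if not (src(pkt) and dst(pkt) and svc(pkt)):
            continue
        if action == "Client-Auth":
            if pkt.src in signed_on:
                return label, "Accept"
            continue                      # unauthenticated source falls through
        return label, action
    return "implicit", "Drop"             # nothing matched: implicit cleanup drop


if __name__ == "__main__":
    ext = Packet("198.51.100.7", "10.1.5.10", "http")   # constructed external client
    print(evaluate(NEW_RULES + ORIGINAL_RULES, ext))     # ('4', 'Accept')
    print(evaluate(HARDENED_RULES, ext))                 # ('block-intranet', 'Drop')
    print(evaluate(HARDENED_RULES, ext, signed_on={"198.51.100.7"}))  # ('new-2', 'Accept')
```

Run as-is to see the three verdicts for one external client: with the poster's ordering the http connection to the intranet server is accepted by the Standard-Inbound rule, with the hypothetical drop rule in front of it the unauthenticated connection is dropped, and a source that has signed on is accepted by the Client-Auth rule before either is reached.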