Much to my dismay, it seems that freaknetboy and Neil are right. I had really hoped that negating something in a rule would generate an implied rule to handle whatever was negated. Instead, when something is negated, you usually need to set up an extra rule to handle whatever you negated before. If there is no subsequent rule to handle whatever is negated in a rule, the negated item(s) will be kicked out by the cleanup rule.
I got this info straight from a Checkpoint programmer, though only after first getting contradictory information from their service desk.
My thanks to all who responded to my email.
Frank
>>> Chris F <freaknetboy@yahoo.com> 04/26 2:59 PM >>>
I believe your friend is right because of the pseudo (hidden)
rules, aka Rule 0. Rule 0 has a rule
any any drop
Thus, without another rule for "accept", all will be dropped by Rule 0.
-- Chris
--- Frank Tirado <ftirado@MAILBOX.ECON.AG.GOV> wrote:
>
> Gentlemen,
> I'm having a friendly debate with a firewall team
> member as regards negating objects. I contend that
> the rules below
>
> server_group   server_x   any   accept   (blank)
> any            server_x   any   drop     long
>
> (Rule 1 allows a group of servers to access
> server_but not track.)
> (Rule 2 drops all others and logs the hits.)
>
> could be expressed as follows
>
> server_X_group server_x any drop long
> (the "X" in server_group is there to indicate it is
> negated)
>
> By summarizing the two rules, negating the source
> and changing "accept" to "drop", one rule should
> work just as well as the first two. The servers
> that need to get in are implicitly allowed and not
> tracked; all the rest are dropped and logged.
>
> My co-worker contends that some other rule must be
> allowing the service in, other than the rule where
> the source is negated.
>
> Can anyone please cast some light on this matter?
> The manual is not very clear on this subject.
>
> Thanks,
> Frank
================================================================================
To unsubscribe from this mailing list, please see the instructions at
http://www.checkpoint.com/services/mailing.html
================================================================================
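To make the thread's conclusion concrete, here is an added example (not from any of the posters, and not Check Point code) that simulates first-match rulebase evaluation with an implied final "any any drop" cleanup rule. It compares Frank's original two rules, the single rule with a negated source, and the negated rule followed by the extra accept rule the thread says is needed. Host names, the service "http" and the `Rule` fields are constructed for the illustration.

```python
from dataclasses import dataclass

ANY = "any"

@dataclass(frozen=True)
class Rule:
    src: object            # frozenset of hosts, or ANY
    dst: str               # host name or ANY
    svc: str               # service name or ANY
    action: str            # "accept" or "drop"
    track: str = "none"    # "long" = log the hit, "none" = do not track
    negate_src: bool = False   # source column negated in the rule editor

# Constructed sample group for the example.
SERVER_GROUP = frozenset({"app1", "app2"})

def src_matches(rule: Rule, src: str) -> bool:
    """Negation flips whether the source column matches; it adds no other rule."""
    hit = rule.src == ANY or src in rule.src
    return (not hit) if rule.negate_src else hit

def evaluate(rulebase, src: str, dst: str, svc: str):
    """First-match evaluation. Falls through to the implied cleanup drop
    (what Chris calls Rule 0) when no explicit rule matches."""
    for i, r in enumerate(rulebase, 1):
        if src_matches(r, src) and r.dst in (ANY, dst) and r.svc in (ANY, svc):
            return (f"rule {i}", r.action, r.track)
    return ("cleanup", "drop", "none")

# Frank's original pair: accept the group untracked, drop and log everyone else.
TWO_RULES = [Rule(SERVER_GROUP, "server_x", ANY, "accept"),
             Rule(ANY, "server_x", ANY, "drop", "long")]

# The proposed single rule with the source negated.
NEGATED_ONLY = [Rule(SERVER_GROUP, "server_x", ANY, "drop", "long", negate_src=True)]

# The negated rule plus the extra rule the thread concludes is required.
NEGATED_PLUS_ACCEPT = NEGATED_ONLY + [Rule(SERVER_GROUP, "server_x", ANY, "accept")]

def compare(src: str, svc: str = "http") -> dict:
    """Show which rule handles a packet from `src` to server_x under each rulebase."""
    return {name: evaluate(rb, src, "server_x", svc)
            for name, rb in (("two_rules", TWO_RULES),
                             ("negated_only", NEGATED_ONLY),
                             ("negated_plus_accept", NEGATED_PLUS_ACCEPT))}

if __name__ == "__main__":
    for host in ("app1", "outsider"):
        print(host, compare(host))
```

With only the negated rule, a group member matches nothing explicit and is dropped by the cleanup rule, which is exactly the behaviour Frank confirmed with Check Point.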