
Re: [FW1] Negating rules




Hopefully you didn't bet too much other than a coffee :->

server_X_group   server_x   any    drop        long
Will only drop those people not in server_group.  It will not
automatically give server_group access since there is no rule to say to do
that.  Remember the rule is triggered only if all the conditions are met.
If machine A is not in server_group it is dropped, but if B is in
server_group then the source field does not match the rule, so no action
will take place and the next rule will be checked.



Frank Tirado <ftirado@MAILBOX.ECON.AG.GOV> on 04/26/99 01:59:24 PM

Please respond to Frank Tirado <ftirado@MAILBOX.ECON.AG.GOV>

To:   fw-1-mailinglist@softwhisper.us.checkpoint.com
cc:    (bcc: Stuart Irving/Markham/IBM)
Subject:  [FW1] Negating rules






Gentlemen,
  I'm having a friendly debate with a firewall team member as regards
negating objects.  I contend that the rules below

server_group     server_x   any    accept      (blank)
any              server_x   any    drop        long

(Rule 1 allows a group of servers to access server_x but not track.)
(Rule 2 drops all others and logs the hits.)

could be expressed as follows

server_X_group   server_x   any    drop        long
(the "X" in server_group is there to indicate it is negated)

By summarizing the two rules, negating the source and changing "accept" to
"drop",  one rule should work just as well as the first two.  The servers
that need to get in  are implicitly allowed and not tracked; all the rest
are dropped and logged.

My co-worker contends that some other rule must be allowing the service in,
other than the rule where the source is negated.

Can anyone please cast some light on this matter?  The manual is not very
clear on this subject.

Thanks,
  Frank

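To make the first-match argument concrete, here is an added example (not part of the original thread, and not Check Point's own code) that evaluates both rulebases from the discussion against a group member and an outsider. It assumes constructed addresses for server_group, a string "server_x" for the destination, and the usual FireWall-1 behaviour that traffic matching no rule is dropped by the implicit default (an assumption stated here, not a claim from the posts).

```python
# Added example: first-match evaluation of the two rulebases under discussion.
# Addresses, services and the implicit-default behaviour are constructed assumptions.

ANY = "any"

# Constructed members of the "server_group" object.
SERVER_GROUP = {"10.1.1.10", "10.1.1.11"}


def matches(spec, value):
    """Return True if a rule field matches a packet field.

    spec is "any", a set of values, or ("not", set_of_values) for a negated
    object (the "server_X_group" of the thread).
    """
    if spec == ANY:
        return True
    if isinstance(spec, tuple) and spec[0] == "not":
        return value not in spec[1]
    return value in spec


def evaluate(rules, src, dst, svc):
    """First-match evaluation.

    Returns (action, track, rule_number) for the first rule whose source,
    destination and service all match.  If nothing matches, the assumed
    implicit default applies: drop, with no tracking and no rule number.
    """
    for number, rule in enumerate(rules, start=1):
        if (matches(rule["src"], src)
                and matches(rule["dst"], dst)
                and matches(rule["svc"], svc)):
            return rule["action"], rule["track"], number
    return "drop", "none", None


# Frank's original two rules.
TWO_RULES = [
    {"src": SERVER_GROUP, "dst": {"server_x"}, "svc": ANY,
     "action": "accept", "track": "none"},
    {"src": ANY, "dst": {"server_x"}, "svc": ANY,
     "action": "drop", "track": "long"},
]

# Frank's proposed single rule with a negated source.
ONE_RULE = [
    {"src": ("not", SERVER_GROUP), "dst": {"server_x"}, "svc": ANY,
     "action": "drop", "track": "long"},
]


def compare(src):
    """Evaluate one source against both rulebases side by side."""
    return {
        "two_rules": evaluate(TWO_RULES, src, "server_x", "http"),
        "one_rule": evaluate(ONE_RULE, src, "server_x", "http"),
    }


if __name__ == "__main__":
    for host in ("10.1.1.10", "192.0.2.5"):   # a group member and an outsider
        print(host, compare(host))
```

The group member is accepted by rule 1 of the two-rule set, but under the single negated rule it matches nothing and falls through to the default: the negation removes it from the drop, it does not grant it an accept. The outsider is dropped and logged in both cases, which is why the two rulebases look equivalent until a member actually connects.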



===========================================================================
=====
     To unsubscribe from this mailing list, please see the instructions at
               http://www.checkpoint.com/services/mailing.html
===========================================================================
=====





