I have several Fireboxes running and have had mixed results.  After getting
accustomed to FW1, the Watchguard interface is somewhat
counter-intuitive...

You cannot open an ANY to ANY default rule in a simple manner.  I have
tried this several ways and have been through it with Tech Support.  The
only way to do it is to specify the subnets that are allowed on each
interface and then include those subnets in the Any rule.  For example, if
you have 10.0.0.0/8, 192.168.0.0/16, and 172.31.0.0/16 on the Trusted
interface and EVERYTHING ELSE (0.0.0.0/0) on the External interface, then
your Any rule must enumerate those subnets.  The problem is that you cannot
add 0.0.0.0/0 to a rule.  All IPs (in Watchguard) must start with something
greater than 0.  Therefore, you must add all /8 subnets to the other side
of the Any rule.  That sounds like fun!

(If you are using private IP addresses on both sides of the Firebox
remember to remove those addresses from the Blocked Sites list as
Watchguard blocks these subnets by default.  I use my boxes as internal,
inter-departmental firewalls.)

This is particularly frustrating in that the External interface on the
Watchguard will automatically capture all packets with a destination not
specifically routed to the Trusted or Optional interface.  Why can't we
take advantage of this in an Any rule?

If anyone comes up with a way to handle RPC services in a specific manner
on Watchguard, please let me know!
--------------------------------------------
Andrew Walls, IT Security Analyst, BankWest
40 Frame Ct., Leederville, WA, 6007, Australia
61-8-9449-3787, FAX 61-8-9449-3795  Mobile  0419926368
PGP Fingerprint: E0F7 296E D6D5 6057 1E1D F61B 2602 CB8A
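The enumeration described above, done by script rather than by hand, as an added example (this is not code from the post or from WatchGuard): given the trusted-side subnets, it computes the CIDR blocks that cover everything else, leaving out 0.0.0.0/8 because the GUI refuses any address that begins with 0; the sample subnets are the three from the post.

```python
import ipaddress

# Constructed sample: the three trusted subnets named in the post above.
TRUSTED = ["10.0.0.0/8", "192.168.0.0/16", "172.31.0.0/16"]


def external_cover(trusted, universe="0.0.0.0/0", unusable=("0.0.0.0/8",)):
    """Return the CIDR blocks that together cover every address in `universe`
    that lies in none of the `trusted` subnets and none of the `unusable`
    ones (blocks the Firebox GUI will not accept: anything starting with 0).
    These are the entries for the External side of the Any rule."""
    remaining = [ipaddress.ip_network(universe)]
    for text in list(trusted) + list(unusable):
        excl = ipaddress.ip_network(text)
        kept = []
        for blk in remaining:
            if excl.subnet_of(blk):
                # carve the excluded subnet out, keeping the sibling blocks
                kept.extend(blk.address_exclude(excl))
            elif blk.subnet_of(excl):
                continue  # block lies entirely inside the excluded subnet
            else:
                kept.append(blk)  # CIDR blocks either nest or are disjoint
        remaining = kept
    return sorted(ipaddress.collapse_addresses(remaining))


def covers_everything(cover, trusted, unusable=("0.0.0.0/8",)):
    """Sanity check: cover + trusted + unusable must add back up to 0.0.0.0/0."""
    pieces = list(cover)
    pieces += [ipaddress.ip_network(t) for t in list(trusted) + list(unusable)]
    return list(ipaddress.collapse_addresses(pieces)) == [ipaddress.ip_network(universe_all())]


def universe_all():
    return "0.0.0.0/0"


def address_in_cover(cover, text):
    """True if the address `text` falls inside one of the cover's blocks."""
    addr = ipaddress.ip_address(text)
    return any(addr in blk for blk in cover)


if __name__ == "__main__":
    blocks = external_cover(TRUSTED)
    print(f"{len(blocks)} External-side entries, complete: {covers_everything(blocks, TRUSTED)}")
    for blk in blocks:
        print(blk)
```

Each printed block is one entry for the External side of the rule; the trusted subnets themselves go on the other side, as the post describes.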


---------------------------------------- Message History ----------------------------------------


From: Ben Ostrowsky <[EMAIL PROTECTED]> on 16/02/2000 22:08

To:   [EMAIL PROTECTED]
cc:    (bcc: Andrew Walls/PRS/SS/BankWest)

Subject:  Re: Watchguard Firebox II

> I've just purchased a Watchguard Firebox II and I would love to hear what my
> fellow colleagues think of it and also hear about solutions and stuff like
> that.

We've got one and are trying to figure out how to set it up in a permissive
stance (allow all; deny this, this, and this).  The manual claims you can
do this, but the GUI configurator won't let you open up the "Any" service
from Any to Any.

Tech support said they'd have to call us back, which was fairly annoying.

It does *look* cool, though...

Ben

-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]