Hello,
I have a customer who wants to change from Checkpoint FW-1 to a
Watchguard Firebox based firewall. As the logic behind this firewall
(rules based on services and an incoming/outgoing definition on device
level) is completely different from the rule base definitions of FW-1
(and almost all firewall implementations I'm used to) I need something
like an introduction to it.
- Are there any howtos describing how to convert FW-1 rule bases to
Watchguard?
- Are there any "good" examples?
- Any special mailing lists / newsgroups?
-----------------
Example:
Official DNS server, placed in DMZ on optional interface, static NAT
(Internal name NS, external name NS-pub)
----------------
FW-1 Rulebase:
Security Policy
Intern-Net -> NS (TCP/UDP) Port 53 allow
NS-pub -> Extern (TCP/UDP) Port 53 allow
Extern -> NS-pub (TCP/UDP) Port 53 allow
Intern-Host -> Extern (TCP/UDP) Port 53 allow
Intern-Net -> Extern (TCP/UDP) Port 53 deny
NS-pub -> Extern ICMP allow
Extern -> NS-pub ICMP allow
Address Translation
NS -> Extern static: NS-pub -> Extern
Extern -> NS-pub static: Extern -> NS
-----------------
Watchguard Rulebase:
(1) Service: DNS (tcp/udp port 53)
Incoming Enabled and allowed
From any
To NS-pub -> NS
Outgoing Enabled and allowed
From NS, NS-pub
To any
Enable NAT
(2) Service: DNS (tcp/udp port 53)
Incoming Enabled and denied
From any
To any
Outgoing Enabled and allowed
From Intern-Net
To NS, NS-pub
Disable NAT
(3) Service: DNS (tcp/udp port 53)
Incoming Enabled and denied
From any
To any
Outgoing Enabled and allowed
From Intern-Host
To any
Simple NAT
(4) Service: Ping
Incoming Enabled and allowed
From any
To NS-pub
Outgoing Enabled and allowed
From NS-pub, NS
To any
Enable NAT
(5) Service: Ping
Incoming Enabled and denied
From any
To any
Outgoing Enabled and allowed
From Intern-Net
To NS
Disable NAT
(6) Service: Ping
Incoming Enabled and denied
From any
To any
Outgoing Enabled and allowed
From Intern-Net
To any
Simple NAT
------------------
-> This is a non-working example, as Watchguard incoming rules 5 and 6
collide with rule 4.
Regards,
Achim Dreyer
-----------------------------------------------------------------------
A. Dreyer, UNIX System Administrator and Internet Security Consultant
_______________________________________________
Firewalls mailing list
[EMAIL PROTECTED]
http://lists.gnac.net/mailman/listinfo/firewalls
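The collision the post points out can be checked mechanically. The following is an added illustration, not WatchGuard's or Check Point's own logic: it models each Watchguard service instance as an incoming and an outgoing filter (enabled flag, allow/deny verdict, From and To address sets) and reports same-protocol instances whose filters in one direction overlap in scope but disagree on the verdict. The address names are the post's; treating "any" as overlapping every named object is a simplifying assumption.

```python
# Added illustration (not WatchGuard's or Check Point's own logic): a
# simplified model of Watchguard service filters that flags the kind of
# collision the post describes between Ping rules (4), (5) and (6).
from dataclasses import dataclass
from itertools import combinations

ANY = "any"  # assumption: 'any' overlaps every named host or network

@dataclass
class Filter:
    enabled: bool
    allow: bool
    src: set
    dst: set

@dataclass
class Service:
    name: str
    proto: str  # "tcp/udp 53" for DNS, "icmp" for Ping
    incoming: Filter
    outgoing: Filter

def overlaps(a, b):
    return ANY in a or ANY in b or bool(a & b)

def find_collisions(services):
    """Pairs of same-protocol services whose enabled filters in one direction
    cover overlapping addresses but give different verdicts; which definition
    wins is then device-dependent, so the policy has to be rewritten."""
    hits = []
    for a, b in combinations(services, 2):
        if a.proto != b.proto:
            continue
        for direction in ("incoming", "outgoing"):
            fa, fb = getattr(a, direction), getattr(b, direction)
            if fa.enabled and fb.enabled and fa.allow != fb.allow \
                    and overlaps(fa.src, fb.src) and overlaps(fa.dst, fb.dst):
                hits.append((direction, a.name, b.name))
    return hits

# Ping service instances (4), (5), (6) as written in the post
PING = [
    Service("Ping-4", "icmp", Filter(True, True, {ANY}, {"NS-pub"}),
            Filter(True, True, {"NS-pub", "NS"}, {ANY})),
    Service("Ping-5", "icmp", Filter(True, False, {ANY}, {ANY}),
            Filter(True, True, {"Intern-Net"}, {"NS"})),
    Service("Ping-6", "icmp", Filter(True, False, {ANY}, {ANY}),
            Filter(True, True, {"Intern-Net"}, {ANY})),
]
```

`find_collisions(PING)` reports the two incoming conflicts (rule 4 against 5 and 4 against 6) and no outgoing ones, since all three outgoing filters allow; the DNS instances (1) to (3) can be fed through the same check.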