Thanks Smaff, that was exactly what I was looking for. Owe you a beer :)

Cheers
Sascha
> -----Original Message-----
> From: Mailing list for discussion of Firewall-1
> [mailto:[EMAIL PROTECTED] On Behalf Of Andrew Smaff Matthews
> Sent: Tuesday, April 26, 2005 11:47 AM
> To: [email protected]
> Subject: Re: [FW-1] Does a stealth rule disable Client Authentication?
>
> On Tue, Apr 26, 2005 at 10:22:58AM +0200, Sascha Picchiantano wrote:
> [snip]
> > 1. - allow HTTP outbound, unauthenticated, source: web cache server
> > 2. - allow HTTP outbound, client auth, source: any
> >
> > Note that I have about 200 rules and that the two mentioned here are not
> > number 1 and 2, it's just to illustrate how they are ordered. I want to
> > place a stealth rule on top of the rule base - where it belongs.
> >
> > If I get you right I place a new rule before the stealth rule that
> > allows HTTP, source local LAN, destination firewall. Would that be
> > enough to allow the clients to authenticate? Is the authentication done
> > over HTTP or does it use some other protocol? Which one?
>
> 2 things:
> You don't have to put your client auth rules before your stealth
> rule, but you *do* need a rule:
>   Allow users to connect to firewall on:
>     FW1_clntauth_telnet (tcp/259)
>     FW1_clntauth_http (tcp/900)
> before your stealth rule.
>
> Client auth rules also are processed oddly - that is, the rulebase match
> actually continues until it hits a rule which would deny/reject the
> connection, so you can actually do:
>
>   [EMAIL PROTECTED]   Internet   HTTP   ClientAuth
>   Webproxy            Internet   HTTP   Allow
>
> because although the first rule matches for the webproxy, the search still
> continues and it realises that it doesn't actually need to authenticate the
> proxy.
>
> So you can create a rulebase that looks like:
>
>   firewall mgmt/Monitoring rules
>   Access to client auth services on firewall (tcp259/900)
>   "Stealth" Rule
>   Client Auth rules
>   General Outbound/Inbound rules
>   Usual block & logging set.
>
> Smaff
>
> --
> You happen to be here, now.
>
> =================================================
> To set vacation, Out-Of-Office, or away messages,
> send an email to [EMAIL PROTECTED]
> in the BODY of the email add:
> set fw-1-mailinglist nomail
> =================================================
> To unsubscribe from this mailing list,
> please see the instructions at
> http://www.checkpoint.com/services/mailing.html
> =================================================
> If you have any questions on how to change your
> subscription options, email
> [EMAIL PROTECTED]
> =================================================
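Smaff's explanation above, worked through as an added example that is not part of the list thread and not Check Point code: a small Python rulebase evaluator that models the matching behaviour he describes (first match wins for accept/drop/reject, but a matching Client Auth rule does not end the search, and the user is only forced to authenticate if no later rule accepts the connection outright before a drop/reject rule is reached). It compares Sascha's feared ordering (stealth rule on top, nothing letting clients reach the firewall) with the ordering Smaff recommends. The only facts taken from the thread are the two service ports (tcp/259 and tcp/900) and the rule ordering; the host names, the "LocalNet"/"Internet" groups, the management station and the rule names are made up for the illustration.

```python
"""Toy model of the FW-1 rulebase semantics described on the list.

This is an illustration, not Check Point's implementation.  The Client
Auth handling follows Smaff's description: a matching Client Auth rule
sets "authentication pending" and the search continues; a later plain
accept clears it, while a drop/reject (or the end of the rulebase) turns
it into "clientauth", i.e. the user must authenticate first.
"""

from dataclasses import dataclass

# Check Point service names for the two Client Authentication listeners.
FW1_CLNTAUTH_TELNET = 259   # FW1_clntauth_telnet, tcp/259
FW1_CLNTAUTH_HTTP = 900     # FW1_clntauth_http,   tcp/900
HTTP = 80

ANY = "Any"

# Made-up network objects for the example (not from the thread).
GROUPS = {
    "LocalNet": {"pc1", "webproxy"},
    "Internet": {"www.example.org"},
}


@dataclass(frozen=True)
class Rule:
    name: str
    src: str
    dst: str
    services: object   # ANY or a frozenset of TCP ports
    action: str        # "accept", "drop", "reject" or "clientauth"


def _obj_matches(obj, host):
    """A source/destination object matches a host directly or via a group."""
    return obj == ANY or obj == host or host in GROUPS.get(obj, ())


def _svc_matches(services, port):
    return services == ANY or port in services


def evaluate(rulebase, src, dst, port):
    """Return "accept", "drop", "reject" or "clientauth" for one connection."""
    auth_pending = False
    for rule in rulebase:
        if not (_obj_matches(rule.src, src) and _obj_matches(rule.dst, dst)
                and _svc_matches(rule.services, port)):
            continue
        if rule.action == "clientauth":
            auth_pending = True        # remember it, but keep searching
            continue
        if rule.action == "accept":
            return "accept"            # later plain accept: no prompt needed
        # drop or reject: if a Client Auth rule matched earlier, the user
        # gets the chance to authenticate instead of a silent drop.
        return "clientauth" if auth_pending else rule.action
    return "clientauth" if auth_pending else "drop"   # implicit drop at the end


# Sascha's worry: stealth rule on top and nothing allowing clients to reach
# the firewall's authentication ports, so nobody can ever authenticate.
RULEBASE_BROKEN = [
    Rule("stealth", ANY, "firewall", ANY, "drop"),
    Rule("client auth HTTP", "LocalNet", "Internet", frozenset({HTTP}), "clientauth"),
    Rule("proxy HTTP", "webproxy", "Internet", frozenset({HTTP}), "accept"),
    Rule("cleanup", ANY, ANY, ANY, "drop"),
]

# The ordering Smaff recommends: management rules, access to the Client
# Auth services, then the stealth rule, then the Client Auth rules.
RULEBASE_FIXED = [
    Rule("mgmt", "mgmt-station", "firewall", ANY, "accept"),
    Rule("clntauth services", "LocalNet", "firewall",
         frozenset({FW1_CLNTAUTH_TELNET, FW1_CLNTAUTH_HTTP}), "accept"),
    Rule("stealth", ANY, "firewall", ANY, "drop"),
    Rule("client auth HTTP", "LocalNet", "Internet", frozenset({HTTP}), "clientauth"),
    Rule("proxy HTTP", "webproxy", "Internet", frozenset({HTTP}), "accept"),
    Rule("cleanup", ANY, ANY, ANY, "drop"),
]


if __name__ == "__main__":
    checks = [
        ("pc1", "firewall", FW1_CLNTAUTH_HTTP),   # can the user reach the auth port?
        ("pc1", "firewall", 22),                  # stealth rule must still bite
        ("pc1", "www.example.org", HTTP),         # ordinary user: must authenticate
        ("webproxy", "www.example.org", HTTP),    # proxy: no prompt despite rule order
        ("pc1", "www.example.org", 443),          # nothing allows it: drop
    ]
    for name, rb in (("broken", RULEBASE_BROKEN), ("fixed", RULEBASE_FIXED)):
        for src, dst, port in checks:
            print(f"{name:6} {src:>9} -> {dst}:{port:<4} {evaluate(rb, src, dst, port)}")
```

The point the model makes visible is that the stealth rule only needs one narrow exception in front of it (tcp/259 and tcp/900 from the internal network), while the Client Auth rules themselves can stay below it, and that the unauthenticated proxy rule works wherever it sits relative to the Client Auth rule because the match keeps going past the Client Auth entry.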
