I have a firewall set up with three interfaces. Internalnets is the internal network and the third interface is for a DMZ for a web server and mail relay. Internalnets is a network object that defines the internal network. mailhost is a host object with an address in the DMZ. httphost is a host object with an address in the DMZ.

The documentation suggests creating rules like:

    internalnets   Any        Any    (allow outbound traffic from internal nets)
    Any            mailhost   smtp   (allow inbound traffic to DMZ mail host)
    Any            httphost   http   (allow inbound traffic to DMZ server)

This might allow traffic inbound to mailhost and httphost, but what allows traffic out from these hosts (i.e. such as for DNS requests to DNS servers)? If I create a rule that says:

    mailhost   ANY   DNS

this would allow mailhost to send DNS requests ANYWHERE (i.e. even to the internal network, which may not be what I want). So I would really need a rule like:

    mailhost   !internalnets   DNS

Is this really the best way to do this? Is there another way to allow outbound traffic from these DMZ hosts and minimise opening up other holes?

Any help/pointers that people can provide would be greatly appreciated.

Thanks,
Dana Pratt
[EMAIL PROTECTED]
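To make the difference between the three DMZ rule variants concrete, here is a small first-match rule-base simulator. It is an added example, not part of the original post and not Check Point code; the addresses for internalnets, mailhost, httphost and the DNS servers are constructed for the demonstration. It shows that "mailhost ANY DNS" also permits DNS from the DMZ into the internal network, while the negated destination, or an explicit drop rule placed ahead of the allow, restricts it to external resolvers.

```python
import ipaddress

# Constructed addressing for the three-interface layout (assumed values).
INTERNALNETS = [ipaddress.ip_network("10.1.0.0/16")]      # network object
MAILHOST = ipaddress.ip_address("192.168.100.25")        # host object in DMZ
HTTPHOST = ipaddress.ip_address("192.168.100.80")        # host object in DMZ
DNS, SMTP, HTTP = ("udp", 53), ("tcp", 25), ("tcp", 80)
ANY = None

def in_obj(addr, obj):
    """Match an address against a rule object: None = Any, a list of
    networks = network object, ("not", obj) = negated object, else a host."""
    if obj is None:
        return True
    if isinstance(obj, tuple) and obj[0] == "not":
        return not in_obj(addr, obj[1])
    if isinstance(obj, list):
        return any(addr in net for net in obj)
    return addr == obj

def evaluate(rulebase, pkt):
    """First-match evaluation; pkt = (src, dst, proto, port).
    Returns the first matching rule's action, or 'drop' (implicit cleanup)."""
    src, dst, proto, port = pkt
    for rule_src, rule_dst, rule_svc, action in rulebase:
        if (in_obj(src, rule_src) and in_obj(dst, rule_dst)
                and (rule_svc is None or rule_svc == (proto, port))):
            return action
    return "drop"

# The documented rules plus the naive "mailhost ANY DNS" rule.
NAIVE = [
    (INTERNALNETS, ANY, ANY, "accept"),
    (ANY, MAILHOST, SMTP, "accept"),
    (ANY, HTTPHOST, HTTP, "accept"),
    (MAILHOST, ANY, DNS, "accept"),
]
# Variant with the negated destination "mailhost !internalnets DNS".
NEGATED = NAIVE[:3] + [(MAILHOST, ("not", INTERNALNETS), DNS, "accept")]
# Equivalent variant: an explicit DMZ->internal drop placed before the allow.
EXPLICIT_DROP = NAIVE[:3] + [
    (MAILHOST, INTERNALNETS, ANY, "drop"),
    (MAILHOST, ANY, DNS, "accept"),
]

def check(rulebase):
    """Return (verdict for DNS to an external resolver, verdict for DNS to an
    internal resolver) for the mail relay; constructed resolver addresses."""
    ext_dns = (MAILHOST, ipaddress.ip_address("198.51.100.53"), "udp", 53)
    int_dns = (MAILHOST, ipaddress.ip_address("10.1.0.53"), "udp", 53)
    return evaluate(rulebase, ext_dns), evaluate(rulebase, int_dns)
```

Running check() on each variant shows the naive rule accepting both packets, while the negated and explicit-drop variants accept only the external query.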
