-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hmmm... I just read again in the FW-1 manual the following on Accept
Outgoing Packets:

Accept Outgoing Packets - Accept all outgoing packets (from the
Firewall, not from the internal network).

On gateways, rules are usually enforced in the inbound direction
only. When a packet passing through the gateway leaves the gateway,
it will be allowed to pass only if one of the following conditions is
true:

* The Accept Outgoing Packets property is checked.
* Rules are enforced both directions (eitherbound), and there is a
rule which allowed the packet to leave the gateway.

Then it references the drawing and addtl information in the
Architecture manual, which basically states what you have written.

Given that, am I the only one feeling uncomfortable with Inbound only
since packets originating from the firewall to the outside would go
unchecked? Assuming that usually (!) nothing is running on the
firewall and no user is working on it, there are still packets that
the FW itself creates and sends out, as in authentication and VPN
traffic. Wouldn't it be possible for exploits to go unnoticed if no
rules have been set to monitor/filter outgoing data? In order to
enforce those rules, Eitherbound would need to be selected.

Am I just too paranoid, or does anyone else think it might be a good
idea to keep an eye on traffic leaving the firewall, and hence use
Eitherbound?

Regards,
Frank


> -----Original Message-----
> From: Carric Dooley [mailto:[EMAIL PROTECTED]]
> Sent: Monday, August 14, 2000 12:46 PM
> To: Frank Knobbe; 'Padden, Greg';
> [EMAIL PROTECTED]
> Subject: Re: [FW1] Inbound, outbound, or eitherbound?
> 
> 
> My understanding of eitherbound is on which interface the policy is
> applied to the traffic.... example:
> 
> If you have IF_A as your internal interface, and IF_B as your external,
> if you set your policy for "Inbound", packets coming from the public
> network would be filtered at IF_B (the inbound interface for that
> direction). An outbound policy would evaluate the traffic from the
> outside at IF_A as the traffic leaves the firewall. "Eitherbound" means
> the packets have to pass through the policy at BOTH interfaces, doubling
> the amount of work for the firewall (at least from a policy perspective)
> for each packet. This is the most secure, but if you are pushing a lot
> of traffic, not ideal. I would typically set that property for "inbound"
> myself. If you set it for "outbound" a DoS (from the outside) would
> affect the firewall itself because the traffic is not analyzed until it
> hits the internal interface (IF_A). Eitherbound is overkill in a lot of
> situations, but inbound means if someone attacks the firewall, it has to
> make it through the policy, and the same would apply for traffic from
> the internal network out (evaluated before it passes through the
> firewall).

-----BEGIN PGP SIGNATURE-----
Version: PGP Personal Privacy 6.5.1
Comment: PGP or S/MIME (X.509) encrypted email preferred.

iQA/AwUBOZrqzkRKym0LjhFcEQIakACg2WyHMepBcqrB4Nz5+m0tXSrli1UAoMap
H4SH0xOKQTKmXy3b/5uNcx/Q
=WHGk
-----END PGP SIGNATURE-----
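As an added illustration (not from the thread, the FW-1 manual, or Check Point), here is a toy Python model of a two-interface gateway that shows which packets actually get evaluated against the rule base under Inbound, Outbound and Eitherbound, with the Accept Outgoing Packets property on or off. The interface names IF_A/IF_B, the one-rule rule base and the packet addresses (RFC 5737 documentation ranges) are constructed for the example; the model is stateless and first-match-wins and is only an assumption about the semantics described in the thread, not FW-1's real inspection code. The case Frank raises is FROM_FW: a packet the gateway itself generates has no inbound interface, so with Inbound and Accept Outgoing Packets it is accepted without the rule base ever being consulted, while Eitherbound evaluates it on the way out. TO_FW is Carric's case: with Outbound only, a packet addressed to the gateway itself never reaches an outbound interface and is never checked.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Toy model of a two-interface gateway (IF_A internal, IF_B external). This is
# an added illustration, not Check Point code, and it simplifies FW-1: rules
# are stateless, first match wins, and an unmatched packet is dropped.


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    in_if: Optional[str]   # interface it arrived on; None if the gateway created it
    out_if: Optional[str]  # interface it leaves by; None if the gateway is the destination


@dataclass(frozen=True)
class Rule:
    src: str               # CIDR or "any"
    dst: str               # CIDR or "any"
    dport: Optional[int]   # None matches any port
    action: str            # "accept" or "drop"


def _addr_match(spec: str, addr: str) -> bool:
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec)


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    return (_addr_match(rule.src, pkt.src)
            and _addr_match(rule.dst, pkt.dst)
            and (rule.dport is None or rule.dport == pkt.dport))


def evaluate(rules: List[Rule], pkt: Packet) -> str:
    """First matching rule wins; no match means the implicit drop."""
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule.action
    return "drop"


def gateway_decision(rules: List[Rule], pkt: Packet, direction: str,
                     accept_outgoing: bool) -> Tuple[str, List[Tuple[str, str]]]:
    """Return (verdict, checks). checks lists every point where the rule base
    was consulted, so an empty list means the packet was never inspected.
    direction is "inbound", "outbound" or "eitherbound"; accept_outgoing is
    the 'Accept Outgoing Packets' property as described in the manual."""
    assert direction in ("inbound", "outbound", "eitherbound")
    checks: List[Tuple[str, str]] = []
    # Entry: the rule base is applied as the packet arrives on an interface.
    # A gateway-generated packet has no entry interface and skips this step.
    if direction in ("inbound", "eitherbound") and pkt.in_if is not None:
        checks.append(("in", pkt.in_if))
        if evaluate(rules, pkt) == "drop":
            return "drop", checks
    # Exit: applied as the packet leaves an interface. A packet addressed to
    # the gateway itself never leaves and skips this step.
    if pkt.out_if is not None:
        if direction in ("outbound", "eitherbound"):
            checks.append(("out", pkt.out_if))
            if evaluate(rules, pkt) == "drop":
                return "drop", checks
        elif not accept_outgoing:
            # Inbound only with the property off: nothing permits leaving.
            return "drop", checks
    return "accept", checks


# Constructed rule base: the internal net may reach any web server; all else drops.
RULES = [Rule("10.0.0.0/8", "any", 80, "accept")]

# Constructed packets (RFC 5737 documentation addresses; 192.0.2.1 is the gateway).
WEB_OUT = Packet("10.0.0.25", "198.51.100.7", 80, in_if="IF_A", out_if="IF_B")
ATTACK_IN = Packet("203.0.113.5", "10.0.0.10", 80, in_if="IF_B", out_if="IF_A")
TO_FW = Packet("203.0.113.5", "192.0.2.1", 22, in_if="IF_B", out_if=None)
FROM_FW = Packet("192.0.2.1", "198.51.100.7", 500, in_if=None, out_if="IF_B")


def compare(pkt: Packet) -> Dict[str, Tuple[str, List[Tuple[str, str]]]]:
    """Verdict and check points under each direction, Accept Outgoing Packets on."""
    return {d: gateway_decision(RULES, pkt, d, True)
            for d in ("inbound", "outbound", "eitherbound")}


if __name__ == "__main__":
    for name, pkt in [("web out", WEB_OUT), ("attack in", ATTACK_IN),
                      ("to firewall", TO_FW), ("from firewall", FROM_FW)]:
        print(name, compare(pkt))
```

Running it prints, for FROM_FW, ('accept', []) under Inbound and ('drop', [('out', 'IF_B')]) under Eitherbound: the gateway's own traffic only meets a rule when the policy is enforced on the way out. Turning Accept Outgoing Packets off under Inbound does not make it inspected either, it just makes it ('drop', []), which is why real deployments that want to log or restrict VPN and authentication traffic from the gateway itself need explicit rules plus Eitherbound.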


================================================================================
     To unsubscribe from this mailing list, please see the instructions at
               http://www.checkpoint.com/services/mailing.html
================================================================================
