Sure...
Well, I'll start by saying that I have just arrived at firewall-1 this week, and that I
came from ipchains with Linux ;)
For example, when I configured any firewall, I always defined some rules like these:

EXTERNAL_INTERFACE=eth2
BROADCAST_SRC=0.0.0.0
BROADCAST_DEST=255.255.255.255
ipchains -A input -i $EXTERNAL_INTERFACE -s $BROADCAST_DEST -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -d $BROADCAST_SRC -j DENY -l
ipchains -A output -i $EXTERNAL_INTERFACE -s $BROADCAST_DEST -j DENY -l
ipchains -A output -i $EXTERNAL_INTERFACE -d $BROADCAST_SRC -j DENY -l

Note that I can define rules for the output and input chains of each interface. I
think that this is very powerful, and I need to know how to do this in firewall-1.
These four rules are applied only to the external interface; the first two for the
input chain and the last two for the output chain. In this way I was able to control
the broadcast packets that arrive at the external interface, and I could specify
what to do with the incoming and the outgoing packets. I think this is a very good way
to control very specific traffic at the different interfaces of a machine.
I think that in Firewall-1 this is possible too, but I don't know how...
Can anybody translate these rules from ipchains to firewall-1 for me? It would be great for
me because I would see how this firewall works.
Thanks a lot.
>>> Carl E. Mankinen <[EMAIL PROTECTED]> 24/08/00 14:47 >>>
Rules aren't specified on the basis of the Firewall interface.
As a matter of fact, it's best to have all the IP addresses of the firewall
stealthed so that any packet destined for the firewall itself is dropped.
So rules are based on source address, destination address and service type.
You couldn't specify a rule to allow ANY source going to ANY destination
only on one interface. Usually you would be using different subnets on each
interface so that proper routing could occur anyway...
----- Original Message -----
From: James Edwards <[EMAIL PROTECTED]>
To: 'Luis Angel Fernandez Escabias' <[EMAIL PROTECTED]>;
<[EMAIL PROTECTED]>
Sent: Thursday, August 24, 2000 8:01 AM
Subject: RE: [FW1] Apply rule to an interface
>
> Unless I am seriously mistaken, each interface has a separate IP address
> and, at least in my setup, is specified pretty much as a separate machine.
> What you want to do should be very simple. Just set each interface/IP
> address as a unique workstation and then you can use that to specify your
> rules.
>
> Jim Edwards
> Systems Manager
> Texas Secretary of State
>
>
> -----Original Message-----
> From: Luis Angel Fernandez Escabias [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, August 24, 2000 2:40 AM
> To: [EMAIL PROTECTED]
> Subject: [FW1] Apply rule to an interface
>
>
>
> Hi...
>
> I want to define some rules to only the external interface of my firewall,
> can I do it with the GUI client?
>
> For example, with ipchains, I can define a rule to a single interface:
>
> ipchains -A output -i eth1 -s $CLASS_A -j DENY -l
>
> That rule is only applied to the output chain of the eth1 interface. I want
> to do this with firewall-1, but I don't see how in the GUI client. Can anybody
> help me?
> Thanks a lot.
>
> ================================================================================
> To unsubscribe from this mailing list, please see the instructions at
> http://www.checkpoint.com/services/mailing.html
> ================================================================================