Yes Frank, that is exactly what he was trying to suggest. But that is not
correct. Any any any accept still does impose traffic restrictions.
And as far as I am aware ICMP, UDP and TCP are the only IP protocols that
exist.
Thanks,
Paul
On Fri, 9 Feb 2001, Frank Knobbe wrote:
>
> > -----Original Message-----
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
> > Sent: Friday, February 09, 2001 8:47 AM
> >
> > Correct me if I am wrong, but I think allowing ICMP is part of the
> > policy properties.
> >
> > I apologize if I am wrong here, I don't have a FW-1 box in front of
> > me right now.
> >
> > The email that I replied to said that any any any accept was
> > = a router.
> >
> > This is FAR from the truth. (Although I wish it was the truth)
>
>
> I don't have that email anymore, but I think the poster was trying to
> say that Any-Any-Any does not impose any access control restrictions
> based on source and destination address, and service/protocol. So in
> essence, yeah, it would behave like a router if routing is allowed on the
> box and no address translation rules are in effect.
>
> Any as a service includes more than just ICMP. ICMP in the policy
> allows a subset of the ICMP protocol such as echo, reply, traceroute
> etc. But there are more IP protocols besides ICMP, TCP and UDP. If
> you were to allow inbound traffic to a PPTP server for example, you
> would have a rule that specifies src-dst-GRE, which would allow the
> GRE protocol (IP protocol 47) to pass through. IPSec is another IP
> protocol. As far as I know, using any will allow GRE, IPSec and other
> IP protocols through. So the statement of TCP/UDP highports was
> incorrect (what about TCP/UDP low ports? ;) Any is more like any any
> day if anyone cares anymore anyway...
>
> Regards,
> Frank
>
>
>
> ================================================================================
> To unsubscribe from this mailing list, please see the instructions at
> http://www.checkpoint.com/services/mailing.html
> ================================================================================
>
--
--Paul
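
Added example, not part of the original thread: the quoted reply turns on the 8-bit Protocol field of the IPv4 header, so this sketch builds constructed headers and runs them through a simplified first-match rule list to show which protocol numbers a service of "any" admits compared with a rule that lists only icmp, tcp and udp. The rule tuple layout and the function names are hypothetical and do not model FireWall-1's actual rule engine; the addresses are documentation ranges.

```python
import ipaddress
import struct

# IANA-assigned IP protocol numbers (the 8-bit Protocol field of the IPv4 header).
PROTO = {"icmp": 1, "tcp": 6, "udp": 17, "gre": 47, "esp": 50, "ah": 51}
NAMES = {num: name for name, num in PROTO.items()}


def ipv4_header(src, dst, proto):
    """Build a constructed 20-byte IPv4 header (checksum left at 0)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, proto, 0,
                       ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(dst).packed)


def parse(header):
    """Return (src, dst, protocol number) from raw IPv4 header bytes."""
    if len(header) < 20 or header[0] >> 4 != 4:
        raise ValueError("not an IPv4 header")
    src, dst = (ipaddress.IPv4Address(header[i:i + 4]) for i in (12, 16))
    return src, dst, header[9]


def decide(rules, header):
    """Hypothetical rule model: first matching rule wins, no match means drop."""
    src, dst, proto = parse(header)
    for r_src, r_dst, services, action in rules:
        if (src in ipaddress.ip_network(r_src)
                and dst in ipaddress.ip_network(r_dst)
                and (services == "any" or NAMES.get(proto) in services)):
            return action
    return "drop"


ANY = "0.0.0.0/0"
any_rule = [(ANY, ANY, "any", "accept")]
listed_rule = [(ANY, ANY, {"icmp", "tcp", "udp"}, "accept")]


def audit(rules):
    """Map each protocol name to the decision for one constructed packet."""
    return {name: decide(rules, ipv4_header("192.0.2.10", "198.51.100.5", num))
            for name, num in PROTO.items()}


if __name__ == "__main__":
    for label, rules in (("any", any_rule), ("icmp/tcp/udp", listed_rule)):
        print(label, audit(rules))
```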