Sigh, the "Security Policy" properties page is (largely) a farce. It will not matter if you can "see them". The fundamental problem is that they are "global" rules for services and that cannot be changed - i.e. allowing (for example) "Domain Name Download (TCP)" is like a rule which reads "Any Any domain-tcp accept - Gateways Any".

The only reasonable thing you can do is disable the following:

    Accept Firewall-1 Control Connections
    Accept UDP replies
    Accept RIP
    Accept Domain Name Queries (UDP)
    Accept Domain Name Download (TCP)
    Accept ICMP

I haven't made the time to determine the effect of toggling "Accept Outgoing Packets" or whether that can be moderated by toggling the "Apply Gateway Rules to Interface Direction" to "Eitherbound".

Why it doesn't properly configure itself for "Accept Firewall-1 Control Connections" is bewildering given the file with a list of master/clients. A case of "almost" but not quite - something you'd hope not to find in the maker of the world's most popular and perhaps the world's worst default-configured firewall.

The only difference doing the above makes is that you need to add a few rules to properly add in FW-1 control, appropriate rules for DNS, and set up bi-directional rules for UDP services.

I've not looked at how the "Router Access Lists" page of checkboxes impacts on rules generated for (I presume) Ciscos, which is another potential source of trouble.

Darren

p.s. I'd suggest that anyone who has knowingly installed FW-1 for a client with services such as DNS enabled give their respective clients a free security upgrade of their firewall so that they can fix their own mistake.
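An added illustration of the point made above, not part of the original post and not Check Point's rulebase format or inspection engine: a constructed first-match model in which the "Accept Domain Name Download (TCP)" property behaves like an "Any Any domain-tcp accept" rule evaluated ahead of the explicit rulebase. The addresses, the rulebase and the service names are assumptions made up for the example.

```python
# Constructed first-match rulebase model (not FireWall-1's own format or engine).
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    src: str      # CIDR or "Any"
    dst: str      # CIDR or "Any"
    service: str  # e.g. "domain-tcp", "domain-udp", or "Any"
    action: str   # "accept" or "drop"


def _match(field: str, value: str) -> bool:
    return field == "Any" or ip_address(value) in ip_network(field)


def evaluate(rules, src, dst, service):
    """First matching rule wins; nothing matching means an implicit drop."""
    for r in rules:
        if _match(r.src, src) and _match(r.dst, dst) and r.service in (service, "Any"):
            return r.action
    return "drop"


# The explicit rulebase an administrator believes is in force (assumed values):
# only the ISP secondary (198.51.100.53) may pull zone transfers (TCP/53) from
# the internal DNS server (192.0.2.53); anyone may send UDP queries to it.
EXPLICIT = [
    Rule("198.51.100.53/32", "192.0.2.53/32", "domain-tcp", "accept"),
    Rule("Any", "192.0.2.53/32", "domain-udp", "accept"),
    Rule("Any", "Any", "Any", "drop"),
]

# The property as the post describes it: a global rule evaluated before
# everything the administrator wrote, on every gateway.
IMPLIED_DNS_TCP = Rule("Any", "Any", "domain-tcp", "accept")


def with_property_enabled(rules):
    return [IMPLIED_DNS_TCP] + list(rules)


def zone_transfer_from(src, rules):
    """Verdict for a TCP/53 connection from src to the internal DNS server."""
    return evaluate(rules, src, "192.0.2.53", "domain-tcp")


if __name__ == "__main__":
    for label, rb in (("property on ", with_property_enabled(EXPLICIT)), ("property off", EXPLICIT)):
        print(label, "unknown host:", zone_transfer_from("203.0.113.7", rb),
              "| ISP secondary:", zone_transfer_from("198.51.100.53", rb))
```

With the property enabled the explicit third-party restriction on TCP/53 is never reached; with it disabled, the explicit rules decide and the UDP query rule still serves ordinary lookups.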
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:21:27 PDT