On Tue, 18 January 2000, "Cannella, Michael (ISS Southfield)" wrote:

> >A question for the list while I am on the subject of FW-1. Does anybody know why the
> >'Allow outbound connections' property has to be set on FW-1/NT for the fw to pass any
> >traffic? In my experience this property has the advertised effect on the Solaris
> >platform but will stop all traffic dead in the water if not enabled on the NT platform.
>
> I have seen the same behavior difference between Solaris and NT, but only
> with http. With telnet, for example, both seem to behave the same way. And
> I have no explanation for why that occurs, although, for once, it's NT that
> exhibits the safer behavior.

If the HTTP Security Server is involved (i.e. if there's an HTTP resource or User Authentication), I can imagine the behaviour being slightly different.

> This problem is quite apropos your comment about the (ahem) "limitations" of
> the Checkpoint docs, which are somewhat misleading:
>
> - the policy property help expressly indicates that the "allow outgoing"
>   checkbox does not apply to traffic from the internal network.
>
> - the help for "outgoing connections" says--a bit more accurately--that
>   traffic will only be allowed out from the firewall if either
>
>     * "allow outgoing" is checked
>       or
>     * interface direction is set to "eitherbound," and there is a rule that
>       allows the traffic out.

You can also get in trouble if you have some rules installed on gateways, some rules installed on specific target (FireWall-1 treats these rules as eitherbound), and interface direction is set to "inbound."

--
Dameon D. Welch, a.k.a. PhoneBoy (dwelchat_private)
Check Point FireWall-1 FAQs at http://www.phoneboy.com/fw1/
The views expressed herein are not necessarily those of anyone else.