Problem with Netscreen 100

Archived from groups: comp.security.firewalls (More info?)

 

Hi,

I am running a Netscreen 100 with 4.03 OS and I am seeing very weird
stuff.
I created a bunch of trusted and untrusted hosts and then policies.
Some policies work and some don't. Also to mention, I have set up some
groups where I have bound all SMTP servers as one group. For some
reason not all policies work, and it seems to matter in some cases
where the policy is located as far as order goes, which I don't
understand why. If by default everything is blocked and I
have a policy that allows SMTP for example and then 5 other policies
unrelated, why can this affect another policy which allows another host
to use SMTP?

hope anyone can point me in the right direction..

thanks

Alex


Archived from groups: comp.security.firewalls (More info?)

 

Hi,

NOC Guy <alexp@iccinternet.com> wrote:
> groups where I have bound all SMTP servers as one group. For some
> reason not all policies work, and it seems to matter in some cases
> where the policy is located as far as order goes, which I don't
> understand why.

Because Netscreens (as a lot of other filters too) work this way.
All rules are applied from top to bottom. If a rule matches for a given packet,
processing stops.

So if you have something like:

- deny all mailservers
- allow the ISP-Mailserver

you will never reach the ISP-Mailserver.

Greetings,
Jens


Archived from groups: comp.security.firewalls (More info?)

 

I understand if I deny something that that will impact the process, but
in my case it's like:

allow a to z
allow b to z
allow e to b
allow e to d
allow c to z

In this case c to z won't work until I move it up into the xx to z
group.
This does not make sense to me...

Also, what is the best way to log any traffic which is denied by the
firewall?
I assume it would be a deny any any as the last policy.

Alex

>
> - deny all mailservers
> - allow the ISP-Mailserver
>
> you will never reach the ISP-Mailserver.
>
> Greetings,
> Jens


Archived from groups: comp.security.firewalls (More info?)

 

Hi,

NOC Guy <alexp@iccinternet.com> wrote:
> In this case c to z won't work until I move it up into the xx to z
> group.
> This does not make sense to me...

Yes. That does not make any sense.

I could understand that Netscreen is able to do better optimisation
when the "similar" rules are grouped.

Have you checked the knowledgebase for such problems?

> I assume it would be a deny any any as the last policy.

And enable logging. And don't forget to tell the Netscreen to
log traffic to itself.

Greetings,
Jens

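The first-match behaviour Jens describes, the shadowed "deny all mailservers / allow the ISP mailserver" pair, Alex's permit-only list, and a final logged "deny any any" can all be checked with a small model. This is an added example written for this thread, not ScreenOS code or anything from the posters; the host names, the "mailservers" group and the packets are constructed, and the evaluator assumes a plain top-to-bottom first match with an unlogged implicit deny, which is a simplification of a real policy engine.

```python
# Constructed first-match policy evaluator modelled on the thread's examples.
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    src: str          # source host or group name; "any" matches every host
    dst: str          # destination host or group name
    service: str      # e.g. "smtp"; "any" matches every service
    action: str       # "permit" or "deny"
    log: bool = False # whether a hit on this rule is logged

# Constructed address groups. Note the ISP relay is a member of "mailservers".
GROUPS = {"mailservers": {"isp-mail", "corp-mail"}}

def _addr_match(pattern: str, host: str) -> bool:
    if pattern == "any":
        return True
    members = GROUPS.get(pattern)
    return host in members if members is not None else pattern == host

def evaluate(rules, src, dst, service):
    """Walk the list top to bottom and stop at the first matching rule.
    Returns (action, rule_index, logged); no match -> implicit, unlogged deny."""
    for i, r in enumerate(rules):
        if (_addr_match(r.src, src) and _addr_match(r.dst, dst)
                and r.service in ("any", service)):
            return r.action, i, r.log
    return "deny", None, False

# Jens' example: the group deny sits above the specific permit, so the
# permit is shadowed and SMTP to isp-mail is dropped by rule 0.
SHADOWED = [
    Rule("any", "mailservers", "smtp", "deny"),
    Rule("any", "isp-mail", "smtp", "permit"),
]

# Specific permit first, group deny second, then the explicit logged
# "deny any any" that Alex asks about as the last policy.
ORDERED = [
    Rule("any", "isp-mail", "smtp", "permit"),
    Rule("any", "mailservers", "smtp", "deny"),
    Rule("any", "any", "any", "deny", log=True),
]

# Alex's permit-only list. Under pure first-match, c -> z is permitted
# wherever that rule sits, so position alone cannot explain his failure.
ALEX = [Rule(s, d, "any", "permit") for s, d in
        [("a", "z"), ("b", "z"), ("e", "b"), ("e", "d"), ("c", "z")]]
```

Running `evaluate(ALEX, "c", "z", "smtp")` and the same call on `ALEX[::-1]` both return a permit, which is the point Jens makes: only a deny (or a group that swallows a host) placed above a permit can shadow it in a first-match list.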