Gordon,
<..snip
If I add a line like - "any DMZ www accept fw-cluster" - I
immediately make all specific rules for www access redundant!
So I need some way of identifying the Internet users with a global
network object?
..snip>
The normal anti-spoofing rules on your internet connected interfaces should
be good enough.
<..snip
I could do this if I knew how to code a "negative" rule (ie "if the
source address is not from my internal network, then it must be the
Internet") but I can find no way of doing this in the Policy Editor.
..snip>
If you set the internal networks you want to deny in the rule, just set that
network as the SOURCE of the rule, then right-click on that entry and
choose NEGATE. This means every source except the internal network
is allowed to http into your DMZ.
Regards,
Brenno
_______________________________________________
Firewalls mailing list
[EMAIL PROTECTED]
http://lists.gnac.net/mailman/listinfo/firewalls
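To see why the negated SOURCE rule and the interface anti-spoofing check together give "Internet only" access, here is an added Python model of the two checks. It is not part of the thread and not Check Point's own code; the networks, interface names, single rule and cleanup default are constructed assumptions.

```python
import ipaddress

# Constructed topology (assumption): an internal LAN, a DMZ holding one web
# server, and the cluster's external interface facing the Internet.
INTERNAL = ipaddress.ip_network("10.0.0.0/8")
DMZ = ipaddress.ip_network("192.0.2.0/24")
WWW = ipaddress.ip_address("192.0.2.10")
OWN_NETWORKS = [INTERNAL, DMZ]

# Anti-spoofing: the source networks that may legitimately arrive on each
# inside interface. The external interface may carry anything EXCEPT our own
# networks. A mismatch is dropped before the rule base is consulted.
VALID_SOURCES = {"internal": [INTERNAL], "dmz": [DMZ]}

# Rule base: (source, negate_source, destination, service, action).
# Rule 1 is the reply's suggestion: SOURCE = internal network, NEGATEd.
RULES = [
    (INTERNAL, True, WWW, "http", "accept"),
]


def spoofed(src, iface):
    """True if this source address should not appear on this interface."""
    addr = ipaddress.ip_address(src)
    if iface == "external":
        return any(addr in net for net in OWN_NETWORKS)
    return not any(addr in net for net in VALID_SOURCES.get(iface, []))


def evaluate(src, iface, dst, service):
    """Return (verdict, reason) for one packet; first matching rule wins."""
    if spoofed(src, iface):
        return "drop", "anti-spoofing"
    addr = ipaddress.ip_address(src)
    for n, (rsrc, negate, rdst, rsvc, action) in enumerate(RULES, 1):
        # NEGATE flips the outcome of the source test and nothing else.
        src_ok = (addr in rsrc) != negate
        if src_ok and ipaddress.ip_address(dst) == rdst and service == rsvc:
            return action, f"rule {n}"
    return "drop", "cleanup"  # implicit deny at the bottom of the rule base
```

Run with a few packets: an Internet host reaching WWW over http is accepted by rule 1, an internal host on the internal interface falls through to the cleanup drop, and an internal address arriving on the external interface never reaches the rule base.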