OK, I see now. I may stand corrected here, but... I thought the match for any was only applicable whenever you had 2 services defined with the same port, and the service with match for any checked would be used for the "any" service rule. Otherwise, if only 1 service is defined, then the option for match for any has no effect. I think the option to negate is suitable.
-GS

-----Original Message-----
From: Mailing list for discussion of Firewall-1 [mailto:[EMAIL PROTECTED] On Behalf Of Stala
Sent: Monday, March 07, 2005 6:08 PM
To: [email protected]
Subject: Re: [FW-1] ICMP going through the any service

No, these are all R55 HFA-8. ICMP works fine, but it is being passed under a rule that has service set to ANY. I am trying to limit what can be reached by ICMP. I guess I could just negate ICMP.

----- Original Message -----
From: "Gary Scott" <[EMAIL PROTECTED]>
To: <[email protected]>
Sent: Monday, March 07, 2005 5:13 PM
Subject: Re: [FW-1] ICMP going through the any service

Are you referring to how NG does stateful ICMP inspection, as opposed to 4.1 where you had to add the return rules for ICMP to work?

-GS

-----Original Message-----
From: Mailing list for discussion of Firewall-1 [mailto:[EMAIL PROTECTED] On Behalf Of Hill, Lindsay, VF-NZ
Sent: Monday, March 07, 2005 3:04 PM
To: [email protected]
Subject: Re: [FW-1] ICMP going through the any service

Global properties just affects the implied rules - if you have it turned on, ICMP is allowed through via an implied rule. Turn on implied rules to see it. Effectively it's just another rule - it doesn't impact any rules that you might add yourself. ICMP requests match for any, so of course it's going to be allowed through.

- LH

-----Original Message-----
From: Mailing list for discussion of Firewall-1 [mailto:[EMAIL PROTECTED] On Behalf Of Tom Stala
Sent: Tuesday, 8 March 2005 7:32 a.m.
To: [email protected]
Subject: [FW-1] ICMP going through the any service

I have a couple of firewalls that allow an ICMP request through under the any service, like:

my-net to this ip any-service accept

I am getting ICMP through this rule. Under global properties I have ICMP un-checked. I am running R55 hfa-8. Has anyone run across this before?

=================================================
To set vacation, Out-Of-Office, or away messages, send an email to [EMAIL PROTECTED]
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list, please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your subscription options, email [EMAIL PROTECTED]
=================================================

-----------------------------------------------------------------------------------------------
Have you seen our website?.... http://www.vodafone.co.nz
Manage Your Account, check your Vodafone Mail and send web2TXT online: http://www.vodafone.co.nz/myvodafone

CAUTION: This correspondence is confidential and intended for the named recipient(s) only. If you are not the named recipient and receive this correspondence in error, you must not copy, distribute or take any action in reliance on it and you should delete it from your system and notify the sender immediately. Thank you. Unless otherwise stated, any views or opinions expressed are solely those of the author and do not represent those of Vodafone New Zealand Limited.
Vodafone New Zealand Limited 21 Pitt Street, Private Bag 92161, Auckland, 1020, New Zealand Telephone + 64 9 357 5100 Facsimile + 64 9 377 0962
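
The behaviour discussed in this thread, as an added example that is not part of any message above and is not Check Point code: a simplified first-match rulebase model showing that an explicit Any-service rule accepts ICMP even with the implied ICMP rule turned off, and that negating ICMP in the service cell stops it. The names host-a, echo-request, http, rule-1 and cleanup are constructed, and placing the implied rule first is an assumption of the model.

```python
from dataclasses import dataclass

ANY = "Any"

@dataclass(frozen=True)
class Rule:
    name: str
    src: str
    dst: str
    services: frozenset   # service names, or {ANY}
    action: str
    negate: bool = False   # negated service cell: everything except `services`

def service_matches(rule, service):
    if ANY in rule.services:
        return not rule.negate          # a negated Any matches nothing
    hit = service in rule.services
    return not hit if rule.negate else hit

def evaluate(rulebase, src, dst, service):
    """Return (rule name, action) of the first rule that matches."""
    for r in rulebase:
        if r.src in (ANY, src) and r.dst in (ANY, dst) and service_matches(r, service):
            return r.name, r.action
    return "no-match", "drop"

def build_rulebase(implied_icmp, negate_icmp):
    """implied_icmp models the global-properties checkbox (assumed evaluated first);
    negate_icmp swaps the Any service cell for a negated ICMP cell."""
    icmp = frozenset({"echo-request"})
    rules = []
    if implied_icmp:
        rules.append(Rule("implied-icmp", ANY, ANY, icmp, "accept"))
    if negate_icmp:
        rules.append(Rule("rule-1", "my-net", "host-a", icmp, "accept", negate=True))
    else:
        rules.append(Rule("rule-1", "my-net", "host-a", frozenset({ANY}), "accept"))
    rules.append(Rule("cleanup", ANY, ANY, frozenset({ANY}), "drop"))
    return rules

if __name__ == "__main__":
    for implied, negated in [(False, False), (False, True), (True, True)]:
        rb = build_rulebase(implied, negated)
        for svc in ("echo-request", "http"):
            print(implied, negated, svc, evaluate(rb, "my-net", "host-a", svc))
```
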
