On Tue, Apr 26, 2005 at 10:22:58AM +0200, Sascha Picchiantano wrote:
[snip]
> 1. - allow HTTP outbound, unauthenticated, source: web cache server
> 2. - allow HTTP outbound, client auth, source: any
>
> Note that I have about 200 rules and that the two mentioned here are not
> number 1 and 2, it's just to illustrate how they are ordered. I want to
> place a stealth rule on top of the rule base - where it belongs.
>
> If I get you right I place a new rule before the stealth rule that
> allows HTTP, source local LAN, destination firewall. Would that be
> enough to allow the clients to authenticate? Is the authentication done
> over HTTP or does it use some other protocol? Which one?

2 things:

You don't have to put your client auth rules before your stealth rule, but you *do* need a rule:

    Allow users to connect to firewall on:
        FW1_clntauth_telnet (tcp/259)
        FW1_clntauth_http   (tcp/900)

before your stealth rule.
Client auth rules also are processed oddly - that is, the rulebase match actually continues until it hits a rule which would deny/reject the connection, so you can actually do:

    [EMAIL PROTECTED]   Internet   HTTP   ClientAuth
    Webproxy            Internet   HTTP   Allow

because although the first rule matches for the webproxy, the search still continues and it realises that it doesn't actually need to authenticate the proxy.

So you can create a rulebase that looks like:

    firewall mgmt/Monitoring rules
    Access to client auth services on firewall (tcp 259/900)
    "Stealth" Rule
    Client Auth rules
    General Outbound/Inbound rules
    Usual block & logging set.

Smaff
-- 
You happen to be here, now.

=================================================
To set vacation, Out-Of-Office, or away messages,
send an email to [EMAIL PROTECTED]
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
[EMAIL PROTECTED]
=================================================
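The rulebase layout Smaff describes, as an added example that is not part of the original thread and not Check Point's own code: a small Python model of top-down rule matching in which Allow/Drop/Reject are terminal but a ClientAuth match is only remembered and the search continues until a later rule allows the connection outright (no authentication needed) or would deny it (authentication required). The addresses, rule names and the evaluate() semantics are assumptions made for illustration; the point it shows is why the tcp/259 and tcp/900 rule must sit above the stealth rule, and why the web proxy gets through the ClientAuth rule without authenticating.

```python
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Optional, Set, Tuple, List

# Constructed example addresses (RFC 1918 / RFC 5737); not from the original post.
FIREWALL = ip_network("192.0.2.1/32")
LOCALNET = ip_network("10.0.0.0/24")
WEBPROXY = ip_network("10.0.0.2/32")
MGMT = ip_network("10.0.0.10/32")
ANY = ip_network("0.0.0.0/0")
INTERNET = ANY  # for this model "Internet" is simply "any destination"

HTTP = {80}
CLNTAUTH = {259, 900}   # FW1_clntauth_telnet (tcp/259), FW1_clntauth_http (tcp/900)
ANY_PORT = None


@dataclass
class Rule:
    name: str
    src: IPv4Network
    dst: IPv4Network
    ports: Optional[Set[int]]   # None = any service
    action: str                 # "Allow", "Drop", "Reject" or "ClientAuth"

    def matches(self, src: str, dst: str, dport: int) -> bool:
        return (ip_address(src) in self.src
                and ip_address(dst) in self.dst
                and (self.ports is None or dport in self.ports))


def build_rulebase(auth_services_before_stealth: bool = True) -> List[Rule]:
    """Return the layout from the post; set the flag False to see the
    misordering where the stealth rule hides the client-auth services."""
    mgmt = Rule("firewall mgmt/monitoring", MGMT, FIREWALL, ANY_PORT, "Allow")
    auth_svc = Rule("client auth services on firewall", LOCALNET, FIREWALL, CLNTAUTH, "Allow")
    stealth = Rule("stealth", ANY, FIREWALL, ANY_PORT, "Drop")
    client_auth = Rule("LocalNet HTTP client auth", LOCALNET, INTERNET, HTTP, "ClientAuth")
    proxy = Rule("Webproxy HTTP", WEBPROXY, INTERNET, HTTP, "Allow")
    cleanup = Rule("cleanup", ANY, ANY, ANY_PORT, "Drop")
    head = [mgmt, auth_svc, stealth] if auth_services_before_stealth else [mgmt, stealth, auth_svc]
    return head + [client_auth, proxy, cleanup]


def evaluate(rules: List[Rule], src: str, dst: str, dport: int) -> Tuple[str, int]:
    """Walk the rulebase top-down and return (verdict, matching rule number).

    Assumed semantics (a simplified model of the behaviour the post describes):
    Allow/Drop/Reject end the search. A ClientAuth match is remembered and the
    search continues; a later Allow lets the connection through unauthenticated,
    while a later Drop/Reject (or running off the end) means the client must
    authenticate against the remembered ClientAuth rule.
    """
    pending = None
    for number, rule in enumerate(rules, 1):
        if not rule.matches(src, dst, dport):
            continue
        if rule.action == "ClientAuth":
            if pending is None:
                pending = number
            continue
        if rule.action == "Allow":
            return "Allow", number
        # Drop or Reject: this is the rule that stops the continued search.
        if pending is not None:
            return "ClientAuth", pending
        return rule.action, number
    if pending is not None:
        return "ClientAuth", pending
    return "Drop", 0  # implicit drop, no rule matched


if __name__ == "__main__":
    good = build_rulebase(True)
    bad = build_rulebase(False)
    checks = [
        ("client browsing", good, "10.0.0.5", "203.0.113.10", 80),
        ("proxy browsing", good, "10.0.0.2", "203.0.113.10", 80),
        ("client to fw tcp/900", good, "10.0.0.5", "192.0.2.1", 900),
        ("client to fw tcp/22", good, "10.0.0.5", "192.0.2.1", 22),
        ("client to fw tcp/900, stealth first", bad, "10.0.0.5", "192.0.2.1", 900),
    ]
    for label, rb, s, d, p in checks:
        verdict, n = evaluate(rb, s, d, p)
        print(f"{label:40s} -> {verdict} (rule {n}: {rb[n-1].name if n else 'implicit'})")
```

With the auth-services rule above the stealth rule, a LAN client reaching the firewall on tcp/900 is allowed by rule 2 while anything else to the firewall is dropped by the stealth rule; with the two swapped, the stealth rule drops tcp/900 and nobody can authenticate. The proxy's HTTP matches the ClientAuth rule first, but the later Allow rule lets it through without authentication, which is the fall-through Smaff describes.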