On Tue, Apr 26, 2005 at 10:22:58AM +0200, Sascha Picchiantano wrote:
[snip]
> 1. - allow HTTP outbound, unauthenticated, source: web cache server
> 2. - allow HTTP outbound, client auth, source: any
>
> Note that I have about 200 rules and that the two mentioned here are not
> number 1 and 2, it's just to illustrate how they are ordered. I want to
> place a stealth rule on top of the rule base - where it belongs.
>
> If I get you right I place a new rule before the stealth rule that
> allows HTTP, source local LAN, destination firewall. Would that be
> enough to allow the clients to authenticate? Is the authentication done
> over HTTP or does it use some other protocol? Which one?
>
2 Things:
        You don't have to put your client auth rules before your stealth
        rule, but you *do* need a rule:
                Allow users to connect to firewall on:
                FW1_clntauth_telnet     (tcp/259)
                FW1_clntauth_http       (tcp/900)
        Before your stealth rule.

Client auth rules are also processed oddly. That is, the rulebase match
actually continues until it hits a rule which would deny/reject the
connection, so you can actually do:

        [EMAIL PROTECTED]       Internet        HTTP    ClientAuth
        Webproxy        Internet        HTTP    Allow

Because although the first rule matches for the webproxy, the search still
continues and it realises that it doesn't actually need to authenticate the
proxy.

So you can create a rulebase that looks like:

        firewall mgmt/Monitoring rules
        Access to client auth services on firewall (tcp259/900)
        "Stealth" Rule
        Client Auth rules
        General Outbound/Inbound rules
        Usual block & logging set.

                Smaff


--
You happen to be here, now.

=================================================
To set vacation, Out-Of-Office, or away messages,
send an email to [EMAIL PROTECTED]
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
[EMAIL PROTECTED]
=================================================
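The following is an added illustration, not part of the thread and not Check Point code: a small Python model of an ordered rulebase with the Client Auth continuation behaviour exactly as Smaff describes it above (a ClientAuth match keeps scanning; a later Accept wins without authentication, a later Drop/Reject or the implicit cleanup means the user must authenticate). The semantics are taken from the post and are not verified against any particular FW-1 release. Object names (fw1, internet, the LAN members, mgmt-station, mgmt-svc), the rule names and the functions evaluate() and clntauth_reachable() are all assumptions made for the example. It shows why a stealth rule placed blindly on top blocks tcp/259 and tcp/900, why Smaff's ordering fixes that, and why the web cache still gets through an earlier ClientAuth rule unauthenticated.

```python
"""Toy model of a FireWall-1 style top-down rulebase with Client Auth continuation.

Added example for the discussion above; not Check Point code.  The matching
semantics are those described in the post, not a verified FW-1 implementation.
All object, service and rule names below are assumed for illustration.
"""
from dataclasses import dataclass

ANY = "any"
FIREWALL = "fw1"        # assumed gateway object name
INTERNET = "internet"   # assumed name for outside destinations

# Assumed network objects: the LAN group contains both the clients and the web cache.
LAN = frozenset({"client-a", "client-b", "webproxy"})
WEBPROXY = frozenset({"webproxy"})
GATEWAY = frozenset({FIREWALL})
OUTSIDE = frozenset({INTERNET})
MGMT_STATION = frozenset({"mgmt-station"})

# Client Auth services named in the post: FW1_clntauth_telnet and FW1_clntauth_http.
CLNTAUTH_SERVICES = ("tcp/259", "tcp/900")


@dataclass(frozen=True)
class Rule:
    name: str
    src: object       # frozenset of host names, or ANY
    dst: object       # frozenset of host names, or ANY
    service: object   # service name, frozenset of service names, or ANY
    action: str       # accept | drop | reject | clientauth


@dataclass(frozen=True)
class Conn:
    src: str
    dst: str
    service: str


def _match(obj, value):
    if obj == ANY:
        return True
    if isinstance(obj, frozenset):
        return value in obj
    return obj == value


def rule_matches(rule, conn):
    return (_match(rule.src, conn.src) and _match(rule.dst, conn.dst)
            and _match(rule.service, conn.service))


def evaluate(rulebase, conn):
    """Walk the rulebase top-down; return (verdict, deciding rule name).

    A ClientAuth match does not stop the walk.  A later Accept wins outright
    (no authentication needed); a later Drop/Reject, or running off the end,
    means the connection is allowed only after Client Auth.
    """
    pending_auth = None
    for rule in rulebase:
        if not rule_matches(rule, conn):
            continue
        if rule.action == "clientauth":
            if pending_auth is None:
                pending_auth = rule
            continue
        if rule.action == "accept":
            return ("accept", rule.name)
        if pending_auth is not None:
            return ("clientauth", pending_auth.name)
        return (rule.action, rule.name)
    if pending_auth is not None:
        return ("clientauth", pending_auth.name)
    return ("drop", "implicit cleanup")


# Rules (names and the mgmt service are assumed).
MGMT = Rule("fw mgmt", MGMT_STATION, GATEWAY, "mgmt-svc", "accept")
AUTH_SERVICES = Rule("clntauth services", LAN, GATEWAY, frozenset(CLNTAUTH_SERVICES), "accept")
STEALTH = Rule("stealth", ANY, GATEWAY, ANY, "drop")
CLIENT_AUTH = Rule("users to internet", LAN, OUTSIDE, "http", "clientauth")
PROXY_OUT = Rule("webproxy outbound", WEBPROXY, OUTSIDE, "http", "accept")
CLEANUP = Rule("cleanup", ANY, ANY, ANY, "drop")

# Stealth rule simply put on top: nobody can reach the Client Auth daemons.
BROKEN = [STEALTH, CLIENT_AUTH, PROXY_OUT, CLEANUP]
# Smaff's ordering: mgmt, clntauth services, stealth, client auth, general, cleanup.
RECOMMENDED = [MGMT, AUTH_SERVICES, STEALTH, CLIENT_AUTH, PROXY_OUT, CLEANUP]


def clntauth_reachable(rulebase, host):
    """Sanity check: can `host` reach both Client Auth services on the gateway?"""
    return all(evaluate(rulebase, Conn(host, FIREWALL, svc))[0] == "accept"
               for svc in CLNTAUTH_SERVICES)


if __name__ == "__main__":
    samples = [Conn("client-a", FIREWALL, "tcp/900"),   # reaching the auth daemon
               Conn("client-a", FIREWALL, "http"),      # plain HTTP to the gateway itself
               Conn("client-a", INTERNET, "http"),      # user browsing out
               Conn("webproxy", INTERNET, "http"),      # cache browsing out
               Conn(INTERNET, FIREWALL, "tcp/900")]     # outsider probing the gateway
    for label, rb in (("broken", BROKEN), ("recommended", RECOMMENDED)):
        print(f"[{label}] clntauth reachable from client-a: {clntauth_reachable(rb, 'client-a')}")
        for c in samples:
            print(f"  {c.src:>10} -> {c.dst:<9} {c.service:<8} {evaluate(rb, c)}")
```

Note that the recommended ordering still drops plain HTTP from the LAN to the gateway at the stealth rule: the only hole opened before it is for tcp/259 and tcp/900, which is all the clients need to authenticate.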