Thank you for correcting me.
On Fri, 9 Feb 2001, Chris Arnold wrote:
> Actually, RFC791 specifies an 8 bit field in IP packets to identify the
> following protocol type. This means that 256 encapsulated IP protocol types
> could exist. Currently, 134 of them are assigned by IANA.
>
> TCP = IP protocol 6
> UDP = IP protocol 17
> ICMP = IP protocol 1
>
> Chris
>
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
> Sent: Friday, February 09, 2001 1:00 PM
> To: [EMAIL PROTECTED]
> Subject: RE: [FW1] Any-->does this include....
>
>
>
>
> Yes Frank, that is exactly what he was trying to suggest. But that is not
> correct. any any any accept still does impose traffic restrictions.
>
> And as far as I am aware ICMP, UDP and TCP are the only IP protocols that
> exist.
>
> Thanks,
>
> Paul
>
> On Fri, 9 Feb 2001, Frank Knobbe wrote:
>
> >
> > -----BEGIN PGP SIGNED MESSAGE-----
> > Hash: SHA1
> >
> > > -----Original Message-----
> > > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
> > > Sent: Friday, February 09, 2001 8:47 AM
> > >
> > > Correct me if I am wrong, but I think allowing ICMP is part
> > > of the policy
> > > properties.
> > >
> > > I apologize if I am wrong here, I don't have a FW-1 box in front of
> > > me right now.
> > >
> > > The email that I replied to said that any any any accept was
> > > = a router.
> > >
> > > This is FAR from the truth. (Although I wish it was the truth)
> >
> >
> > I don't have that email anymore, but I think the poster was trying to
> > say that Any-Any-Any does not impose any access control restrictions
> > based on source and destination address, and service/protocol. So in
> > essence, yeah, it would behave like a router if routing is allowed on the
> > box and no address translation rules are in effect.
> >
> > Any as a service includes more than just ICMP. ICMP in the policy
> > allows a subset of the ICMP protocol such as echo, reply, traceroute
> > etc. But there are more IP protocols besides ICMP, TCP and UDP. If
> > you were to allow inbound traffic to a PPTP server for example, you
> > would have a rule that specifies src-dst-GRE, which would allow the
> > GRE protocol (IP protocol 47) to pass through. IPSec is another IP
> > protocol. As far as I know, using any will allow GRE, IPSec and other
> > IP protocols through. So the statement of TCP/UDP highports was
> > incorrect (what about TCP/UDP low ports? ;) Any is more like any any
> > day if anyone cares anymore anyway...
> >
> > Regards,
> > Frank
> >
> > -----BEGIN PGP SIGNATURE-----
> > Version: PGP Personal Privacy 6.5.8
> > Comment: PGP or S/MIME encrypted email preferred.
> >
> > iQA/AwUBOoQUZZytSsEygtEFEQI//gCeMFrj+IRyBtZe/VPHDTKC+GzJo+4AnRzp
> > A55x1WaflYWvV+7NVwtXQjiB
> > =1IaS
> > -----END PGP SIGNATURE-----
> >
> >
> >
> > ================================================================================
> > To unsubscribe from this mailing list, please see the instructions at
> > http://www.checkpoint.com/services/mailing.html
> > ================================================================================
> >
>
>
--
--Paul
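
The protocol-field point discussed in this thread, as an added example that is not part of any poster's message and is not FW-1 code: it reads the 8-bit protocol field from constructed IPv4 headers and shows which protocols a service of "any" matches compared with a TCP/UDP/ICMP-only service. The rule model (`service_matches`, `audit`), the sample addresses and the extra protocol numbers 50, 51 and 89 are assumptions made for illustration.

```python
import struct

# Protocol numbers named in the thread, plus ESP/AH (IPsec) as IANA assigns them.
PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP", 47: "GRE", 50: "ESP", 51: "AH"}

def ip_protocol(packet: bytes) -> int:
    """Return the 8-bit protocol field (byte offset 9) of an IPv4 header."""
    if len(packet) < 20:
        raise ValueError("shorter than a minimal IPv4 header")
    version, ihl = packet[0] >> 4, packet[0] & 0x0F
    if version != 4 or ihl < 5 or len(packet) < ihl * 4:
        raise ValueError("not a well-formed IPv4 header")
    return packet[9]

def make_header(proto: int) -> bytes:
    """Build a constructed 20-byte IPv4 header (checksum left at 0)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, proto, 0,
                       bytes([192, 0, 2, 1]), bytes([198, 51, 100, 1]))

def service_matches(service, proto: int) -> bool:
    """Hypothetical rule model: service is "any" or a set of protocol numbers."""
    return service == "any" or proto in service

def audit(service, packets):
    """Return the names of the protocols the service column lets through."""
    passed = []
    for pkt in packets:
        proto = ip_protocol(pkt)
        if service_matches(service, proto):
            passed.append(PROTO_NAMES.get(proto, f"proto-{proto}"))
    return passed

# Constructed input: ICMP, TCP, UDP, GRE, ESP and one unnamed protocol (89).
SAMPLE = [make_header(n) for n in (1, 6, 17, 47, 50, 89)]

if __name__ == "__main__":
    print("any          :", audit("any", SAMPLE))
    print("tcp/udp/icmp :", audit({1, 6, 17}, SAMPLE))
```
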