Mete,
Rule 0 means it's accepted because of some implied rule you have checked in
the rulebase properties. And maybe you have done Automatic NAT on the
Webserver object? I'd recommend never using Automatic NAT and populating the
NAT rules by hand. Reason: oversight, control and logging.
Plus, why would the firewall itself initiate a connection with http to an
external site? Or if it does it in place of the webserver (do you have FW-1
set up to act as a proxy for the webserver?) why would the webserver
initiate it? Normally you define objects for the incoming traffic and the
response packets by the server are implied in that rule, so you don't need
a rule where the webserver is the source. Of course I don't know what your
company does; maybe you need to replicate data with external sites, then
it's different.
Just my spontaneous thoughts... Let's see what others have to say.
Cheers
Ralf G.
z+z+z+z+z++z++z+z+z+++z+z++z++z+++z+++z+++z++z+z+z+z++z
Ralf Guenthner, Senior IT Security Consultant
Zentric GmbH & Co. KG - IT Security & Groupware Solutions
Office Phone: +49-6101-556060
Fax: +49-6101-556065
mailto:[EMAIL PROTECTED]
http://www.zentric.com
+z+z+z+z+z++z++z+z+z+++z+z++z++z+++z+++z+++z++z+z+z+z++z
================================================================================
To unsubscribe from this mailing list, please see the instructions at
http://www.checkpoint.com/services/mailing.html
================================================================================
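To make the three points in Ralf's reply concrete (implied rules logging as rule 0 ahead of the explicit rule base, reply packets being matched by the connection table rather than by a second rule with the server as source, and the value of auditing rules that have the server as source), here is a small stateful rule-base model. It is an added example written for this thread, not Check Point code, and it does not reproduce FW-1's matching engine or its NAT ordering; all addresses, rule numbers and the `Firewall`, `Rule` and `Packet` classes are constructed for the illustration.

```python
"""Toy stateful rule-base model (added example, not FW-1 code).

Models, with constructed sample data:
  * implied rules are checked before the explicit rule base and are
    reported as rule 0,
  * a reply packet of an accepted connection is matched by the connection
    table, so no rule with the web server as source is needed for it,
  * an audit helper that lists accept rules whose source is the server,
    which is usually redundant for a server that only answers requests.
"""
from dataclasses import dataclass, field
from typing import Optional

ANY = "any"
GATEWAY = "203.0.113.1"     # constructed: firewall external address
WEBSERVER = "10.0.0.10"     # constructed: internal web server
CLIENT = "198.51.100.7"     # constructed: external client
HTTP = 80


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    sport: int = 40000
    syn: bool = True          # True for the first packet of a connection


@dataclass(frozen=True)
class Rule:
    number: int               # 0 marks an implied (Global Properties) rule
    src: str                  # ANY or one address
    dst: str
    dport: Optional[int]      # None matches any destination port
    action: str               # "accept" or "drop"
    comment: str = ""

    def matches(self, p: Packet) -> bool:
        return (self.src in (ANY, p.src)
                and self.dst in (ANY, p.dst)
                and self.dport in (None, p.dport))


# Constructed policy: one implied rule, three explicit rules.
IMPLIED = [Rule(0, GATEWAY, ANY, None, "accept", "implied: gateway outbound")]
EXPLICIT = [
    Rule(1, ANY, WEBSERVER, HTTP, "accept", "inbound web traffic"),
    Rule(2, WEBSERVER, ANY, HTTP, "accept", "server-initiated, likely redundant"),
    Rule(3, ANY, ANY, None, "drop", "clean-up rule"),
]


@dataclass
class Firewall:
    implied: list
    explicit: list
    conns: set = field(default_factory=set)    # connection table
    log: list = field(default_factory=list)    # (src, dst, dport, action, matched)

    def filter(self, p: Packet) -> tuple:
        """Return (verdict, matched) where matched is 'state' or 'rule N'."""
        # Reply packets of an accepted connection: matched by state, not a rule.
        reverse = (p.dst, p.dport, p.src, p.sport)
        if not p.syn and reverse in self.conns:
            return ("accept", "state")
        # Implied rules are evaluated first; first match wins.
        for r in self.implied + self.explicit:
            if r.matches(p):
                matched = f"rule {r.number}"
                self.log.append((p.src, p.dst, p.dport, r.action, matched))
                if r.action == "accept" and p.syn:
                    self.conns.add((p.src, p.sport, p.dst, p.dport))
                return (r.action, matched)
        return ("drop", "no rule")      # unreachable with a clean-up rule


def build_firewall() -> Firewall:
    return Firewall(IMPLIED, EXPLICIT)


def rules_with_server_as_source(rules, server: str) -> list:
    """Audit: accept rules where the server is the source (candidates to drop)."""
    return [r.number for r in rules if r.src == server and r.action == "accept"]


if __name__ == "__main__":
    fw = build_firewall()
    print(fw.filter(Packet(CLIENT, WEBSERVER, HTTP)))                    # rule 1
    print(fw.filter(Packet(WEBSERVER, CLIENT, 40000, sport=HTTP, syn=False)))  # state
    print(fw.filter(Packet(GATEWAY, CLIENT, HTTP)))                      # rule 0
    print(fw.filter(Packet(WEBSERVER, "192.0.2.9", HTTP)))               # rule 2
    print("review rules:", rules_with_server_as_source(EXPLICIT, WEBSERVER))
```

The second call shows the reply from the web server being accepted from the connection table before any explicit rule is consulted; the third shows a gateway-originated connection landing on the implied rule and being logged as rule 0. The audit helper returns rule 2, the one Ralf suggests you normally do not need.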