Clarrisa

You are right, the rule will catch and drop traffic except from the
10.10.10.1 address to your webserver. (Note that your rule would not
catch non-http traffic to the web server. Watch out for rules further
down your rulebase that may allow non-http traffic to hit the
server.) To do what you require, you would then have to put a second
rule below that to catch and accept the 10.10.10.1 address to the web
server. The negate action doesn't cause the rules to expand their
functionality.

If you just had a rule that accepted traffic from 10.10.10.1, then
all other traffic would continue down the rulebase and get caught by
the cleanup rule. For maximum peace of mind, use two rules, the first one
to explicitly drop ALL traffic except 10.10.10.1 and the second to
explicitly allow the 10.10.10.1 traffic on the http port to the
server.

regards

Richard Turner 


>-------- ORIGINAL MESSAGE BELOW --------
>
>
>Hello,
>
>I am hoping someone could help me understand the logic of a negate
>in a DROP rule.
>
>I have a similar rule which is as follows (IPs have been replaced):
>
>Source            Dest.           Service.        Action.
>10.10.10.1        192.168.10.1    http            Drop.
>negated(X)
>
>From my understanding, this means all addresses EXCEPT 10.10.10.1
>will be dropped.    This part I understand.
>
>However, does this mean that 10.10.10.1 will be ACCEPTED for http?
>i.e. - in a negate rule, are there two parts to the logic? The first
>part says all addresses except the negated one will be dropped, and
>the next part says the negated will be accepted?
>
>OR, will I need to put in another rule to allow 10.10.10.1 to go to
>192.168.10.1 for http?
>
>I am doing a negate to save having to put two rules in. My
>objective is to drop all traffic for http to 192.168.10.1
>(inside my LAN) from the Internet, EXCEPT I still want 10.10.10.1
>(an internet address) to be allowed.
>
>If anyone understands exactly how negate works in a drop rule, I
>would truly appreciate an explanation.  (I don't have any test
>machines to try this out)
>
>Thanks!
>:)
>-Clarrisa
>
>
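The first-match behaviour Richard describes above, as an added example that is not part of either message: a small rulebase simulator (hypothetical code, not Check Point's own) that evaluates Clarrisa's single negated DROP rule, the two-rule version, and the case where a later permissive rule lets non-http traffic through to the server.

```python
# Added example: a first-match rulebase simulator with a negated source cell.
# Addresses 203.0.113.5 and the "Any" wildcard are constructed for the demo.
import ipaddress
from dataclasses import dataclass


@dataclass
class Rule:
    src: str                 # IP, CIDR, or "Any"
    dst: str
    service: str             # "http", "ssh", ... or "Any"
    action: str              # "accept" or "drop"
    negate_src: bool = False  # the negate(X) on the Source cell

    def matches(self, src, dst, service):
        src_ok = self.src == "Any" or \
            ipaddress.ip_address(src) in ipaddress.ip_network(self.src)
        if self.negate_src:      # negate only inverts the match, nothing more
            src_ok = not src_ok
        dst_ok = self.dst == "Any" or \
            ipaddress.ip_address(dst) in ipaddress.ip_network(self.dst)
        svc_ok = self.service == "Any" or self.service == service
        return src_ok and dst_ok and svc_ok


def evaluate(rulebase, src, dst, service):
    """Return (action, rule number) of the first match; unmatched traffic
    falls through to the implicit cleanup rule and is dropped."""
    for number, rule in enumerate(rulebase, start=1):
        if rule.matches(src, dst, service):
            return rule.action, number
    return "drop", "cleanup"


WEB = "192.168.10.1"
PARTNER = "10.10.10.1"

# Clarrisa's single rule: drop http to the web server from anything but 10.10.10.1
single = [Rule(PARTNER, WEB, "http", "drop", negate_src=True)]

# Richard's two rules: the same drop, then an explicit accept for 10.10.10.1
two = single + [Rule(PARTNER, WEB, "http", "accept")]

# The caveat: a permissive rule further down that the negated http rule never sees
leaky = two + [Rule("Any", WEB, "Any", "accept")]

if __name__ == "__main__":
    print(evaluate(single, PARTNER, WEB, "http"))       # ('drop', 'cleanup')
    print(evaluate(two, PARTNER, WEB, "http"))          # ('accept', 2)
    print(evaluate(leaky, "203.0.113.5", WEB, "ssh"))   # ('accept', 3)
```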





================================================================================
     To unsubscribe from this mailing list, please see the instructions at
               http://www.checkpoint.com/services/mailing.html
================================================================================