Hi everybody,
I am trying to figure out how to define some basic network objects on
Firewall-1. I've read the manual thoroughly and am still confused.
Perhaps some kind soul can give me a hand.
My internal network is 10.x.x.x (unregistered, IANA recommendation), and
is composed of a collection of subnets connected to a backbone. One of
the interfaces of my Firewall-1 box will be connected to this backbone.
The other interface of the FW-1 box will be connected to my DMZ, which
is then routed to the Internet. My intent is to use NAT to translate
the internal addresses to valid ones on the DMZ. I believe this is a
fairly straightforward and common setup.
I would like to create network objects which represent the internal net
and the Internet so that I can proceed with entering rules in the Rule
Base. My problem is understanding the specific FW-1 mechanics used to
define these objects.
Some specific issues:
When defining a network object, the dialog box asks for a particular IP
address. This is odd, because IP networks are generally designated
x.y.z.0 (I'm assuming class C in this example), where x.y.z is the
network portion and .0 represents the network. There is a space for the
subnet mask in the dialog box...can I assume that the host portion of
the address is ignored and that any host on the resultant net matches
that object?
Although I've used class C subnetting on the internal internetwork
(multiple nets, 10.x.y.z netmask 255.255.255.0), could I use a broader
mask in the FW-1 network object to represent the whole internal network
- i.e., 10.x.y.z netmask 255.0.0.0? Would this work, or would I be
confusing the system?
Lastly, based on what the manual did contain, I'm thinking the way to
represent the Internet is to first define the internal net and then use
the negate feature to designate "everything else". Is this accurate?
Any insight would be greatly appreciated, including the mechanics of the
process. Thanks and Regards,
Earl Evans
--
[][][][][][][][][][][][][][][][][][][][][][][][][][][][][]
[] Earl Evans                "I thought,          []
[] e_evans@ix.netcom.com     therefore I was"     []
[][][][][][][][][][][][][][][][][][][][][][][][][][][][][]
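The three mechanics asked about above (an object given as address plus mask, a broad mask standing in for a collection of narrower subnets, and a negated object used as "everything else") can be modelled with standard netmask arithmetic. The following is an added example, not code from the original post or from Firewall-1; how FW-1 itself evaluates network objects is exactly the open question, so the mapping of this model onto FW-1 is an assumption. The object names, addresses and the one-rule rule base are constructed for illustration.

```python
# Added example (not from the original post): a model of how a network object
# defined as "address + subnet mask" matches hosts, how a broad mask can stand
# for a collection of narrower subnets, and what a negated object matches.
# Whether Firewall-1 applies exactly these semantics is an assumption here;
# the code shows only the standard netmask arithmetic.
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class NetworkObject:
    """An address plus mask, optionally negated ("everything else")."""
    name: str
    address: str
    netmask: str
    negate: bool = False

    @property
    def network(self) -> ipaddress.IPv4Network:
        # strict=False clears the host bits, so 10.5.7.9 / 255.0.0.0 -> 10.0.0.0/8.
        # Enter the address with host bits set and they are simply masked off.
        return ipaddress.ip_network(f"{self.address}/{self.netmask}", strict=False)

    def matches(self, host: str) -> bool:
        inside = ipaddress.ip_address(host) in self.network
        return (not inside) if self.negate else inside


def covers(broad: NetworkObject, subnet: NetworkObject) -> bool:
    """True if every address of `subnet` also lies inside `broad`."""
    return subnet.network.subnet_of(broad.network)


@dataclass(frozen=True)
class Rule:
    source: NetworkObject
    destination: NetworkObject
    action: str  # "accept" or "drop"


def first_match(rules, src: str, dst: str) -> str:
    """Action of the first rule whose source and destination both match; default drop."""
    for rule in rules:
        if rule.source.matches(src) and rule.destination.matches(dst):
            return rule.action
    return "drop"


# Constructed objects in the spirit of the question: the whole 10/8 internal
# network as one object (entered with host bits set on purpose), one of its
# /24 subnets, and "not internal" as the negated object standing for the Internet.
INTERNAL = NetworkObject("internal-net", "10.5.7.9", "255.0.0.0")
ENG_SUBNET = NetworkObject("eng-subnet", "10.20.30.0", "255.255.255.0")
NOT_INTERNAL = NetworkObject("internet", "10.0.0.0", "255.0.0.0", negate=True)

# Constructed rule base: internal hosts may reach the outside; nothing else is accepted.
RULES = [Rule(INTERNAL, NOT_INTERNAL, "accept")]


def demo() -> dict:
    """Evaluate the constructed objects against constructed sample addresses."""
    return {
        "masked_network": str(INTERNAL.network),            # "10.0.0.0/8"
        "host_bits_ignored": INTERNAL.matches("10.200.3.4"),
        "eng_in_internal": covers(INTERNAL, ENG_SUBNET),
        "outside_is_not_internal": NOT_INTERNAL.matches("192.0.2.10"),
        # 198.51.100.5 stands for a constructed DMZ address: the negated
        # object matches it too, so "not internal" is broader than "Internet".
        "dmz_also_not_internal": NOT_INTERNAL.matches("198.51.100.5"),
        "outbound": first_match(RULES, "10.20.30.40", "192.0.2.10"),
        "inbound": first_match(RULES, "192.0.2.10", "10.20.30.40"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Two points the model makes visible: a 255.0.0.0 mask on any 10.x.y.z address covers every 255.255.255.0 subnet underneath it, so one object can represent the whole internal network regardless of how it is subnetted internally; and a negated "internal" object matches the DMZ's own addresses as well as the Internet, so a rule written against it is broader than its name suggests unless the DMZ is given its own object.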