Can someone please help with the following question concerning
Checkpoint's FW-1 software:
Is it possible to restrict the enforcement of a rule to
a specific interface on the firewall gateway, and if so, how
do you do it?
The firewall gateway in question has 3 (physically distinct) network
interfaces: internal, external, DMZ.
An http server sits on the DMZ.
We wish to allow external (Internet) users to access the http server.
We wish to prevent internal users from accessing the http server.
The internal networks are numerous and we do not wish to list them all as
objects in the network objects database.
So something like the following won't do (because the group "INT NET"
consisting of all internal networks is too complex):

  Source    Destination   Services   Action   Install On
  Any       http-server   http       allow    gateway
  INT NET   http-server   http       deny     gateway
  Any       Any           Any        deny     gateway   (default rule)
We wish to have a rule something like:

  Source    Destination   Services   Action   Install On
  Any       http-server   http       allow    gateway's external interface
  Any       Any           Any        deny     gateway   (default rule)
In this case the default rule would prevent internal users from
accessing the http-server without us having to add a specific
rule for internal networks.
Can it be done?
Our FW-1 technical support have been looking at this
question for weeks and have finally come back and (after talking
to Checkpoint) said that it can't be done unless we list all the internal
network objects in a group "INT NET".
The Firewall 3.0 manual implies that it can be done:
"The only way to restrict the enforcement of a rule to a specific
interface is by using INSPECT" (FW-1 v3.0 manual, p. 355)
but there are no details of how to do it using INSPECT. (The GUI
doesn't allow you to do it.)
Vivek Sajip
ttwvms @ aie . lreg . co . uk
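The risk behind the question above is worth seeing concretely: a rule base that relies on enumerating every internal network silently fails open for any network that was left out of the group, whereas a rule bound to the external ingress interface fails closed. The following is an added illustration, not code from the original post and not Check Point FW-1 or INSPECT code: a small first-match (top-down, first matching rule wins) packet-filter model. All addresses, interface names, the "INT NET" contents and the "forgotten" network 10.3.0.0/16 are constructed assumptions, and the enumerated rule base places the INT NET deny above the allow so that the enumeration approach works at all under first-match evaluation.

```python
"""Constructed first-match rule-base model (added example, not FW-1 code).

Every address, interface name and network list below is an assumption
made for illustration. Rules are evaluated top-down, first match wins,
and anything unmatched is implicitly denied.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

ANY = "Any"


@dataclass(frozen=True)
class Packet:
    src: str        # source IP address
    dst: str        # destination IP address
    service: str    # e.g. "http"
    ingress: str    # gateway interface the packet arrived on


@dataclass(frozen=True)
class Rule:
    src: object             # ANY or a tuple of CIDR strings
    dst: object             # ANY or a tuple of CIDR strings
    service: str            # ANY or a service name
    action: str             # "allow" or "deny"
    ingress: Optional[str] = None   # None = enforced on every interface


def _addr_match(spec, addr: str) -> bool:
    """True if addr falls inside any network in spec (or spec is ANY)."""
    if spec == ANY:
        return True
    ip = ip_address(addr)
    return any(ip in ip_network(net) for net in spec)


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    if rule.ingress is not None and rule.ingress != pkt.ingress:
        return False
    if rule.service != ANY and rule.service != pkt.service:
        return False
    return _addr_match(rule.src, pkt.src) and _addr_match(rule.dst, pkt.dst)


def evaluate(rules, pkt: Packet) -> str:
    """Return the action of the first matching rule; deny if none matches."""
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule.action
    return "deny"


HTTP_SERVER = ("192.0.2.10/32",)            # hypothetical DMZ web server
INT_NET = ("10.1.0.0/16", "10.2.0.0/16")    # enumerated internal nets;
                                            # 10.3.0.0/16 was left out

# Rule base A: enumerate internal networks (deny placed above the allow).
RULES_ENUMERATED = [
    Rule(INT_NET, HTTP_SERVER, "http", "deny"),
    Rule(ANY, HTTP_SERVER, "http", "allow"),
    Rule(ANY, ANY, ANY, "deny"),
]

# Rule base B: allow bound to the external ingress interface only.
RULES_INTERFACE_BOUND = [
    Rule(ANY, HTTP_SERVER, "http", "allow", ingress="external"),
    Rule(ANY, ANY, ANY, "deny"),
]

# Constructed sample traffic: one Internet client, one listed internal
# host, and one host on the internal network nobody added to INT NET.
SAMPLE_PACKETS = {
    "external_user": Packet("198.51.100.5", "192.0.2.10", "http", "external"),
    "listed_internal": Packet("10.1.0.5", "192.0.2.10", "http", "internal"),
    "unlisted_internal": Packet("10.3.0.7", "192.0.2.10", "http", "internal"),
}


def compare(rules_a, rules_b, packets=SAMPLE_PACKETS):
    """Map packet name -> (decision under rules_a, decision under rules_b)."""
    return {name: (evaluate(rules_a, p), evaluate(rules_b, p))
            for name, p in packets.items()}


if __name__ == "__main__":
    for name, (a, b) in compare(RULES_ENUMERATED, RULES_INTERFACE_BOUND).items():
        print(f"{name:18} enumerated={a:5} interface-bound={b}")
```

Running the model shows the two rule bases agreeing on the Internet client (allowed) and on the listed internal host (denied), and disagreeing only on the unlisted internal host: the enumerated rule base allows it because 10.3.0.0/16 never made it into INT NET, while the interface-bound rule base denies it because the packet did not arrive on the external interface. That is exactly why binding the allow rule to an interface removes the need to keep the internal-network group complete.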