Firewall Wizards mailing list archives

RE: meaning of "both" in a filter statement


From: john madincea <JMadincea () compuserve com>
Date: Tue, 28 Jul 1998 19:53:58 -0400

Hal,

there may be other vendor products using this operand, however
I've only seen it used within the IBM firewall (formerly called
Secured Network Gateway).  

Its context within this package is used in 2 ways.  The first
describes which interface the rule is permitted or denied
on.  An example using "both" might include allowing users from
the unsecure (internet) and secured (your wan) interfaces to 
HTTP to a webserver in the DMZ off a third interface.  Therefore, it 
allows you to write fewer rules.  You have to weigh whether 
its conciseness is more useful than writing more rules.  If you 
were ever exposed to C code you'll know what I mean.  Some people 
write code and document it very well, while others try to condense 
it making it harder to understand and maintain.

The second use has to do with the routing of the packet.  In this
case the packet can be destined for the firewall or some other
host. Suppose a service (like telnet) is running on a remote host that
your internal clients want to connect to.  Suppose for some reason
that you as the administrator also need to telnet to this host.  In 
this case you can create generic rules that allow the responses from 
the remote host to respond to your firewall (your sessions) and internal 
client sessions.  In this case if you did not use "both" you would have to 
write more rules to allow this to happen.  The pros and cons are similar
to the HTTP example above.

Please note that I am not advocating that you utilize this feature as I 
have found that it's best to explicitly write more rules that are easier to
maintain.  Give consideration to your peers and anyone that may perform
your job in the future.  You also have to consider all of the other 
operands being used too.  

Good Luck,

John Madincea
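As an added illustration of the two uses described above (not code from the thread or from the IBM product): a small Python model in which a rule's "both" operand is expanded into the explicit rules it stands for, then evaluated first-match against constructed packets. The value names "secure"/"nonsecure" and "local"/"route", the addresses and the ports are all assumptions made for the example.

```python
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Rule:
    action: str      # "permit" or "deny"
    interface: str   # "secure", "nonsecure" or "both" (assumed names)
    routing: str     # "local" (to the firewall), "route" (through it) or "both"
    src: str         # CIDR prefix
    sport: str       # port number as text, or "any"
    dst: str
    dport: str

def expand(rule):
    """Rewrite a rule that uses 'both' into the explicit rules it stands for."""
    ifaces = ["secure", "nonsecure"] if rule.interface == "both" else [rule.interface]
    routes = ["local", "route"] if rule.routing == "both" else [rule.routing]
    return [replace(rule, interface=i, routing=r) for i in ifaces for r in routes]

def matches(rule, pkt):
    """Exact interface/routing match, prefix match on addresses, port or 'any'."""
    return (rule.interface == pkt["iface"] and rule.routing == pkt["routing"]
            and ip_address(pkt["src"]) in ip_network(rule.src)
            and ip_address(pkt["dst"]) in ip_network(rule.dst)
            and rule.sport in ("any", pkt["sport"]) and rule.dport in ("any", pkt["dport"]))

def decide(rules, pkt, default="deny"):
    """First-match evaluation; a 'both' rule counts as each of its expansions."""
    for rule in rules:
        if any(matches(r, pkt) for r in expand(rule)):
            return rule.action
    return default

# Constructed rule set for the two scenarios in the reply (addresses made up).
RULES = [
    # HTTP to the DMZ web server from either interface: one rule instead of two.
    Rule("permit", "both", "route", "0.0.0.0/0", "any", "192.0.2.10/32", "80"),
    # Telnet replies from the remote host to the firewall (local) or an inside client (route).
    Rule("permit", "nonsecure", "both", "198.51.100.5/32", "23", "0.0.0.0/0", "any"),
]

def demo():
    """Decisions for constructed packets; the last one falls to the default deny."""
    keys = ("iface", "routing", "src", "sport", "dst", "dport")
    pkts = {
        "http_from_internet": ("nonsecure", "route", "203.0.113.7", "40001", "192.0.2.10", "80"),
        "http_from_wan": ("secure", "route", "10.1.1.20", "40002", "192.0.2.10", "80"),
        "telnet_reply_to_firewall": ("nonsecure", "local", "198.51.100.5", "23", "192.0.2.1", "1025"),
        "telnet_reply_to_client": ("nonsecure", "route", "198.51.100.5", "23", "10.1.1.20", "1026"),
        "smtp_from_remote": ("nonsecure", "route", "198.51.100.5", "25", "10.1.1.20", "1027"),
    }
    return {name: decide(RULES, dict(zip(keys, p))) for name, p in pkts.items()}
```

Reading the expanded list back (`expand(r)` for each rule) is the quickest way to see exactly which explicit rules a "both" shorthand commits you to, which is the maintainability trade-off the reply describes.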


-------------Forwarded Message-----------------

From:   Hal, INTERNET:hal () mrj com
To:     "'firewall-wizards () nfr com'", INTERNET:firewall-wizards () nfr net
        
Date:   7/28/98  1:45 AM

RE:     meaning of "both" in a filter statement

From: Hal <hal () mrj com>
To: "'firewall-wizards () nfr com'" <firewall-wizards () nfr net>
Subject: meaning of "both" in a filter statement
Date: Mon, 27 Jul 1998 11:01:33 -0700

This is something of a newbie question but I wonder if anyone can set me straight on it:

Many firewalls have rules in the form  (Action, interface, source, source-port, destination dest-port)
where action is the usual permit/deny, interface is outside or inside, source, destination are what they say and permit 
wild cards (subnets). OK. 

My question is this.  On some firewalls the interface spec also includes (besides terms for inside, outside, 3rd) a
term "both." That means apply the permit/deny on traffic appearing at both inside (trusted) and outside (internet) 
interfaces. 

This at first glance seems absurd.  It means that traffic going to D from S can move in either direction across the FW. 
A very unusual arrangement with almost no uses.  Obviously there must be a more reasonable explanation.

Has anyone found an explanation for what "both" really does?


Regards Hal
hal () mrj com
