Firewall Wizards mailing list archives
RE: Questions about converting FW-1 ruleset to PIX - sort of...
From: "Behm, Jeffrey L." <BehmJL () bvsg com>
Date: Tue, 24 Jan 2006 09:02:53 -0600
On Monday, January 23, 2006 4:55 PM, nick leachman so spake:
My question is: What is the purpose of having the servers "and" the dmz network listed in the destination? Is this necessary?
How "old" is the CP? Perhaps those servers were at one time on a different network than the "DMZ" and now that they are on the same network the rule is now redundant. Because the rulesets usually change over time, it is not out of the question that the rules made sense at one point in time, but now do not. The "deny by network" rule should cover it. Don't put in rules that don't make sense. If you don't understand them, then you are apt to mess them up and make things worse.

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards