Firewall Wizards: RE: meaning of "both" in a filter statement

RE: meaning of "both" in a filter statement

From: john madincea <JMadincea_at_compuserve.com>
Date: Tue, 28 Jul 1998 19:53:58 -0400

Hal,

There may be other vendor products using this operand, however
I've only seen it used within the IBM firewall (formerly called
Secured Network Gateway).

Its context within this package is used in 2 ways. The first
describes which interface the rule is permitted or denied
on. An example using "both" might include allowing users from
the unsecure (internet) and secured (your wan) interfaces to
HTTP to a webserver in the DMZ off a third interface. Therefore, it
allows you to write fewer rules. You have to weigh whether
its conciseness is more useful than writing more rules. If you
were ever exposed to C code you'll know what I mean. Some people
write code and document it very well, while others try to condense
it, making it harder to understand and maintain.

The second use has to do with the routing of the packet. In this
case the packet can be destined for the firewall or some other
host. Suppose a service (like telnet) is running on a remote host that
your internal clients want to connect to. Suppose for some reason
that you as the administrator also need to telnet to this host. In
this case you can create generic rules that allow the responses from
the remote host to respond to your firewall (your sessions) and internal
client sessions. In this case if you did not use "both" you would have to
write more rules to allow this to happen. The pros and cons are similar
to the HTTP example above.

Please note that I am not advocating that you utilize this feature, as I
have found that it's best to explicitly write more rules that are easier to
maintain. Give consideration to your peers and anyone that may perform
your job in the future. You also have to consider all of the other
operands being used too.

Good Luck,

John Madincea

-------------Forwarded Message-----------------

From: Hal, INTERNET:hal_at_mrj.com
To: "'firewall-wizards_at_nfr.com'", INTERNET:firewall-wizards_at_nfr.net
Date: 7/28/98 1:45 AM

RE: meaning of "both" in a filter statement

From: Hal <hal_at_mrj.com>
To: "'firewall-wizards_at_nfr.com'" <firewall-wizards_at_nfr.net>
Subject: meaning of "both" in a filter statement
Date: Mon, 27 Jul 1998 11:01:33 -0700
Reply-To: Hal <hal_at_mrj.com>

This is something of a newbie question but I wonder if anyone can set me straight on it:

Many firewalls have rules in the form (Action, interface, source, source-port, destination, dest-port)
where action is the usual permit/deny, interface is outside or inside, source, destination are what they say and permit
wild cards (subnets). OK.

My question is this. On some firewalls the interface spec also includes (besides terms for inside, outside, 3rd) a
term "both." That means apply the permit/deny on traffic appearing at both inside (trusted) and outside (internet) interfaces.

This at first glance seems absurd. It means that traffic going to D from S can move in either direction across the FW. A very unusual arrangement with almost no uses. Obviously there must be a more reasonable explanation.

Has anyone found an explanation for what "both" really does?

Regards, Hal
hal_at_mrj.com
Received on Aug 02 1998
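As an added illustration of the two meanings John describes (and of Hal's question), not code from the thread or from the IBM product: a small rule model where "both" on the interface field matches packets arriving on either interface, and "both" on the routing field matches packets destined for the firewall itself as well as forwarded packets. The field names "secure"/"nonsecure" and "local"/"route", the CIDR format and the first-match, default-deny evaluation are assumptions of this example. It also includes `expand()`, which rewrites a "both" rule into the explicit rules John recommends for maintainability.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumed field values for this example: interface a packet arrived on, and whether
# it is addressed to the firewall itself ("local") or forwarded to another host ("route").
INTERFACES = ("secure", "nonsecure")
ROUTING = ("local", "route")


@dataclass(frozen=True)
class Rule:
    action: str       # "permit" or "deny"
    interface: str    # "secure", "nonsecure" or "both"
    routing: str      # "local", "route" or "both"
    src: str          # CIDR
    dst: str          # CIDR
    dport: int


@dataclass(frozen=True)
class Packet:
    interface: str
    routing: str
    src: str
    dst: str
    dport: int


def expand(rule):
    """Rewrite one rule that uses 'both' into the equivalent explicit rules."""
    ifaces = INTERFACES if rule.interface == "both" else (rule.interface,)
    routes = ROUTING if rule.routing == "both" else (rule.routing,)
    return [Rule(rule.action, i, r, rule.src, rule.dst, rule.dport)
            for i in ifaces for r in routes]


def matches(rule, pkt):
    return (rule.interface in ("both", pkt.interface)
            and rule.routing in ("both", pkt.routing)
            and ip_address(pkt.src) in ip_network(rule.src)
            and ip_address(pkt.dst) in ip_network(rule.dst)
            and rule.dport == pkt.dport)


def decide(rules, pkt):
    """First-match evaluation with an implicit default deny."""
    for r in rules:
        if matches(r, pkt):
            return r.action
    return "deny"


# Constructed sample: John's HTTP case, a DMZ web server reachable from both
# interfaces, but only as forwarded traffic, never when addressed to the firewall.
HTTP_RULE = Rule("permit", "both", "route", "0.0.0.0/0", "192.0.2.10/32", 80)
```

Running `expand(HTTP_RULE)` yields two explicit rules, one per interface, that produce the same decisions as the single "both" rule.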
