From: Erich Titl <erich.titl@th...> - 2004-11-15 17:05:22
I have the following policy rules defined on a firewall
Rule  Src  Dst  Service       Action  Time
0)    Any  Any  ip_fragments  Deny    Any
1)    Any  Any  Useful_ICMP   Allow   Any
The compiler barfs at me with rule 0 shadowing rule 1. This used to pass (at least some time ago).
PGP Fingerprint: BC9A 25BC 3954 3BC8 C024 8D8A B7D4 FF9D 05B8 0A16
On Nov 15, 2004, at 9:05 AM, Erich Titl wrote:
> I have the following policy rules defined on a firewall
> Rule  Src  Dst  Service       Action  Time
> 0)    Any  Any  ip_fragments  Deny    Any
> 1)    Any  Any  Useful_ICMP   Allow   Any
> The compiler barfs at me with rule 0 shadowing rule 1. This used to
> pass (at least some time ago).
This is because of the change I've done recently to make IP service objects
with protocol '0' shade everything. This makes sense since such a service
object essentially means any service, just like 'any'.
The code did not check for IP flags though, so an IP service object with
protocol '0' and some flags still shades everything. I am going to
change it so it will take a more conservative approach and not assume
that. The IP service with protocol '0' and any flag(s) set will only
shade another IP service object with the same combination of flags.
> Püntenstrasse 39
> 8143 Stallikon
> PGP Fingerprint: BC9A 25BC 3954 3BC8 C024 8D8A B7D4 FF9D 05B8 0A16
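To make the shadowing rule discussed above concrete, here is an added toy model of the check (example code, not fwbuilder's own implementation). It compares the old behaviour, where any IP service with protocol '0' shades every later rule, with the conservative behaviour the reply describes, where protocol '0' plus flags only shades services carrying the same flags. The IPService/Rule classes, the flag name "fragments" and modelling Useful_ICMP as IP protocol 1 are assumptions made for the example.

```python
from dataclasses import dataclass
from typing import Callable, FrozenSet, List, Tuple


@dataclass(frozen=True)
class IPService:
    """Constructed model of an IP service object (not fwbuilder's class)."""
    name: str
    protocol: int                        # 0 means "any IP protocol"
    flags: FrozenSet[str] = frozenset()  # IP flags/options, e.g. {"fragments"}


@dataclass(frozen=True)
class Rule:
    number: int
    service: IPService  # src/dst omitted: both rules in the thread use Any/Any


def shades_old(a: IPService, b: IPService) -> bool:
    """Pre-fix behaviour from the reply: protocol 0 shades everything, flags ignored."""
    if a.protocol == 0:
        return True
    return a.protocol == b.protocol and a.flags == b.flags


def shades_fixed(a: IPService, b: IPService) -> bool:
    """Conservative behaviour: protocol 0 without flags still shades everything,
    but protocol 0 with flags only shades a service with the same flag set."""
    if a.protocol == 0:
        if not a.flags:
            return True
        return b.flags == a.flags
    return a.protocol == b.protocol and a.flags == b.flags


def find_shadowed(rules: List[Rule],
                  shades: Callable[[IPService, IPService], bool]) -> List[Tuple[int, int]]:
    """Return (earlier, later) rule-number pairs where the earlier rule shades the later."""
    hits = []
    for i, earlier in enumerate(rules):
        for later in rules[i + 1:]:
            if shades(earlier.service, later.service):
                hits.append((earlier.number, later.number))
    return hits


# Constructed sample mirroring the thread; ICMP modelled as IP protocol 1 (assumption).
ip_fragments = IPService("ip_fragments", protocol=0, flags=frozenset({"fragments"}))
useful_icmp = IPService("Useful_ICMP", protocol=1)
any_ip = IPService("any", protocol=0)
POLICY = [Rule(0, ip_fragments), Rule(1, useful_icmp)]

if __name__ == "__main__":
    print("old compiler:", find_shadowed(POLICY, shades_old))      # [(0, 1)]
    print("fixed compiler:", find_shadowed(POLICY, shades_fixed))  # []
```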