Any does not mean Any Service

Some services are not matched by a rule whose Service column is "Any"; this is expected behaviour, not a bug. They are the services that need calls into INSPECT code inside FireWall-1 to be handled correctly (data-connection tracking, port negotiation and the like), and that code is only engaged when the service is referenced explicitly in a rule or enabled in Policy Properties. A rule with Service "Any" therefore does not allow them.

In NG, each service defined in the GUI has a "Match for Any" checkbox in its advanced properties. If it is checked, the service is included in "Any"; services without it are excluded from the "Any" definition, so they need a rule that names them.

The following is a non-exhaustive list of services in FireWall-1 4.1 and earlier that require a rule naming the service explicitly (i.e. "Any" will not allow them). It was derived from a cursory look at the INSPECT files included in $FWDIR/lib:
- FTP
- RPC
- sunRSH
- REXEC
- VDLLive
- Real Audio
- RTSP
- SQL*Net2
- FreeTel
- CoolTalk
- H.323
- NetShow
- Winframe
- Backweb
- IIOP
- CVP
- X11
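To make the consequence concrete, here is an added example (not part of the original FAQ or of Check Point's code) that models the NG semantics: a parser for a constructed, objects-file-style fragment in which each service carries a Match-for-Any flag, and a first-match rulebase walk in which "Any" covers a connection only if it does not belong to a service excluded from "Any". The attribute name include_in_any_rule, the sample services and the addresses are assumptions for illustration; check the real attribute against your own $FWDIR/conf copy before relying on it.

```python
import re
from typing import Dict, List, NamedTuple, Optional, Tuple


class Service(NamedTuple):
    name: str
    proto: str
    port_lo: int
    port_hi: int
    match_for_any: bool


class Rule(NamedTuple):
    src: str
    dst: str
    services: List[str]   # service object names, or ["Any"]
    action: str


# Constructed fragment written in the style of a Check Point objects file.
# The attribute name include_in_any_rule is an assumption about what the NG
# "Match for Any" checkbox writes; verify it against your own $FWDIR/conf.
SAMPLE_OBJECTS = """
:services (
\t: (http
\t\t:type (tcp)
\t\t:port (80)
\t\t:include_in_any_rule (true)
\t)
\t: (ftp
\t\t:type (tcp)
\t\t:port (21)
\t\t:include_in_any_rule (false)
\t)
\t: (X11
\t\t:type (tcp)
\t\t:port (6000-6063)
\t\t:include_in_any_rule (false)
\t)
)
"""


def parse_services(text: str) -> Dict[str, Service]:
    """Collect each service object and its Match-for-Any flag from the fragment."""
    services: Dict[str, Service] = {}
    for m in re.finditer(r": \((?P<name>[^\s()]+)\n(?P<body>.*?)\n[ \t]*\)", text, re.S):
        attrs = dict(re.findall(r":(\w+) \(([^)]*)\)", m.group("body")))
        lo, _, hi = attrs["port"].partition("-")     # single port or lo-hi range
        services[m.group("name")] = Service(
            name=m.group("name"),
            proto=attrs["type"],
            port_lo=int(lo),
            port_hi=int(hi or lo),
            # Assumed default: a service carrying no flag behaves as Match for Any.
            match_for_any=attrs.get("include_in_any_rule", "true") == "true",
        )
    return services


def matching_services(services: Dict[str, Service], proto: str, port: int) -> List[Service]:
    """All defined services whose protocol/port range cover this connection."""
    return [s for s in services.values()
            if s.proto == proto and s.port_lo <= port <= s.port_hi]


def rule_covers(rule: Rule, services: Dict[str, Service], proto: str, port: int) -> bool:
    hits = matching_services(services, proto, port)
    for name in rule.services:
        if name == "Any":
            # "Any" covers the connection unless it belongs to a service that is
            # excluded from Any (Match for Any unchecked, i.e. needs INSPECT code).
            if not any(not s.match_for_any for s in hits):
                return True
        elif any(s.name == name for s in hits):
            return True
    return False


def evaluate(rulebase: List[Rule], services: Dict[str, Service],
             src: str, dst: str, proto: str, port: int) -> Tuple[Optional[int], str]:
    """First-match walk of the rulebase; no match means the implicit drop."""
    for number, rule in enumerate(rulebase, start=1):
        if (rule.src in ("Any", src) and rule.dst in ("Any", dst)
                and rule_covers(rule, services, proto, port)):
            return number, rule.action
    return None, "drop"


def excluded_from_any(services: Dict[str, Service]) -> List[str]:
    """Audit helper: services that a Service=Any rule will never allow."""
    return sorted(s.name for s in services.values() if not s.match_for_any)


if __name__ == "__main__":
    svcs = parse_services(SAMPLE_OBJECTS)
    print("excluded from Any:", excluded_from_any(svcs))
    any_only = [Rule("Any", "Any", ["Any"], "accept")]
    fixed = [Rule("Any", "192.0.2.10", ["ftp"], "accept")] + any_only
    for base, label in ((any_only, "Any only"), (fixed, "explicit ftp + Any")):
        for port in (80, 21, 6001, 12345):
            print(label, "tcp/%d ->" % port, evaluate(base, svcs, "10.1.1.5", "192.0.2.10", "tcp", port))
```

With the single "Any" rule, tcp/80 and an undefined port such as tcp/12345 are accepted, while tcp/21 (ftp) and tcp/6001 (X11) fall through to the implicit drop; adding a rule that names ftp explicitly before the "Any" rule is what makes tcp/21 accepted. The same check can be run against an exported objects file to list every service a Service=Any rule silently leaves out.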
--
GuyR - 15 Jan 2004