Allow Out-of-State Packets for specific TCP services

I would like to allow out-of-state packets through the Check Point without disabling it under the global properties. From reading a previous posting, this can be accomplished by editing $FWDIR/lib/user.def on the management station and adding the following:

    deffunc user_accept_non_syn() { (src=x.y.z.w, dst=a.b.c.d) or (src=a.b.c.d, dst=x.y.z.w) or dport=22 };

However, my question is whether I can specify a network/subnet IP address instead of using host IP addresses. Thanks.