RE: Priority of Firewall Rules

  • From: Jim Harrison <jim@xxxxxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Fri, 01 Oct 2004 06:11:17 -0700

Here's the deal; since you want to limit DNS to a specific computer,
1 - step away from the "Users" tab in the DNS rule
2 - place your anonymous (DNS) rules before your authentication (user-specific)
rules or the anonymous connection will fail for lack of authentication.
3 - use subnet, address set, computer, <blah-blah>, anything EXCEPT users in
the anonymous rule (DNS)
4 - leave the "Users" tab empty, or select "All Users", but nothing else
5 - in the "From" tab, select (may have to create) the computer object that
represents the DNS server


  Jim Harrison
  MCP(NT4, W2K), A+, Network+, PCG
  http://isaserver.org/Jim_Harrison/
  http://isatools.org
  Read the help / books / articles!


On Fri,  1 Oct 2004 00:27:23 -0700
 <auto122605@xxxxxxxxxxxx> wrote:
http://www.ISAserver.org

Hi Jim,

What do you mean no user tab for computer object?  What you are saying
is creating a server publishing rule, right?  Though what I am doing is
an access rule, not a server publishing rule, therefore there is the
user tab.

Also I do not want to publish the DNS server, I just want it to be able
to make requests (DNS) to the internet; it's an internal DNS server.

Now in the user's tab what shall I specify?  If I specify nothing it
won't work, not even if I specify System and Network Service.

Any idea?

Regards,
Nick Holmes

On Thu, 30 Sep 2004 08:00:57 -0700 Jim Harrison <jim@xxxxxxxxxxxx> wrote:
>
>Don't use the Users tab for a computer object.
>Use the "From" tab and select the desired item from the "Computers" list in
>"Network Objects" when you click "Add".
>
>  Jim Harrison
>  MCP(NT4, W2K), A+, Network+, PCG
>  http://isaserver.org/Jim_Harrison/
>  http://isatools.org
>  Read the help / books / articles!
>
>----- Original Message ----- 
>From: <auto122605@xxxxxxxxxxxx>
>To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
>Sent: Thursday, September 30, 2004 07:19
>Subject: [isalist] RE: Priority of Firewall Rules
>
>
>
>Hi,
>
>That is what I am doing in fact...
>
>the rule is:
>
>from : xxx.xxx.xxx.xxx (which is the internal IP of the DNS server)
>to : external
>Protocol: DNS
>User - what do I specify here?  If I leave it empty it won't work at all!
>
>Any idea?
>
>On Thu, 30 Sep 2004 06:38:49 -0700 Jim Harrison <jim@xxxxxxxxxxxx>
>wrote:
>>
>>"There are other tabs than these"
>>(three social points if you can identify author, book, character
>>for this mangled misquote)
>>
>>Use the "From" tab when you want to create "non-human" limitations
>>in your rules.
>>
>>  Jim Harrison
>>  MCP(NT4, W2K), A+, Network+, PCG
>>  http://isaserver.org/Jim_Harrison/
>>  http://isatools.org
>>  Read the help / books / articles!
>>
>>
>>On Thu, 30 Sep 2004 00:45:01 -0700
>> <auto122605@xxxxxxxxxxxx> wrote:
>>
>>Hi Tom,
>>
>>Thanks for your reply.  Regarding creating a computer object, in the
>>users section you can only specify a user right or a group?  Correct me
>>if I am wrong.. also can you explain further regarding this issue (Creating
>>a computer account instead of everyone)?
>>
>>Cause I already asked once in the mailing list about this but never
>>got a reply.
>>
>>On Wed, 29 Sep 2004 08:34:40 -0700 Thomas W Shinder <tshinder@xxxxxxxxxxx>
>>wrote:
>>>
>>>Also, don't allow EVERYONE to use DNS. Create a computer object
>>>for your DNS server.
>>>
>>>HTH
>>>
>>>Tom
>>>www.isaserver.org/shinder
>>>Get the book!
>>>Tom and Deb Shinder's Configuring ISA Server 2004
>>>http://tinyurl.com/3xqb7
>>>MVP -- ISA Firewalls
>>>
>>>
>>>
>>>-----Original Message-----
>>>From: auto122605@xxxxxxxxxxxx [mailto:auto122605@xxxxxxxxxxxx]
>>>
>>>Sent: Wednesday, September 29, 2004 10:12 AM
>>>To: [ISAserver.org Discussion List]
>>>Subject: [isalist] Priority of Firewall Rules
>>>
>>>
>>>
>>>I have just 2 rules on my ISA 2K4 which are:
>>>
>>>(Rule 1)
>>>Allow - (From) xxx.xxx.xxx.xxx to  external
>>>Protocol - DNS 
>>>Users - All users
>>>
>>>and 
>>>
>>>(Rule 2)
>>>Allow - (From) Internal network to external 
>>>Protocol - Any
>>>Users - User1
>>>
>>>Like this I have a DNS server which uses forwarders from the internet
>>>and is used as an internal network DNS Server.  When I move Rule 2
>>>before Rule 1 the DNS stops working.  How is this behaviour?  Is it cause
>>>Rule 2 allows only a specific user to access the internet, therefore
>>>automatically all other users are denied?  And therefore the DNS Server
>>>stops working?
>>>
>>>
>>>Thanks..
>>>Nick Holmes
>>>
>>>
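As an added illustration (not part of this thread and not ISA Server code), the following Python models the first-match rule evaluation that Jim's ordering advice relies on: rules are checked top to bottom; a rule whose Users tab is anything other than "All Users" requires the connection to be authenticated; and a SecureNAT client such as an internal DNS server has no credentials to present, so if the first rule that matches its traffic demands a user, the request is denied before any later anonymous rule is reached. The two rules are Nick's Rule 1 and Rule 2 from the thread; the addresses, rule names and user names are constructed.

```python
"""Toy first-match evaluator for ordered firewall access rules, modelled on the
ISA Server 2004 behaviour described in the thread. Added example, not ISA code;
all addresses and names below are constructed."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List, Optional, Set, Tuple

ALL_USERS = "All Users"   # the anonymous setting for the Users tab


@dataclass
class Rule:
    """One access rule, reduced to the tabs the thread talks about."""
    name: str
    action: str                      # "allow" or "deny"
    sources: List[str]               # "From" tab: CIDR strings (a computer object is a /32)
    protocols: Set[str]              # "Protocol" tab: {"DNS"}, or {"*"} for Any
    users: Set[str] = field(default_factory=lambda: {ALL_USERS})  # "Users" tab

    def matches_traffic(self, src: str, proto: str) -> bool:
        """Source and protocol match, ignoring the Users tab."""
        in_source = any(ip_address(src) in ip_network(net) for net in self.sources)
        in_proto = "*" in self.protocols or proto in self.protocols
        return in_source and in_proto

    def requires_auth(self) -> bool:
        """Anything other than All Users forces the firewall to ask who the user is."""
        return self.users != {ALL_USERS}


@dataclass
class Request:
    src: str
    proto: str
    user: Optional[str] = None       # None: SecureNAT client, cannot present credentials


def evaluate(rules: List[Rule], req: Request) -> Tuple[str, str]:
    """First-match evaluation in the order the rules are listed.

    Returns (decision, reason). The modelled behaviour: when the first rule that
    matches the traffic requires authentication and the client cannot
    authenticate, the request is denied right there."""
    for rule in rules:
        if not rule.matches_traffic(req.src, req.proto):
            continue
        if rule.requires_auth():
            if req.user is None:
                return "deny", f"{rule.name}: authentication required, client cannot authenticate"
            if req.user not in rule.users:
                continue   # authenticated but not one of this rule's users; keep looking
        return rule.action, rule.name
    return "deny", "default rule"


# Constructed topology: internal network and the DNS server's computer object.
INTERNAL = "10.0.0.0/24"
DNS_SERVER = "10.0.0.53"

# Rule 1 as posted: From = the DNS server, Protocol = DNS, Users = All Users.
RULE_DNS = Rule("Rule 1 - DNS server out", "allow", [f"{DNS_SERVER}/32"], {"DNS"})
# Rule 2 as posted: From = Internal, Protocol = Any, Users = User1.
RULE_USER1 = Rule("Rule 2 - User1 anything", "allow", [INTERNAL], {"*"}, {"User1"})

# The two orderings Nick compared.
ANON_FIRST = [RULE_DNS, RULE_USER1]
AUTH_FIRST = [RULE_USER1, RULE_DNS]


def dns_server_lookup(order: List[Rule]) -> Tuple[str, str]:
    """The DNS server (no credentials) forwarding a query to the internet."""
    return evaluate(order, Request(DNS_SERVER, "DNS"))


def main() -> None:
    for label, order in (("anonymous rule first", ANON_FIRST), ("user rule first", AUTH_FIRST)):
        print(f"{label:22s} DNS server -> {dns_server_lookup(order)}")
    # Tom's point: another internal host is not the DNS server's computer object.
    print("other host, anonymous  DNS ->", evaluate(ANON_FIRST, Request("10.0.0.20", "DNS")))
    print("User1 web browsing         ->", evaluate(AUTH_FIRST, Request("10.0.0.20", "HTTP", "User1")))


if __name__ == "__main__":
    main()
```

With the DNS rule first the server's query is allowed by Rule 1; with the User1 rule first the same query hits Rule 2, which demands a user the DNS server cannot supply, and the evaluation stops with a denial, which is exactly the "DNS stops working" symptom described above. Authenticated User1 traffic is allowed in either order, and a host other than the DNS server's computer object gets no anonymous DNS path at all.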