RE: Firewall Policy Rules Order

  • From: Jim Harrison <jim@xxxxxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Tue, 05 Oct 2004 22:56:05 -0700

Again, that's incorrect; absolutely, positively pay attention to the rule order.
"The effective permissions" are determined by rule order more than any other 
factor.
You ignore this fact at your own risk.

  Jim Harrison
  MCP(NT4, W2K), A+, Network+, PCG
  http://isaserver.org/Jim_Harrison/
  http://isatools.org
  Read the help / books / articles!


On Tue, 5 Oct 2004 22:09:06 -0400
 "Ara Avvali" <ara@xxxxxxxxxx> wrote:
http://www.ISAserver.org

Of course it does. Order of rules makes the passing rule from one to other,
but what I mean is we should look at the result, not the way it is set.
What I meant was to pay attention to the result, not to the rules itself.


-----Original Message-----
From: Jim Harrison [mailto:jim@xxxxxxxxxxxx] 
Sent: October 5, 2004 12:47 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Firewall Policy Rules Order

That statement is absolutely, blatantly incorrect.
Rule order is very much important.
For instance, if you have a rule that allows anonymous SMTP for your mail
server that follows a rule allowing HTTP for authenticated 
users, the mail server will fail at the HTTP rule.

Generally speaking, you want to order your rules as:
Anonymous Deny rules
Anonymous Allow rules
User-based Deny rules
User-based Allow rules

  Jim Harrison
  MCP(NT4, W2K), A+, Network+, PCG
  http://isaserver.org/Jim_Harrison/
  http://isatools.org
  Read the help / books / articles!

----- Original Message ----- 
From: "Ara Avvali" <ara@xxxxxxxxxx>
To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
Sent: Monday, October 04, 2004 04:59
Subject: [isalist] RE: Firewall Policy Rules Order


Hi
Add rules based on group or IP address to it. Also, as far as I know, it
doesn't matter what order they are in; it matters to see what will be the
effective permissions.


-----Original Message-----
From: Raji Arulambalam [mailto:RajiA@xxxxxxxxxxxxxx]
Sent: October 4, 2004 12:28 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] Firewall Policy Rules Order

Hi

I know that the rules are executed top down, but what is best practice in
grouping the rules in Firewall Policy?
1) Outgoing Access rules
2) Incoming Access rules
3) Web Server Publish
4) Mail Server
5) Server Publish


Thanks
Email disclaimer: This email and any attachments are confidential. If you
are not the intended recipient, do not copy, disclose or use the contents in
any way. If you receive this message in error, please let us know by return
email and then destroy the message. Environment Bay of Plenty is not
responsible for any changes made to this message and/or any attachments
after sending.
******************************************************
This e-mail has been checked for viruses and no viruses were detected.

------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Other Internet Software Marketing Sites:
World of Windows Networking: http://www.windowsnetworking.com
Leading Network Software Directory: http://www.serverfiles.com
No.1 Exchange Server Resource Site: http://www.msexchange.org
Windows Security Resource Site: http://www.windowsecurity.com/
Network Security Library: http://www.secinf.net/
Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
ara@xxxxxxxxxx
To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist
Report abuse to listadmin@xxxxxxxxxxxxx
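
The ordering advice in the thread, as an added example that is not part of the original messages or of ISA Server itself: a small first-match evaluator plus a check of a rule list against the four recommended tiers. The `Rule` fields, rule names and the sample policy are constructed for illustration, and matching is simplified to protocol only (authentication handling is not modeled).

```python
from dataclasses import dataclass

# Tier order recommended in the thread; a lower index belongs higher in the policy.
TIERS = [("anonymous", "deny"), ("anonymous", "allow"),
         ("user", "deny"), ("user", "allow")]

@dataclass(frozen=True)
class Rule:
    name: str
    scope: str     # "anonymous" = applies to all users, "user" = tied to a user set
    action: str    # "allow" or "deny"
    protocol: str  # simplified match criterion (assumption of this sketch)

def tier(rule):
    return TIERS.index((rule.scope, rule.action))

def first_match(policy, protocol):
    """Evaluate top down; the first rule matching the protocol decides."""
    for rule in policy:
        if rule.protocol in (protocol, "any"):
            return rule.action, rule.name
    return "deny", "(default deny)"

def misplaced(policy):
    """Names of rules that sit below a rule belonging to a later tier."""
    names, highest = [], -1
    for rule in policy:
        if tier(rule) < highest:
            names.append(rule.name)
        highest = max(highest, tier(rule))
    return names

def recommended_order(policy):
    """Stable sort into the four tiers; order inside a tier is preserved."""
    return sorted(policy, key=tier)

# Constructed sample policy, deliberately out of order.
MISORDERED = [
    Rule("Staff web", "user", "allow", "HTTP"),
    Rule("All outbound", "anonymous", "allow", "any"),
    Rule("Block SMTP", "anonymous", "deny", "SMTP"),
]

if __name__ == "__main__":
    print("misplaced:", misplaced(MISORDERED))
    print("as written :", first_match(MISORDERED, "SMTP"))
    print("reordered  :", first_match(recommended_order(MISORDERED), "SMTP"))
```

The same three rules give opposite results for SMTP depending only on their position, which is why the order is worth checking before looking at any "effective" result.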