Negation in packet filter

Quick question:

Will it be possible to negate networks and services in future releases?

I.e.:

Allow everything to dmz from all networks EXCEPT internal_net.

I sure hope so.

- Nille


  • Hello Nille.

    Your example:
    Allow everything to dmz from all networks EXCEPT internal_net.

    This is already possible. You have to define two rules in the packet filter:
    1. From internal_net Service Any To dmz Action Drop
    2. From Any Service Any To dmz Action Allow

    Kerim
  • I realize that it's possible. It just looks messy with so many rules when one should be able to suffice. This is a common feature among other firewalls.
  • Hi,

    that's all fine, but what about NAT rules?
    There is no way to define S-NAT with destination "ANY but one special network". Here I need negation in the definition of a network object, right?

    Markus
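The two-rule workaround in Kerim's reply depends on first-match evaluation: the drop rule only does its job because it is checked before the broad allow rule. The following script is an added example, not code from the original thread or from the Sophos/Astaro product. It models a first-match packet filter in Python, compares Kerim's drop-then-allow rule set with a hypothetical rule that carries a source negation flag, and shows what happens when the two rules are entered in the wrong order. The network addresses, the sample packets and the `negate_src` flag are all constructed for illustration; the service column is left at "Any" as in Kerim's rules, so only source and destination are evaluated.

```python
import ipaddress
from dataclasses import dataclass

# Constructed address assignments for the network objects named in the thread.
NETWORKS = {
    "internal_net": ipaddress.ip_network("10.10.0.0/16"),
    "dmz": ipaddress.ip_network("192.168.100.0/24"),
    "any": ipaddress.ip_network("0.0.0.0/0"),
}


@dataclass(frozen=True)
class Rule:
    src: str            # key into NETWORKS
    dst: str            # key into NETWORKS
    action: str         # "allow" or "drop"
    negate_src: bool = False  # hypothetical "NOT source" flag, not a product feature


def matches(rule: Rule, src_ip: str, dst_ip: str) -> bool:
    """True when the packet's source and destination fall inside the rule's objects."""
    src_hit = ipaddress.ip_address(src_ip) in NETWORKS[rule.src]
    if rule.negate_src:
        src_hit = not src_hit
    dst_hit = ipaddress.ip_address(dst_ip) in NETWORKS[rule.dst]
    return src_hit and dst_hit


def evaluate(rules: list[Rule], src_ip: str, dst_ip: str, default: str = "drop") -> str:
    """First-match evaluation: the first rule that matches decides; otherwise the default applies."""
    for rule in rules:
        if matches(rule, src_ip, dst_ip):
            return rule.action
    return default


# Kerim's answer: explicit drop for internal_net first, then allow from any.
KERIM_RULES = [
    Rule("internal_net", "dmz", "drop"),
    Rule("any", "dmz", "allow"),
]

# What a single negated rule would look like if the product supported it.
NEGATED_RULE = [
    Rule("internal_net", "dmz", "allow", negate_src=True),
]

# The same two rules with the order reversed: the drop rule is now unreachable.
WRONG_ORDER = [
    Rule("any", "dmz", "allow"),
    Rule("internal_net", "dmz", "drop"),
]

# Constructed sample traffic: (source, destination).
SAMPLE_PACKETS = [
    ("10.10.5.7", "192.168.100.10"),     # internal_net -> dmz, should be dropped
    ("172.16.3.3", "192.168.100.10"),    # other network -> dmz, should be allowed
    ("203.0.113.9", "192.168.100.20"),   # external -> dmz, should be allowed
    ("10.10.5.7", "172.16.0.1"),         # internal_net -> somewhere else, no rule matches
]


def decisions(rules: list[Rule]) -> list[str]:
    """Evaluate every sample packet against a rule set and return the verdicts in order."""
    return [evaluate(rules, src, dst) for src, dst in SAMPLE_PACKETS]


if __name__ == "__main__":
    for name, rules in (("Kerim's two rules", KERIM_RULES),
                        ("single negated rule", NEGATED_RULE),
                        ("wrong order", WRONG_ORDER)):
        print(f"{name:20s} {decisions(rules)}")
```

Running the script shows that the drop-then-allow pair and the single negated rule produce identical verdicts for every sample packet, while the reversed order lets the internal_net traffic through because the allow rule matches first. That ordering dependence is the practical cost of the workaround: anyone editing the rule list later has to know that the two rules belong together.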