Creating an internet object

Status
Not open for further replies.

saffa2005

Technical User
May 24, 2005
GB
Hi,
What's the best way to create an 'Internet' network object that represents the www?

Do I create a group of network addresses and exclude private network ranges?

Have a few machines on our DMZ that require internet access only, no internal access.

Thanks in advance.
 
Create a group with all your internal objects in it for destination, add it to the rule that will be your access to the internet. Right click on the object in the rule and select negate cell. So the rule would look something like
DMZnodes=>internalnets(negated)=>allowed services=>accept

cheers
 
Thanks for the info.
However, is it not deemed a 'risky' option to negate networks?
Cheers
 
What rn4it's rule is doing is to allow the DMZ machines to send traffic to any network EXCEPT the negated ones.
 
Another way of doing pretty much the same thing would be to have a rule saying

Source - Any
Destination - internal nets
Service - any
Action - drop

and then below it

Source - DMZ servers
Destination - Any
Service - whatever services
Action - Accept

Obviously these would need to be positioned correctly in your policy so they don't drop valid traffic.
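The two rule layouts discussed in this thread, as an added example that is not part of any post and is not the firewall vendor's rule engine: a small top-down, first-match evaluator that compares the negated-destination rule with the drop-then-accept pair, including the pair in the wrong order and an internal group that is missing a range. All address ranges, the port set and the helper names are constructed assumptions.

```python
import ipaddress

# Constructed sample addressing; none of these ranges come from the thread.
INTERNAL = ["10.0.0.0/8", "192.168.0.0/16"]
DMZ = ["172.16.50.0/24"]
ANY = ["0.0.0.0/0"]
WEB = {80, 443}  # stand-in for "allowed services"

def in_nets(ip, nets):
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n) for n in nets)

def rule(src, dst, ports, action, negate_dst=False):
    return {"src": src, "dst": dst, "ports": ports, "action": action,
            "negate_dst": negate_dst}

def evaluate(policy, src, dst, port):
    """Top-down, first match wins; anything unmatched is dropped."""
    for r in policy:
        dst_hit = in_nets(dst, r["dst"]) != r["negate_dst"]  # negation flips the match
        port_hit = r["ports"] is None or port in r["ports"]
        if in_nets(src, r["src"]) and dst_hit and port_hit:
            return r["action"]
    return "drop"

def negated_policy(internal):
    # DMZnodes => internalnets(negated) => allowed services => accept
    return [rule(DMZ, internal, WEB, "accept", negate_dst=True)]

def two_rule_policy(internal):
    # Any => internal nets => any => drop, then DMZ => Any => services => accept
    return [rule(ANY, internal, None, "drop"), rule(DMZ, ANY, WEB, "accept")]

def decisions(src, dst, port, internal=INTERNAL):
    """Return (negated form, two-rule form, two-rule form in the wrong order)."""
    two = two_rule_policy(internal)
    return (evaluate(negated_policy(internal), src, dst, port),
            evaluate(two, src, dst, port),
            evaluate(list(reversed(two)), src, dst, port))

if __name__ == "__main__":
    host = "172.16.50.10"
    print(decisions(host, "93.184.216.34", 443))   # internet web traffic
    print(decisions(host, "10.1.2.3", 443))        # DMZ to internal
    # Internal group that forgot 192.168.0.0/16: both forms let the flow through.
    print(decisions(host, "192.168.1.5", 80, internal=["10.0.0.0/8"]))
```

Both layouts depend on the internal group being complete, and the two-rule form additionally depends on the drop rule sitting above the accept rule.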
 