The musings of an IT Consultant

Jun 26 2008   2:28PM GMT

Any doesn’t always mean Any…

Raj Perumal

Hi folks, here’s another little tidbit from the wonderful world of firewalls. In the consulting world I have had to work with my fair share of firewall products, from SMB-based devices all the way to the larger Enterprise products. There is one thing that I have run into time and time again, and that is the dreaded “Any” rule/object. The reason I say dreaded is that sometimes what is assumed by Any can end up causing you a ton of headaches.

A lot of firewalls let you create a rule that allows Any traffic from Any to Any. Unfortunately, as people have found, Any doesn’t always mean Any. What I mean by this is that, despite what Any implies, the firewall still ends up blocking some things. When this happens, a network administrator might end up troubleshooting everything and still come up short trying to figure out why things aren’t working properly in the network. I have heard lots of network admins tell me “But I have the firewall configured with an all-open any to any rule for testing! It should work!” and of course it doesn’t. Now, not all firewalls are this way, but there are some where you will run into this.

So what’s the solution? Turn on detailed logging, and watch the logs for denied traffic. Also, using a packet sniffer like Wireshark or Microsoft’s own Network Monitor (found on your server CD by using add/remove components) can help you to determine how the traffic is flowing and what is happening to it. At that point you will be able to determine whether or not a firewall is blocking the traffic, and fix your problem by creating a rule to allow that specific type of traffic through.
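One way to carry out the log review described above, as an added example that is not part of the original post: it summarises denied flows so you can see which specific traffic needs its own rule. It assumes Linux netfilter-style LOG lines and a hypothetical `FW-DENY` log prefix; the function name `denied_flows` and the sample lines are constructed for illustration, so adapt the field names to your firewall's log format.

```python
import re
from collections import Counter

# Constructed sample lines in netfilter LOG style. The FW-DENY / FW-ALLOW
# prefixes are assumptions: use whatever prefix your deny-logging rule sets.
SAMPLE_LOG = """\
Jun 26 14:01:02 fw kernel: FW-DENY IN=eth1 OUT=eth0 SRC=192.0.2.10 DST=198.51.100.5 LEN=60 PROTO=TCP SPT=51515 DPT=1723 SYN
Jun 26 14:01:03 fw kernel: FW-DENY IN=eth1 OUT=eth0 SRC=192.0.2.10 DST=198.51.100.5 LEN=80 PROTO=47
Jun 26 14:01:04 fw kernel: FW-DENY IN=eth1 OUT=eth0 SRC=192.0.2.10 DST=198.51.100.5 LEN=80 PROTO=47
Jun 26 14:01:05 fw kernel: FW-ALLOW IN=eth1 OUT=eth0 SRC=192.0.2.11 DST=198.51.100.9 LEN=60 PROTO=TCP SPT=40000 DPT=443 SYN
Jun 26 14:01:06 fw kernel: FW-DENY IN=eth1 OUT=eth0 SRC=192.0.2.12 DST=198.51.100.7 LEN=84 PROTO=ICMP TYPE=8 CODE=0
Jun 26 14:01:07 fw kernel: FW-DENY truncated line with no fields
"""

FIELD = re.compile(r"\b([A-Z]+)=(\S*)")  # KEY=value pairs, value may be empty


def denied_flows(log_text, deny_tag="FW-DENY"):
    """Return [((src, dst, proto, detail), hits), ...], most frequent first."""
    hits = Counter()
    for line in log_text.splitlines():
        if deny_tag not in line:
            continue  # only denied traffic is of interest
        fields = dict(FIELD.findall(line))
        if not {"SRC", "DST", "PROTO"} <= fields.keys():
            continue  # malformed or truncated entry
        if "DPT" in fields:          # TCP/UDP: the destination port matters
            detail = "dport " + fields["DPT"]
        elif "TYPE" in fields:       # ICMP: the message type matters
            detail = "type " + fields["TYPE"]
        else:                        # other IP protocols carry no port
            detail = "-"
        hits[(fields["SRC"], fields["DST"], fields["PROTO"], detail)] += 1
    return hits.most_common()


if __name__ == "__main__":
    for (src, dst, proto, detail), count in denied_flows(SAMPLE_LOG):
        print(f"{count:3d}  {src} -> {dst}  proto={proto}  {detail}")
```

Each output row is a candidate for a specific allow rule; confirm it against a packet capture before opening it up.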

