BM36EE on NW60

After having deleted all default filter exceptions I set up everything as needed, primarily http and https through http-proxy as described in Craig Johnson's book. It is an SBS single-server environment, so dns/dhcp and netshield are on the same server as bm36ee. Both functions had problems with access to the web (dns with forwarding, netshield with pasv-ftp for updates).

After checking with SET FILTER DEBUG = ON for discarded packets I found both dns (definitely) and ftp (quite sure) were coming from the public ip-address, which should make them come through the http-proxy (no other proxies are activated - please correct me in case there are other ways).

After setting up all exceptions as listed below everything is running fine from the application's point of view. The question is, is it fine under security aspects?


Exceptions:

#1
Packet Type: ftp-port-pasv-st

Source: EXTERN
All Circuits
10.0.0.1

Destination: EXTERN
All Circuits
Any Address

Comment: Craig: FTP through proxy only, p279, 07.09.03 KK

#2
Packet Type: dns/udp-st

Source: EXTERN
All Circuits
10.0.0.1

Destination: EXTERN
All Circuits
Any Address

Comment: Craig: DNS/UDP through proxy only, p279, 07.09.03

#3
Packet Type: new http-st

Source: EXTERN
All Circuits
10.0.0.1

Destination: EXTERN
All Circuits
Any Address

Comment: Craig: Allow outbound http/proxy only, p278.

#4
Packet Type: new https-st

Source: EXTERN
All Circuits
10.0.0.1

Destination: EXTERN
All Circuits
Any Address

Comment: Craig: Allow outbound https/proxy only, p278.

#5
Packet Type: new nntp-st

Source: EXTERN
All Circuits
10.0.0.1

Destination: EXTERN
All Circuits
Any Address

Comment: Craig: Allow non-standard/proxy only, p279.
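As an added illustration of the kind of review the poster is asking for (this is not part of the original post, nor BorderManager code), the script below parses a filter exception list written in the same layout as the five exceptions above and applies three least-privilege checks a reviewer would make on "proxy only" outbound rules: the packet type must be stateful (the -st variants), the source address must be exactly the proxy's own public address rather than Any Address, and the service must be on a list of services the site actually needs through the proxy. The sample text is constructed from the post's exceptions; exception #6, the proxy address 10.0.0.1 as the expected source, and the set of required services are assumptions made for the demonstration.

```python
"""Lint a BorderManager-style filter exception list for outbound proxy-only rules.

Added example: parses the text layout used in the post and flags exceptions that
are non-stateful, not pinned to the proxy's public address, or not required.
"""
import re
from dataclasses import dataclass

# Constructed sample: exceptions #1-#5 follow the post; #6 is a deliberately
# weak rule added here (non-stateful type, source Any Address) so the lint fires.
SAMPLE = """#1
Packet Type: ftp-port-pasv-st

Source: EXTERN
All Circuits
10.0.0.1

Destination: EXTERN
All Circuits
Any Address

Comment: Craig: FTP through proxy only, p279

#2
Packet Type: dns/udp-st

Source: EXTERN
All Circuits
10.0.0.1

Destination: EXTERN
All Circuits
Any Address

Comment: Craig: DNS/UDP through proxy only, p279

#3
Packet Type: new http-st

Source: EXTERN
All Circuits
10.0.0.1

Destination: EXTERN
All Circuits
Any Address

Comment: Craig: Allow outbound http/proxy only, p278.

#4
Packet Type: new https-st

Source: EXTERN
All Circuits
10.0.0.1

Destination: EXTERN
All Circuits
Any Address

Comment: Craig: Allow outbound https/proxy only, p278.

#5
Packet Type: new nntp-st

Source: EXTERN
All Circuits
10.0.0.1

Destination: EXTERN
All Circuits
Any Address

Comment: Craig: Allow non-standard/proxy only, p279.

#6
Packet Type: http

Source: EXTERN
All Circuits
Any Address

Destination: EXTERN
All Circuits
Any Address

Comment: constructed weak rule: non-stateful, any source
"""


@dataclass
class FilterException:
    number: int
    packet_type: str = ""
    src_interface: str = ""
    src_circuit: str = ""
    src_address: str = ""
    dst_interface: str = ""
    dst_circuit: str = ""
    dst_address: str = ""
    comment: str = ""


def parse_exceptions(text):
    """Parse '#n' blocks; Source:/Destination: are followed by a circuit and an address line."""
    entries, current, pending = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        header = re.match(r"^#(\d+)$", line)
        if header:
            current = FilterException(number=int(header.group(1)))
            entries.append(current)
            pending = None
            continue
        if current is None:
            continue
        if line.startswith("Packet Type:"):
            current.packet_type = line.split(":", 1)[1].strip()
        elif line.startswith("Source:"):
            current.src_interface = line.split(":", 1)[1].strip()
            pending = ("src", [])
        elif line.startswith("Destination:"):
            current.dst_interface = line.split(":", 1)[1].strip()
            pending = ("dst", [])
        elif line.startswith("Comment:"):
            current.comment = line.split(":", 1)[1].strip()
            pending = None
        elif pending is not None:
            pending[1].append(line)
            if len(pending[1]) == 2:  # circuit line, then address line
                circuit, address = pending[1]
                if pending[0] == "src":
                    current.src_circuit, current.src_address = circuit, address
                else:
                    current.dst_circuit, current.dst_address = circuit, address
                pending = None
    return entries


def service_of(packet_type):
    """Reduce 'new https-st' / 'ftp-port-pasv-st' / 'dns/udp-st' to a service name."""
    name = packet_type.lower()
    if name.startswith("new "):
        name = name[4:]
    if name.endswith("-st"):
        name = name[:-3]
    match = re.match(r"[a-z]+", name)
    return match.group(0) if match else name


def lint_exceptions(entries, proxy_ip, required_services):
    """Return (exception number, finding) pairs for rules that widen the outbound policy."""
    findings = []
    for ex in entries:
        if not ex.packet_type.lower().endswith("-st"):
            findings.append((ex.number, "packet type is not stateful (no -st)"))
        if ex.src_address == "Any Address":
            findings.append((ex.number, "source is Any Address, not restricted to the proxy"))
        elif ex.src_address != proxy_ip:
            findings.append((ex.number, f"source {ex.src_address} is not the proxy address {proxy_ip}"))
        if service_of(ex.packet_type) not in required_services:
            findings.append((ex.number, f"service {service_of(ex.packet_type)} is not in the required list"))
    return findings


if __name__ == "__main__":
    rules = parse_exceptions(SAMPLE)
    for num, msg in lint_exceptions(rules, "10.0.0.1", {"ftp", "dns", "http", "https"}):
        print(f"#{num}: {msg}")
```

Run against the sample, the five rules from the post pass the stateful and source checks, #5 is reported only because nntp is not in the assumed required-services set (a reminder that an exception left over from a book example is still an open path), and the constructed #6 shows what a loosened rule looks like to the lint.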