Re: [FW1] Possible NT IpForwarding Security Issue.
You should use RFC1918 addresses for your DMZ/Bastion hosts (10.0.0.0, 192.168.0.0, etc.). Set your router to block RFC1918 with an access list (they shouldn't be coming in/out anyway, but just in case...). Set up FW-1 to ARP for the "outside/routeable" address of each DMZ/bastion host and use NAT to get the packets to the right host (this involves a local.arp entry, a static host route on FW-1, and the appropriate rules/NAT rules).

This way, if you stop the fw services, no NAT can occur even if routing can (NAT is performed by the FW-1 process). If someone is hitting 200.200.200.200 and FW-1 crashes, it's no longer going to be NATted to 10.10.10.10, and that means the host will toss it. They can't reach 10.10.10.10 because RFC1918 is blocked at the router. (Make sure the ONLY default route you have is to the INTERNET, btw.)

----- Original Message -----
From: <[email protected]>
To: <[email protected]>
Sent: Thursday, January 18, 2001 3:46 PM
Subject: [FW1] Possible NT IpForwarding Security Issue.

> Hi,
>
> One question has been occupying us for the past day:
>
> If the Firewall service goes down or is stopped by mistake, Windows NT is still alive
> and IP forwarding is enabled, would the NT server route packets to the protected
> server in the internal network or in the DMZ?
>
> Sylvain
>
> ================================================================================
> To unsubscribe from this mailing list, please see the instructions at
> http://www.checkpoint.com/services/mailing.html
> ================================================================================
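A small model of the fail-closed behaviour the reply describes, written as an added example (not code from either poster): the addresses are the reply's own sample values, and how each hop behaves (router ACL, FW-1 NAT only while the service runs, NT forwarding always on, the bastion host accepting only its own address) is an assumption stated in the comments.

```python
import ipaddress

# Constructed addressing, following the reply: the DMZ host lives on RFC1918
# space and is reached from the Internet through a NAT address that FW-1
# proxy-ARPs for and translates (assumed values, not from a real deployment).
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
NAT_TABLE = {"200.200.200.200": "10.10.10.10"}   # public -> real DMZ address


def router_acl(dst):
    """Border router access list: drop anything destined to RFC1918 space."""
    return not any(ipaddress.ip_address(dst) in net for net in RFC1918)


def fw1(dst, service_up):
    """FW-1 on NT: NAT is done by the FW-1 process, so it only happens while
    the service runs; NT's IP forwarding keeps routing packets regardless."""
    if service_up and dst in NAT_TABLE:
        return NAT_TABLE[dst]   # translated, then routed via the static host route
    return dst                  # service down: forwarded untranslated


def dmz_host_accepts(dst, host_ip):
    """The bastion host only accepts packets addressed to its own interface."""
    return dst == host_ip


def deliver(dst, service_up, host_ip="10.10.10.10"):
    """Trace one inbound packet and report where it ends up."""
    if not router_acl(dst):
        return "blocked at router"
    dst = fw1(dst, service_up)
    if dmz_host_accepts(dst, host_ip):
        return "delivered"
    return "tossed by host"


if __name__ == "__main__":
    # RFC1918 DMZ design: FW-1 running, crashed, and a direct try at the real IP.
    print(deliver("200.200.200.200", True))    # delivered
    print(deliver("200.200.200.200", False))   # tossed by host
    print(deliver("10.10.10.10", False))       # blocked at router
    # Contrast: a bastion host given a routable address and no NAT is still
    # reachable once the firewall service stops, because NT keeps forwarding.
    print(deliver("200.200.200.201", False, host_ip="200.200.200.201"))  # delivered
```

The last call is the risk the original question is about: with a routable DMZ address, nothing in the path depends on the FW-1 service being up.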