
Re: [FW1] IP Design for transparent firewall




NAT is good, and recommended for security reasons.
I've seen people put real Internet addresses behind their firewalls, but
you're ignoring some quite good things that CP can do, for example security
servers / linking up with 3rd party CVP servers.
If you're just going to route straight through your firewall and not bother
with these extra security features you may as well just install a basic
router with an ACL!

:)

Tim

----- Original Message -----
From: Jason Costomiris <[email protected]>
To: Clayton Nash <[email protected]>
Cc: <[email protected]>
Sent: 29 March 2001 12:44
Subject: Re: [FW1] IP Design for transparent firewall


>
> On Thu, Mar 29, 2001 at 11:39:36AM +0100, Clayton Nash wrote:
> : I'm hosting some servers remotely and have been allocated a block of 16
> : IP addresses by the hosting entity. I'm planning to place a FW1 box in
> : front of everything and would like to be able to use the IP addresses in
> : the most efficient way. The platform will be Intel Linux.
> : I don't want to NAT the boxes behind the firewall for a variety of reasons.
> : As far as I can see my options are
> : - break the address block into 2 4 address blocks and 1 eight address
> : block -- use one four block on the public side of the firewall and the
> : rest on the other side
> : In this case, I assume I have to do proxy arp on the public firewall
> : interface?
>
> In a typical colo environment, the ISP gives you one IP address to put on
> your edge device, be it a router or a firewall, PLUS an IP allocation for
> the network you're building.  You should check with the ISP on that.
>
> --
> Jason Costomiris <><           |  Technologist, geek, human.
> jcostom {at} jasons {dot} org  |  http://www.jasons.org/
>           Quidquid latine dictum sit, altum viditur.
>                     My account, My opinions.
>
>
>
> ================================================================================
>      To unsubscribe from this mailing list, please see the instructions at
>                http://www.checkpoint.com/services/mailing.html
> ================================================================================
>

