
Re: [FW1] Web server in DMZ



Why do you use the arp -s command?
It does not tell the firewall to RESPOND to ARP requests for that IP address.
All it does is stuff the ARP cache on the firewall with the entry so that it will not bother to ARP for it on its own behalf.
(not entirely useful, except in some esoteric cases)

You need to use local.arp if you wish FW1 to respond to ARP requests for addresses other than its own interfaces.
It sure would be nice if in the firewall objects database they would add a field for ARP. Also, keep in mind that when
you change the contents of the local.arp file, you must restart the fw daemon in order for this change to take effect.

How do you check for the ARP function? Punch in a sniffer and watch the ARP requests....simple.
You might want to review the OSI model and get a good understanding of what layer FW1 operates on, and that will
tell you what tools you need to use to accomplish your tasks.

----- Original Message ----- 
From: "Ivan More" <[email protected]>
To: "James Clarke" <[email protected]>; <[email protected]>
Sent: Thursday, June 07, 2001 6:11 AM
Subject: RE: [FW1] Web server in DMZ


> 
> Hi,
> 
> Thanks for the many responses, we are using FW-1
> version 4.0 on NT4. 
> 
> Yes, we have added the route to the Route Table as
> below
> 
> route add -p internal_ip mask 255.255.255.255 DMZ_interface metric 1
> 
> We also added the arp but we created a bat file to run
> during startup for the arp (we run this bat file
> before we do the test, will there be a problem)
> 
> arp -s   external_ip   Mac address  FW1_external_ip
> 
> We do not have a local.arp file in the
> c:\winnt\fw\state directory, can we just create it and
> input the Web server External_ip and the Mac address
> of the FW external_ip.
> 
> We are using Stat NAT.
> 
> How would I check if the FW-1 is answering the ARP
> request for the NATed address?
> 
> We are still unsuccessful. What else did we miss?
> 
> 
> Cheers,
> Ivan
> 
> --- James Clarke <[email protected]> wrote:
> > Have you set up the static route and the local.arp
> > file to reflect the
> > internal static NAT?  Also what platform are you on?
> > 
> > James.
> > 
> > -----Original Message-----
> > From: Ivan More [mailto:[email protected]]
> > Sent: 05 June 2001 11:00
> > To: [email protected]
> > Cc: [email protected]
> > Subject: [FW1] Web server in DMZ
> > 
> > 
> > 
> > Hi,
> > 
> > We are trying to set up a web server in the DMZ for
> > public access. But we are not successful. 
> > 
> >   Internet
> >   ******** 
> >      |
> >      |
> >      |
> >      |
> >      |
> > -----------
> > |          |
> > |          |           ----- DMZ
> > |   FW     |-----------|   | web server 
> > |          |           ----- internal IP 10.1.1.100
> > |          |                 external IP 
> > ------------
> >      |
> >      |
> >   ******
> >   Office
> > 
> > 
> > In our rule base we have
> > 
> > source    destination    service 
> > Any       Web server     http
> >           NAT to 
> >           external IP
> > 
> > We did not see any traffic connecting to this web
> > server even when we try to connect to it (not using
> > VPN). What did I miss out?
> > 
> > 
> > Any help will be appreciated. Thanks.
> > 
> > 
> > Cheers,
> > Ivan
> > 
> >
> _______________________________________________________
> > Do You Yahoo!?
> > Get your free @yahoo.ca address at
> > http://mail.yahoo.ca
> > 
> > 
> >
> ============================================================================
> > ====
> >      To unsubscribe from this mailing list, please
> > see the instructions at
> >               
> > http://www.checkpoint.com/services/mailing.html
> >
> ============================================================================
> > ====
> 
> 
> 
> 
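
Added example, not part of the original messages or of FW-1: one way to do the sniffer check described in the reply above, by parsing captured Ethernet/ARP frames and reporting whether requests for the NATed address were answered, and by which MAC. The function names, the MAC addresses and the 192.0.2.x addresses are constructed for illustration.

```python
import socket
import struct

ETHERTYPE_ARP, ARP_REQUEST, ARP_REPLY = 0x0806, 1, 2

def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))

def build_arp(op, src_mac, src_ip, dst_mac, dst_ip):
    """Build an Ethernet + ARP frame; used here only to construct sample data."""
    eth_dst = b"\xff" * 6 if op == ARP_REQUEST else mac_bytes(dst_mac)
    header = eth_dst + mac_bytes(src_mac) + struct.pack("!H", ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
    return (header + arp + mac_bytes(src_mac) + socket.inet_aton(src_ip)
            + mac_bytes(dst_mac) + socket.inet_aton(dst_ip))

def parse_arp(frame):
    """Return (op, sender_mac, sender_ip, target_ip), or None if not Ethernet/IPv4 ARP."""
    if len(frame) < 42 or frame[12:14] != struct.pack("!H", ETHERTYPE_ARP):
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    sha, spa, _tha, tpa = struct.unpack("!6s4s6s4s", frame[22:42])
    mac = ":".join(f"{b:02x}" for b in sha)
    return op, mac, socket.inet_ntoa(spa), socket.inet_ntoa(tpa)

def proxy_arp_status(frames, nat_ip, fw_mac):
    """Classify how ARP requests for nat_ip were answered in a capture."""
    asked, answered_by = False, set()
    for frame in frames:
        arp = parse_arp(frame)
        if arp is None:
            continue
        op, sender_mac, sender_ip, target_ip = arp
        if op == ARP_REQUEST and target_ip == nat_ip:
            asked = True                      # someone asked "who has nat_ip?"
        elif op == ARP_REPLY and sender_ip == nat_ip:
            answered_by.add(sender_mac)       # someone claimed "nat_ip is at <mac>"
    if not asked:
        return "no-request-seen"
    if not answered_by:
        return "unanswered"
    return "firewall-answers" if answered_by == {fw_mac.lower()} else "other-host-answers"

# Constructed sample values (documentation address ranges, not from the thread).
ROUTER_MAC, FW_MAC = "00:00:5e:00:53:01", "00:00:5e:00:53:02"
ROUTER_IP, NAT_IP = "192.0.2.1", "192.0.2.10"
REQUEST = build_arp(ARP_REQUEST, ROUTER_MAC, ROUTER_IP, "00:00:00:00:00:00", NAT_IP)
REPLY = build_arp(ARP_REPLY, FW_MAC, NAT_IP, ROUTER_MAC, ROUTER_IP)
```

A result of "unanswered" for the NATed address means the upstream router is asking and nothing is replying, which is the condition the reply attributes to relying on arp -s instead of local.arp.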



   All contents © 2004 Network Presence, LLC. All rights reserved.