
RE: [FW1] what occurs first NAT or RULEBASE




Hi,

I know that the correct answer to this topic has already been published,
but somehow this must have been a little confusing to some people. The wrong
answer was at least published at
http://securityportal.com/topnews/weekly/checkpoint.html in their weekly
Check Point rundown on the 25th of June.


NAT DOES NOT HAPPEN FIRST!!!! (normally)

This is thoroughly described in Chapter 14 (pages 425-475) of The Security
Admin Guide to Firewall-1 CP2000. The descriptions in this chapter should
cover this in detail, but to put it briefly: Check Point has three different
NAT modes; Static Destination, Static Source and HIDE. They work as follows:

1.	HIDE
	Client initiates comm. --> Inspected by Firewall (both Inbound and
Outbound) --> Packet gets translated (Source Hidden) --> Leaves Gateway.
(NAT LAST THING THAT HAPPENS)

2.	Static Destination
	Client initiates comm. --> Inspected by Firewall (both Inbound and
Outbound) --> Packet gets translated (Destination address is translated)
--> Leaves Gateway. (NAT LAST THING THAT HAPPENS)

3.	Static Source
	Client initiates comm. --> Inspected by Firewall (both Inbound and
Outbound) --> Packet gets translated (Source Address is translated) -->
Leaves Gateway. (NAT LAST THING THAT HAPPENS)


NB! Reply packets are translated before they enter the gateway. This means
that the setup will have an impact on anti-spoofing rules.

This statement (which was published at SecurityPortal) is misleading and
totally wrong:

"You truly don't allow inbound traffic to the Public IP.. you allow inbound
traffic to the object, which should have a private IP as its IP and a
public IP as its NAT.. Think of it also as, it NATs first since you have
to route to the private IP.. always NAT first inbound, last outbound."



If NAT were the first thing that happened within the gateway you would NOT
need to add a host route pointing the external address to the internal one.
Routing happens within the operating system after the packet leaves the
Firewall-1 inbound inspection; if the packet were already translated there
would be no need to tell the OS that the external address is on the inside
(which would then have been wrong). And if you manually define the rules you
would HAVE TO add a rule to accept communication to the external (or public)
address.


/erik


================================================================================
     To unsubscribe from this mailing list, please see the instructions at
               http://www.checkpoint.com/services/mailing.html
================================================================================
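The ordering argued in the post above (inbound inspection, then OS routing, then outbound inspection, with NAT as the last step and replies translated back before inspection) is modelled below as a small simulation. This is an added example, not code from the post, from Check Point or from the list archive; the addresses, rulebase entries, routes and interface names are constructed for illustration and do not describe any real network or Check Point internals. It shows the three consequences the post draws: a manually written rule must match the public (untranslated) address, a host route for the public address is needed because routing runs before translation, and a reply that is translated back before inspection carries the public address when the internal interface's anti-spoofing check sees it.

```python
"""Toy model of Firewall-1 packet-handling order as described in the post.

Constructed example: addresses, rules, routes and interface names are
assumptions for illustration, not from the original message or product docs.
"""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int

# Constructed topology (assumption): a client on the Internet reaches a web
# server via its public address, which is statically NATed to a private one.
CLIENT = "198.51.100.5"
PUBLIC_WEB = "203.0.113.10"     # address the client connects to (NAT address)
PRIVATE_WEB = "10.1.1.10"       # real address of the internal web server
STATIC_DST_NAT = {PUBLIC_WEB: PRIVATE_WEB}                # applied on the way out
REVERSE_NAT = {v: k for k, v in STATIC_DST_NAT.items()}   # applied to replies first

# Two ways of writing the same "allow HTTP to the web server" rule by hand.
RULE_PUBLIC = [("0.0.0.0/0", PUBLIC_WEB + "/32", 80, "accept")]
RULE_PRIVATE = [("0.0.0.0/0", PRIVATE_WEB + "/32", 80, "accept")]

# Routing table with and without the host route for the public address.
ROUTES_NO_HOST = [("0.0.0.0/0", "eth0-external"), ("10.1.1.0/24", "eth1-internal")]
ROUTES_HOST = ROUTES_NO_HOST + [(PUBLIC_WEB + "/32", "eth1-internal")]

REQUEST = Packet(CLIENT, PUBLIC_WEB, 80)
REPLY = Packet(PRIVATE_WEB, CLIENT, 40000)   # server's answer, still untranslated

def match_rulebase(rulebase, pkt):
    """First-match rulebase with an implicit cleanup rule that drops the rest."""
    for src_net, dst_net, dport, action in rulebase:
        if (ip_address(pkt.src) in ip_network(src_net)
                and ip_address(pkt.dst) in ip_network(dst_net)
                and dport == pkt.dport):
            return action
    return "drop"

def route(routes, dst):
    """Longest-prefix match over (network, interface) entries; None if no route."""
    candidates = [(ip_network(net).prefixlen, iface) for net, iface in routes
                  if ip_address(dst) in ip_network(net)]
    return max(candidates)[1] if candidates else None

def fw1_order(pkt, rulebase, routes, nat=STATIC_DST_NAT):
    """Order described in the post: inspect -> route -> inspect -> translate -> leave.

    Returns (verdict, packet as it leaves, egress interface)."""
    if match_rulebase(rulebase, pkt) != "accept":
        return ("dropped-inbound", pkt, None)
    iface = route(routes, pkt.dst)          # the OS routes on the UNTRANSLATED address
    if match_rulebase(rulebase, pkt) != "accept":
        return ("dropped-outbound", pkt, iface)
    out = replace(pkt, dst=nat.get(pkt.dst, pkt.dst))   # NAT is the last step
    return ("forwarded", out, iface)

def nat_first_order(pkt, rulebase, routes, nat=STATIC_DST_NAT):
    """The order the quoted SecurityPortal text assumes: translate, then inspect/route."""
    translated = replace(pkt, dst=nat.get(pkt.dst, pkt.dst))
    if match_rulebase(rulebase, translated) != "accept":
        return ("dropped-inbound", translated, None)
    return ("forwarded", translated, route(routes, translated.dst))

def reply_path(reply, internal_valid_nets, nat=REVERSE_NAT):
    """Reply from the server: translated back BEFORE inbound inspection, so the
    anti-spoofing check on the internal interface sees the public source address."""
    translated = replace(reply, src=nat.get(reply.src, reply.src))
    legit = any(ip_address(translated.src) in ip_network(n) for n in internal_valid_nets)
    return ("passed" if legit else "antispoof-drop", translated)

if __name__ == "__main__":
    print("FW-1 order, rule on public addr, host route: ", fw1_order(REQUEST, RULE_PUBLIC, ROUTES_HOST))
    print("FW-1 order, rule on private addr:            ", fw1_order(REQUEST, RULE_PRIVATE, ROUTES_HOST))
    print("FW-1 order, no host route:                   ", fw1_order(REQUEST, RULE_PUBLIC, ROUTES_NO_HOST))
    print("NAT-first order, rule on private addr:       ", nat_first_order(REQUEST, RULE_PRIVATE, ROUTES_NO_HOST))
    print("Reply, internal anti-spoofing = private net: ", reply_path(REPLY, ["10.1.1.0/24"]))
    print("Reply, anti-spoofing also lists public addr: ", reply_path(REPLY, ["10.1.1.0/24", PUBLIC_WEB + "/32"]))
```

Running it shows the rule written against the private address never matching under the FW-1 order (inspection sees the public address), the request being routed back out the external interface when the /32 host route is missing, and the same request succeeding without any host route only under the NAT-first order that the post says is wrong. On the reply side, the anti-spoofing set for the internal interface has to include the public NAT address, which is the impact the post's NB refers to.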



   All contents © 2004 Network Presence, LLC. All rights reserved.