RE: [FW1] what occurs first NAT or RULEBASE
Erik,

Thanks for this post... as an FYI - since it was my turn to do a write-up for Security Portal for this week (publishing on July 2) - I made sure to note this clarification and also noted it to their editors... I think the author of last week's digest might have overlooked the details when including this thread in the digest - a simple mistake. Anyways, the clarification should be up this Monday. :)

Amin Tora, CISSP
ePlus Technology
http://www.eplus.com
NASDAQ: PLUS

-----Original Message-----
From: [email protected] [mailto:[email protected]]
Sent: Tuesday, June 26, 2001 6:29 PM
To: [email protected]
Subject: RE: [FW1] what occurs first NAT or RULEBASE

Hi,

I know that the correct answers to this topic have already been published, but somehow this must have been a little confusing to some people. The wrong answer was at least published at http://securityportal.com/topnews/weekly/checkpoint.html in their weekly Check Point rundown on the 25th of June.

NAT DOES NOT HAPPEN FIRST!!!! (normally)

This is thoroughly described in Chapter 14 (pages 425-475) of The Security Admin Guide to Firewall-1 CP2000. The descriptions in this chapter should cover this in detail, but to say it short: Check Point has three different NAT modes; Static Destination, Static Source and HIDE. They work as follows:

1. HIDE
   Client initializes comm. --> Inspected by Firewall (both Inbound and Outbound) --> Packet gets translated (Source Hidden) --> Leaves Gateway. (NAT LAST THING THAT HAPPENS)

2. Static Destination
   Client initializes comm. --> Inspected by Firewall (both Inbound and Outbound) --> Packet gets translated (Destination address is translated) --> Leaves Gateway. (NAT LAST THING THAT HAPPENS)

3. Static Source
   Client initializes comm. --> Inspected by Firewall (both Inbound and Outbound) --> Packet gets translated (Source Address is translated) --> Leaves Gateway. (NAT LAST THING THAT HAPPENS)

NB! Reply packets are translated before they enter the gateway. This means that the setup will have an impact on Anti-Spoofing rules.

This statement (which was published at SecurityPortal) is misleading and totally wrong:

"You truly don't allow inbound traffic to the Public IP.. you allow inbound traffic to the object, which should have a private IP as its IP and a public IP as its NAT.. Think of it also as, it NATs first since you have to route to the private IP.. always NAT first inbound, last outbound."

If NAT were the first thing that happened within the gateway you would NOT need to add a Host Route pointing the external address to the internal one. Routing happens within the operating system after the packet leaves the Firewall-1 inbound inspection; if the packet were already translated there would be no need to tell the OS that the external address is on the inside (which would then have been wrong). And if you manually define the rules you HAVE TO add a rule to accept communication to the external (or public) address.

/erik

================================================================================
To unsubscribe from this mailing list, please see the instructions at
http://www.checkpoint.com/services/mailing.html
================================================================================
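The order of operations Erik describes (rulebase inspection on the untranslated packet, then OS routing, then translation as the packet leaves, with replies translated before they enter), modelled as an added example. This is not Check Point code and is not from anyone in the thread; the addresses, rules, routes, interface names and the anti-spoofing check are all constructed to illustrate why a manual rule must name the public address, why a host route is needed for static destination NAT, and why the internal interface's valid addresses must cover the reply's translated source:

```python
"""Toy model of the FireWall-1 4.x order of operations described in the thread:
rulebase inspection on the untranslated packet, then OS routing, then NAT as the
packet leaves.  This is an added illustration, not Check Point code; all
addresses, rules, routes and interface names below are constructed."""
from dataclasses import dataclass, replace
from typing import Optional
import ipaddress


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    src: str                 # CIDR or "any"
    dst: str                 # CIDR or "any"
    dport: Optional[int]     # None matches any port
    action: str              # "accept" or "drop"


def _in(cidr: str, addr: str) -> bool:
    return cidr == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(cidr, strict=False)


def inspect(rulebase, pkt: Packet) -> str:
    """First-match rulebase lookup with an implicit cleanup drop at the end."""
    for r in rulebase:
        if _in(r.src, pkt.src) and _in(r.dst, pkt.dst) and r.dport in (None, pkt.dport):
            return r.action
    return "drop"


def route(routes, addr: str) -> Optional[str]:
    """Longest-prefix match over {cidr: interface}; None if unroutable."""
    best = None
    for cidr, iface in routes.items():
        net = ipaddress.ip_network(cidr, strict=False)
        if ipaddress.ip_address(addr) in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, iface)
    return best[1] if best else None


def gateway_inbound(rulebase, routes, static_dst_nat, pkt: Packet):
    """Client -> server direction.  Returns (verdict, packet as it leaves or None).
    Order follows the thread: inspect -> route -> translate -> leave."""
    if inspect(rulebase, pkt) != "accept":          # rulebase sees the PUBLIC dst
        return ("dropped by rulebase", None)
    iface = route(routes, pkt.dst)                   # OS routes on the PUBLIC dst too
    if iface is None:
        return ("no route", None)
    out = replace(pkt, dst=static_dst_nat.get(pkt.dst, pkt.dst))   # NAT is last
    return ("accepted via " + iface, out)


def gateway_reply(internal_valid_addrs, static_src_nat, pkt: Packet):
    """Server -> client direction.  Per the thread, the reply is translated
    before it enters the gateway, so anti-spoofing on the internal interface
    sees the translated (public) source address."""
    translated = replace(pkt, src=static_src_nat.get(pkt.src, pkt.src))
    if not any(_in(c, translated.src) for c in internal_valid_addrs):
        return ("dropped by anti-spoofing", None)
    return ("accepted", translated)


# Constructed scenario: 203.0.113.10 is the public (NAT) address of 10.0.0.10.
NAT_DST = {"203.0.113.10": "10.0.0.10"}
NAT_SRC = {v: k for k, v in NAT_DST.items()}
CLIENT_SYN = Packet("198.51.100.5", "203.0.113.10", 80)
SERVER_REPLY = Packet("10.0.0.10", "198.51.100.5", 80)
ROUTES_NO_HOST_ROUTE = {"10.0.0.0/24": "eth1", "0.0.0.0/0": "eth0"}
ROUTES_WITH_HOST_ROUTE = {**ROUTES_NO_HOST_ROUTE, "203.0.113.10/32": "eth1"}
RULES_PRIVATE_ONLY = [Rule("any", "10.0.0.10", 80, "accept")]
RULES_PUBLIC = [Rule("any", "203.0.113.10", 80, "accept")]


if __name__ == "__main__":
    # A manual rule written against the private address never matches the inbound SYN.
    print(gateway_inbound(RULES_PRIVATE_ONLY, ROUTES_WITH_HOST_ROUTE, NAT_DST, CLIENT_SYN))
    # Without a host route the still-untranslated packet follows the default route back out eth0.
    print(gateway_inbound(RULES_PUBLIC, ROUTES_NO_HOST_ROUTE, NAT_DST, CLIENT_SYN))
    # With the rule on the public address and a host route, it is translated and sent to eth1.
    print(gateway_inbound(RULES_PUBLIC, ROUTES_WITH_HOST_ROUTE, NAT_DST, CLIENT_SYN))
    # The reply is seen with its public source, so that address must be valid on eth1.
    print(gateway_reply(["10.0.0.0/24"], NAT_SRC, SERVER_REPLY))
    print(gateway_reply(["10.0.0.0/24", "203.0.113.10/32"], NAT_SRC, SERVER_REPLY))
```

The model deliberately leaves the rulebase match and the routing lookup on the public address and moves translation to the last step, so the three failure modes Erik points at fall out directly: a rule on 10.0.0.10 never fires for the inbound SYN, the SYN to 203.0.113.10 follows the default route unless a host route points it at the internal interface, and the reply arrives at the internal interface already carrying its public source address.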