[FW-1] IP aliases in a box on DMZ
Background: Nokia, IPSO 3.3 running FW-1 4.1 SP 3 (Build 41821) is configured with three interfaces: secured, dmz, public. A Linux box (SuSE 7.2, kernel 2.4.4) is connected to the DMZ. The FW-1 policy is configured to NAT the secured network, including when it connects to the DMZ. 10/100 switches are used on all networks. FW-1 is configured to log all implied rules.

The Linux box is configured with an address on the DMZ network, 10.0.0.1. When I add an alias (using # ifconfig eth0:0 10.0.0.2) the FW blocks connections to the machine on both the first address and the alias.

I've stepped up logging with some rules at the top of my ruleset, including logging every ICMP packet between a machine on the secured network and the target Linux box. When the alias is enabled, the FW appears to silently drop reply packets from the Linux box. I've run tcpdump on both the Nokia DMZ interface and the secured interface and I see the same thing as in the FW logs: the ICMP echo request from the secured network hits the Linux box, the Linux box replies, but the packet never emerges from the Nokia secured interface. tcpdump shows that the Linux box is replying with the "correct" address; when I ping the first address the reply originates with the first address in the header, etc.

Note: This configuration works without the firewall in the mix. I've configured Linux identically on identical hardware and IP aliasing works fine, so there is not a problem with the Linux IP aliasing per se.

Oddly, if the Linux box on the DMZ originates the ICMP packets, the requests are able to reach the secured network (and the replies reach the Linux box). tcpdump shows that (correctly) when the source is internal the packets are NATed and the Linux box replies to the NAT address, and when the source is on the DMZ nothing is NATed.

This does not appear to be an ARP problem because other machines on the DMZ (including the Nokia) have accurate ARP entries for the Linux box's first address and alias.

I'm at a loss as to why merely enabling IP aliasing causes FW-1 to silently drop packets. Any help would be much appreciated.

Matt

--
Matthew S. Cramer <[email protected]>
Lead Security Analyst
Armstrong Information Technology Services
Armstrong World Industries, Inc.
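The diagnostic method the post describes, capturing on both firewall interfaces and checking where the echo reply disappears, can be automated. The script below is an added example and is not code from the poster or from Check Point; it parses a simplified tcpdump line format, and the two capture excerpts, the secured-side host 192.168.1.10 and the hide-NAT address 10.0.0.254 are constructed values. It assumes the ICMP id/seq fields survive the firewall's NAT unchanged, so a request/reply pair can be keyed on the DMZ target address plus id/seq rather than on the (rewritten) secured-side address.

```python
import re
from collections import defaultdict

# Simplified tcpdump ICMP line, e.g.
# "12:00:00.100 IP 192.168.1.10 > 10.0.0.1: ICMP echo request, id 7, seq 1, length 64"
LINE_RE = re.compile(
    r"IP (?P<src>[\d.]+) > (?P<dst>[\d.]+): ICMP echo (?P<kind>request|reply), "
    r"id (?P<id>\d+), seq (?P<seq>\d+)"
)


def parse_icmp(lines):
    """Yield (kind, src, dst, id, seq) for every ICMP echo line; skip the rest."""
    for line in lines:
        m = LINE_RE.search(line)
        if m:
            yield (m["kind"], m["src"], m["dst"], int(m["id"]), int(m["seq"]))


def flow_key(kind, src, dst, ident, seq):
    """Key a request/reply pair on the DMZ target plus ICMP id/seq.

    The target is the destination of a request and the source of a reply.
    Keying on it rather than on the secured-side host keeps the key stable
    across the hide NAT, which rewrites only the secured host's address
    (assumption: id/seq are not rewritten by the firewall)."""
    target = dst if kind == "request" else src
    return (target, ident, seq)


def correlate(captures):
    """captures: {interface_name: [tcpdump lines]}.

    Returns {flow_key: set of "request@iface" / "reply@iface" events}."""
    seen = defaultdict(set)
    for iface, lines in captures.items():
        for rec in parse_icmp(lines):
            seen[flow_key(*rec)].add(f"{rec[0]}@{iface}")
    return seen


def find_dropped_replies(captures, inside="secured", outside="dmz"):
    """Return sorted keys whose reply was captured on the outside (DMZ)
    interface but never emerged on the inside (secured) interface, i.e. was
    dropped within the firewall on the return path."""
    dropped = []
    for key, events in sorted(correlate(captures).items()):
        if f"reply@{outside}" in events and f"reply@{inside}" not in events:
            dropped.append(key)
    return dropped


# Constructed sample captures: seq 1 is taken before the alias is added and
# passes; seq 2 (first address) and seq 3 (alias) are taken after and the
# replies are seen on the DMZ side only, as the post describes.
SAMPLE = {
    "secured": [
        "12:00:00.100 IP 192.168.1.10 > 10.0.0.1: ICMP echo request, id 7, seq 1, length 64",
        "12:00:00.102 IP 10.0.0.1 > 192.168.1.10: ICMP echo reply, id 7, seq 1, length 64",
        "12:00:01.100 IP 192.168.1.10 > 10.0.0.1: ICMP echo request, id 7, seq 2, length 64",
        "12:00:02.100 IP 192.168.1.10 > 10.0.0.2: ICMP echo request, id 7, seq 3, length 64",
    ],
    "dmz": [
        "12:00:00.101 IP 10.0.0.254 > 10.0.0.1: ICMP echo request, id 7, seq 1, length 64",
        "12:00:00.101 IP 10.0.0.1 > 10.0.0.254: ICMP echo reply, id 7, seq 1, length 64",
        "12:00:01.101 IP 10.0.0.254 > 10.0.0.1: ICMP echo request, id 7, seq 2, length 64",
        "12:00:01.101 IP 10.0.0.1 > 10.0.0.254: ICMP echo reply, id 7, seq 2, length 64",
        "12:00:02.101 IP 10.0.0.254 > 10.0.0.2: ICMP echo request, id 7, seq 3, length 64",
        "12:00:02.101 IP 10.0.0.2 > 10.0.0.254: ICMP echo reply, id 7, seq 3, length 64",
    ],
}


if __name__ == "__main__":
    for target, ident, seq in find_dropped_replies(SAMPLE):
        print(f"reply from {target} (id {ident}, seq {seq}) seen on dmz, "
              f"missing on secured: dropped inside the firewall")
```

Run it against real captures by replacing SAMPLE with the line lists from `tcpdump -ni <iface> icmp` on each Nokia interface; a flow that shows up in the output but produces no drop entry in the FW-1 log is exactly the silent drop the post is chasing, which narrows the search to stateful-inspection or NAT handling rather than the rulebase.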