
[FW-1] IP aliases in a box on DMZ



Background:

Nokia IPSO 3.3 running FW-1 4.1 SP3 (Build 41821) is configured with
three interfaces: secured, DMZ, public.  A Linux box (SuSE 7.2, kernel
2.4.4) is connected to the DMZ.  The FW-1 policy is configured to NAT the
secured network, including when it connects to the DMZ.  10/100 switches
are used on all networks.  FW-1 is configured to log all implied rules.

The Linux box is configured with an address on the DMZ network, 10.0.0.1.
When I add an alias (using # ifconfig eth0:0 10.0.0.2), the FW blocks
connections to the machine on both the first address and the alias.  I've
stepped up logging with some rules at the top of my ruleset, including
logging every ICMP packet between a machine on the secured network and the
target Linux box.  When the alias is enabled, the FW appears to silently
drop reply packets from the Linux box.  I've run tcpdump on both the
Nokia DMZ interface and the secured interface, and I see the same thing as
in the FW logs: the ICMP echo request from the secured network hits the Linux
box, the Linux box replies, but the packet never emerges from the Nokia
secured interface.  tcpdump shows that the Linux box is replying with the
"correct" address; when I ping the first address, the reply originates with
the first address in the header, etc.

Note: This configuration works without the firewall in the mix.  I've
configured Linux identically on identical hardware and IP aliasing works
fine, so there is not a problem with the Linux IP aliasing per se.

Oddly, if the Linux box on the DMZ originates the ICMP packets, the
requests are able to reach the secured network (and the replies reach the
Linux box).  tcpdump shows that (correctly) when the source is internal,
the packets are NATed and the Linux box replies to the NAT address, and
when the source is on the DMZ, nothing is NATed.

This does not appear to be an ARP problem because other machines on the
DMZ (including the Nokia) have accurate ARP entries for the Linux box's
first address and alias.

I'm at a loss as to why merely enabling IP aliasing causes FW-1 to
silently drop packets.  Any help would be much appreciated.


Matt

--
Matthew S. Cramer <[email protected]>          Office:
Lead Security Analyst                           Fax:
Armstrong Information Technology Services       Pager:
Armstrong World Industries, Inc.                Cell:
===============================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
===============================================
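The post isolates the fault by capturing on both firewall interfaces and comparing what enters the DMZ side with what leaves the secured side. The script below is an added example (not part of the original post, and not Check Point or Nokia tooling) that automates that comparison: it parses tcpdump ICMP echo lines from two captures, pairs requests and replies by ICMP id and sequence number so that the hide NAT on the secured network does not break the match, and reports which replies left the DMZ host but never emerged on the secured interface. The capture lines are constructed for illustration. 10.0.0.1 and 10.0.0.2 are the addresses from the post; 10.0.0.254 (the firewall's NAT address on the DMZ) and 192.168.1.10 (the pinging host on the secured network) are assumptions. It also assumes the firewall preserves the ICMP id across NAT; if your firewall rewrites it, key on sequence number and arrival order instead.

```python
"""Correlate ICMP echo traffic captured on the two firewall interfaces.

Added example, not code from the original post.  Feed it the text output of
    tcpdump -n -i <dmz-interface>      icmp
    tcpdump -n -i <secured-interface>  icmp
run on the firewall (or on taps beside it) while pinging the DMZ host.
"""
import re

# tcpdump's ICMP echo line format, e.g.
#   IP 10.0.0.254 > 10.0.0.1: ICMP echo request, id 4242, seq 1, length 64
ICMP_RE = re.compile(
    r"IP (?P<src>[\d.]+) > (?P<dst>[\d.]+): ICMP echo (?P<kind>request|reply), "
    r"id (?P<id>\d+), seq (?P<seq>\d+)"
)

# Constructed sample captures (not real data).  10.0.0.254 is the assumed
# hide-NAT address of the firewall on the DMZ; 192.168.1.10 is the assumed
# pinging host on the secured network.
DMZ_CAPTURE = [
    "12:00:01.000001 IP 10.0.0.254 > 10.0.0.1: ICMP echo request, id 4242, seq 1, length 64",
    "12:00:01.000200 IP 10.0.0.1 > 10.0.0.254: ICMP echo reply, id 4242, seq 1, length 64",
    "12:00:02.000001 IP 10.0.0.254 > 10.0.0.2: ICMP echo request, id 4243, seq 1, length 64",
    "12:00:02.000200 IP 10.0.0.2 > 10.0.0.254: ICMP echo reply, id 4243, seq 1, length 64",
    "12:00:03.000100 ARP, Request who-has 10.0.0.2 tell 10.0.0.254, length 28",  # ignored
]
SECURED_CAPTURE = [
    "12:00:01.000000 IP 192.168.1.10 > 10.0.0.1: ICMP echo request, id 4242, seq 1, length 64",
    "12:00:02.000000 IP 192.168.1.10 > 10.0.0.2: ICMP echo request, id 4243, seq 1, length 64",
    # no echo replies ever appear on the secured side
]


def parse_icmp(lines):
    """Return one dict per ICMP echo line; non-matching lines are skipped."""
    packets = []
    for line in lines:
        m = ICMP_RE.search(line)
        if m:
            p = m.groupdict()
            p["id"], p["seq"] = int(p["id"]), int(p["seq"])
            packets.append(p)
    return packets


def correlate(dmz_lines, secured_lines):
    """Match packets across the two captures by (kind, id, seq).

    Addresses are deliberately not part of the key: the secured-side request
    carries the real source and the DMZ-side copy carries the NAT address.
    Returns the DMZ-side target address for each forwarded request, and the
    DMZ host address for each reply that was or was not forwarded.
    """
    key = lambda p: (p["kind"], p["id"], p["seq"])
    dmz = {key(p): p for p in parse_icmp(dmz_lines)}
    sec = {key(p): p for p in parse_icmp(secured_lines)}
    report = {"requests_forwarded": [], "replies_forwarded": [], "replies_dropped": []}
    for k, p in sorted(dmz.items()):
        if p["kind"] == "request":
            if k in sec:
                report["requests_forwarded"].append(p["dst"])
        elif k in sec:
            report["replies_forwarded"].append(p["src"])
        else:
            report["replies_dropped"].append(p["src"])
    return report


if __name__ == "__main__":
    r = correlate(DMZ_CAPTURE, SECURED_CAPTURE)
    print("requests reaching the DMZ host :", r["requests_forwarded"])
    print("replies leaving the firewall   :", r["replies_forwarded"])
    print("replies dropped in the firewall:", r["replies_dropped"])
```

Replies that show up in `replies_dropped` were emitted by the DMZ host and entered the firewall's DMZ interface, so the loss is inside the firewall rather than on the host; if the first address and the alias both appear there, as in the sample, the problem is not specific to the aliased address.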
   All contents © 2004 Network Presence, LLC. All rights reserved.