
Re: [FW-1] FW-1-MAILINGLIST Digest - 26 Oct 2001 to 27 Oct 2001 (#2001-24)


  • To: [email protected]
  • Subject: Re: [FW-1] FW-1-MAILINGLIST Digest - 26 Oct 2001 to 27 Oct 2001 (#2001-24)
  • From: Mark Thompson <[email protected]>
  • Date: Mon, 29 Oct 2001 09:49:00 -0700
  • Importance: Normal
  • In-reply-to: <3E967765DF7AD411BE5200508B8FA2E801B3B641@EXCHANGE>
  • Reply-to: Mailing list for discussion of Firewall-1 <[email protected]>
  • Sender: Mailing list for discussion of Firewall-1 <[email protected]>


-----Original Message-----
From: Mailing list for discussion of Firewall-1
[mailto:[email protected]]On Behalf Of
Automatic digest processor
Sent: Sunday, October 28, 2001 1:00 AM
To: Recipients of FW-1-MAILINGLIST digests
Subject: FW-1-MAILINGLIST Digest - 26 Oct 2001 to 27 Oct 2001 (#2001-24)


There are 15 messages totalling 1437 lines in this issue.

Topics of the day:

  1. R: [FW-1] Novice with log viewing
  2. Ian Hogg2/UK/IBM is out of the office.
  3. Solaris 8 with checkpoint one 4.1.2
  4. Nokia IP330 Configuration questions
  5. Time change and FW1
  6. NAT and Lost Connections
  7. Help configuring FTP PAssive mode
  8. [vpn] RE: [FW-1] VPN with OSPF for Failover (2)
  9. messages : /bootpd: Error 0 - in Log
 10. Log entries
 11. [FW1] FW1 error message
 12. Webmail Sites
 13. Problem when rebooting LAN clients
 14. <No subject given>

===============================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
===============================================

----------------------------------------------------------------------

Date:    Sat, 27 Oct 2001 09:53:28 +0200
From:    Francesco Luconi <[email protected]>
Subject: R: [FW-1] Novice with log viewing

Maybe just a problem of conversion? Did you check the ASCII/BIN status?

I suggest in any case to zip/gzip the file and then ftp them in binary mode.



-----Original Message-----
From: Mailing list for discussion of Firewall-1
[mailto:[email protected]]On Behalf Of A/I
Roberto A. Carriquiry
Sent: Friday, 26 October 2001 15:01
To: [email protected]
Subject: [FW-1] Novice with log viewing


I am sorry to ask such a novice "like question", but it would be of much
help if someone can answer me.
I am using Nokia 330 Firewall with ipso. In order to FTP out the log files
weekly I made a small script that does the fw logswitch and the upload of
the log files into a ftp server.

The problem comes when I try to view the logs I backed up. I do the FTP in
the other direction (I mean INTO the IPSO) and try to view those files with
the GUI but it rejects saying that the files are not valid LOG files.

Am I doing something wrong? Is there another way to consult the log files
without restoring them into the IPSO again?

Many thanks.

Roberto
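
Added example (not part of the original posts): a simplified Python model of the ASCII/binary mismatch suggested in the reply above, showing why a gzip wrapper and a recorded hash expose the damage before the file reaches the log viewer. It assumes ASCII mode only rewrites line endings; the sample log bytes and all function names are constructed for illustration and are not the real FW-1 log format.

```python
import gzip
import hashlib
import zlib


def build_sample_log(records=256):
    """Constructed stand-in for a binary log file (not the real FW-1 format)."""
    out = bytearray(b"SAMPLELOG\x00\x01\r\n\x1a\n")  # header holding CR and LF bytes
    seed = b"constructed-record"
    for i in range(records):
        seed = hashlib.sha256(seed).digest()          # high-entropy payload
        out += i.to_bytes(4, "big") + seed
    return bytes(out)


def ascii_upload(data):
    """Simplified ASCII-mode send: every LF goes onto the wire as CR LF."""
    return data.replace(b"\n", b"\r\n")


def ascii_download(data):
    """Simplified ASCII-mode receive on a Unix-like host: CR LF becomes LF."""
    return data.replace(b"\r\n", b"\n")


def binary_transfer(data):
    """Binary (image) mode: bytes are copied unchanged."""
    return bytes(data)


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def gzip_wrap(data):
    """Compress before transfer; mtime=0 keeps the output reproducible."""
    return gzip.compress(data, mtime=0)


def gzip_intact(blob):
    """True if blob is a complete gzip member whose CRC and length check out."""
    try:
        gzip.decompress(blob)
        return True
    except (OSError, EOFError, zlib.error):
        return False


def check_round_trip(original, upload, download):
    """Send a file out and bring it back; report whether it survived."""
    returned = download(upload(original))
    return {
        "size_before": len(original),
        "size_after": len(returned),
        "hash_matches": sha256_hex(original) == sha256_hex(returned),
    }


if __name__ == "__main__":
    log = build_sample_log()
    archive = gzip_wrap(log)
    print("binary both ways  :", check_round_trip(log, binary_transfer, binary_transfer))
    print("ASCII up, bin down:", check_round_trip(log, ascii_upload, binary_transfer))
    print("bin up, ASCII down:", check_round_trip(log, binary_transfer, ascii_download))
    print("gzip after binary :", gzip_intact(binary_transfer(archive)))
    print("gzip after ASCII  :", gzip_intact(ascii_upload(archive)))
```

Recording the hash next to the archive at logswitch time gives a second check that does not depend on the compression format.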


------------------------------

Date:    Sat, 27 Oct 2001 08:53:28 +0100
From:    Ian Hogg2 <[email protected]>
Subject: Ian Hogg2/UK/IBM is out of the office.

I will be out of the office starting October 26, 2001 and will not return
until November 5, 2001.

------------------------------

Date:    Sat, 27 Oct 2001 12:19:34 +0200
From:    Nico De Ranter <[email protected]>
Subject: Re: Solaris 8 with checkpoint one 4.1.2

You'll need SP4(?) or SP5 to run FW-1 on Solaris 8 (32-bit only!!!).
However you can't install SP4/5 if FW-1 so here is the trick: edit
the "InstallU" installation script. Uncomment the section that checks
the Solaris version:

[...snip...]
OS_TYPE=`uname`
#if [ "$OS_TYPE" = 'SunOS' ] ; then
  OS_REV=`uname -r`
#  if [ $OS_REV = '5.8' ] ; then
#    clear
#    echo "WARNING:"
#    echo "Solaris 2.8 is not supported by Check Point 2000, Service Pack 2."
#    exit 1
#  fi
OS_TYPE=`uname -p`
#fi
[...snip...]

Now you should be able to install FW-1. Make sure to upgrade IMMEDIATELY to
SP4 or SP5.

Note/disclaimer: I only tested this with the management console! Since the
firewall module will probably make changes to the kernel I'm not sure what
will happen. So make sure not to start the firewall or reboot the machine
before you upgraded to SP4 or SP5!!!!


Nico

ps: to check whether you are running Solaris 8 in 32 or 64 bit: isainfo -b

On Fri, Oct 26, 2001 at 05:50:38PM -0200, Medeiros, Claudio wrote:
> Hi !
>
> Is anyone running Solaris 8 with Checkpoint1 4.1.2 ???  Has anyone
> implemented this solution?
>
> Because I had the following problems when installing the Checkpoint 4.1.2
> Warning:  Solaris 2.8 is not supported by check point 2000, service pack 2.
>
> Then I tried to install checkpoint1 4.1.1 and had the following msg:
> DEVFSADM: Device sucessfully created by failed to attach:  Installation
> aborted.
>
> Next step is to try to install NG.
>
> I Appreciate any feedback.
>
> Claudio
>
---------------------------------------------------------
 "It has been said that there are only two businesses that
  refer to customers as users: illegal drug trade and
               the computer industry."
---------------------------------------------------------
Nico De Ranter
Sony Service Center (SDCE/VPE-B)
Sint Stevens Woluwestraat 55 (Rue de Woluwe-Saint-Etienne)
1130 Brussel (Bruxelles), Belgium, Europe, Earth
Telephone: +32 2 724 86 41 Telefax: +32 2 726 26 86
e-mail: [email protected]

------------------------------

Date:    Sat, 27 Oct 2001 11:14:53 +0100
From:    "Tim Holman (home)" <[email protected]>
Subject: Re: Nokia IP330 Configuration questions

Drivers are included in the supported version of IPSO for this device, so
the 330 will pick it up straightaway and let you configure via Voyager.
You may want to consult the owner of the other end of your T1 connection to
make sure all the settings are compatible.
Check with Nokia that you have the right version of IPSO.  If you've got to
upgrade from 3.2.1, then remember you have to upgrade boot manager
separately otherwise your box won't come back up... :)


-----Original Message-----
From: Mailing list for discussion of Firewall-1
[mailto:[email protected]]On Behalf Of Kelly,
Patrick
Sent: 26 October 2001 20:32
To: [email protected]
Subject: [FW-1] Nokia IP330 Configuration questions


I am looking at the Nokia IP330
I have ordered the T1/E1 wan card and have questions about deployment.

Is the documentation shipping with the device adequate to install and
configure this card component?

If my company wants to upgrade the T1 circuit from 1.5 M to 3.0 M will this
card handle that?

Thanks for your time.

Patrick Kelly




**********************************************************************
This email and any files transmitted with it are confidential and
intended solely for the use of the individual or entity to whom they
are addressed. If you have received this email in error please notify
the system manager.

This footnote also confirms that this email message has been swept by
Dimension Data mail system for the presence of computer viruses.

www.uk.didata.com
**********************************************************************

------------------------------

Date:    Sat, 27 Oct 2001 11:14:59 +0100
From:    "Tim Holman (home)" <[email protected]>
Subject: Re: Time change and FW1


As long as all VPN and trusted firewall modules all go back 1 hour as well,
then no....

  -----Original Message-----
  From: Mailing list for discussion of Firewall-1
[mailto:[email protected]]On Behalf Of Ed
Davidson
  Sent: 26 October 2001 19:09
  To: [email protected]
  Subject: [FW-1] Time change and FW1


  Any issues with the time change going back 1 hour this weekend?  (I am
aware it doesn't affect all of us.)

  This will be my first time doing this w/FW1.

  Anything I should be aware of in the log files?

  What about my Checkpoint DNS servers?  Anything funny happen with them
when the time changes?

  Thanks!


  http://www.primeinc.com
  **********************************************************************
  This email and any files transmitted with it are confidential
  and intended solely for the use of the individual or entity to
  whom they are addressed. If you have received this email
  in error please reply to the sender of the message.

  The views expressed in this correspondence may not
  reflect the views of Prime, Inc.

  This footnote also confirms that this email message has
  been scanned for the presence of computer viruses.
  ***********************************************************************



------------------------------

Date:    Sat, 27 Oct 2001 11:14:47 +0100
From:    "Tim Holman (home)" <[email protected]>
Subject: Re: NAT and Lost Connections


Web requests will go via the secure web server
component of Check Point, and in effect are proxied.
Check Point's proxy does not fully support all kinds of web traffic,
especially xml, dhtml and webdav components, so I'd check what your remote
user is trying to do here.
If Check Point doesn't understand or support something, it will show the
connection as accepted, but then the proxy component will drop it without
any warning whatsoever !

Tim


  -----Original Message-----
  From: Mailing list for discussion of Firewall-1
[mailto:[email protected]]On Behalf Of Rob
Michayluk
  Sent: 26 October 2001 19:17
  To: [email protected]
  Subject: [FW-1] NAT and Lost Connections


  Hello,

  I am running Checkpoint 4.1 sp4 on Windows NT 4.0 sp6. I have a webserver
in a DMZ that has its address translated at the firewall. The NAT is static,
there is a route on the firewall and an entry in the local.arp file for the
webserver such that the firewall listens on the legal address and routes
traffic for the legal back to the illegal address in the DMZ. In fact,
everything works as it should most of the time. The problem is that
sometimes a host on the internet will attempt to connect to the webserver
and it gets a connection timeout error. For the failed connection, I see a
connection attempt made on the firewall and the connection is accepted, but
there is no corresponding entry on the webserver. I am trying to narrow the
field of investigation and I was wondering if anyone has seen this behaviour
for FW-1 before.

  Any information would be helpful.
  Thanks!

  Rob Michayluk
  Computer Network Services Analyst
  ACD Systems Ltd.
  The Digital Imaging Company
  Tel:Fax:[email protected]
  www.ACDSYSTEMS.com






------------------------------

Date:    Sat, 27 Oct 2001 11:14:37 +0100
From:    "Tim Holman (home)" <[email protected]>
Subject: Re: Help configuring FTP PAssive mode


Before trying to do all this 'manually', try selecting the accept FTP PASV
connections tick box in policy properties.
  -----Original Message-----
  From: Mailing list for discussion of Firewall-1
[mailto:[email protected]]On Behalf Of RBHATIA
  Sent: 26 October 2001 23:35
  To: [email protected]
  Subject: [FW-1] Help configuring FTP PAssive mode


  I have FTP active mode enabled on my firewall. Due to port failure errors
I need to switch over to FTP PASSIVE transfer mode. I need help configuring
FTP Passive mode. I've looked all over the Phoneboy.com site but came across
pages concerning the difference between Active and Passive mode but nothing
about actually enabling Passive mode ftp.

  I already have FTP control Port (21) open both coming in and going out of
my FTP server. I'm wondering about the data connection port.

  Do I need to remove the FTP data service (20) that was originally
configured for Active FTP transfers ?

  In the list of services, I see a service called FTP-PASV. Do I have to
allow this service both coming into my FTP server and going out of my FTP
server ?
  i.e. should my rulebase look like this ?
  Source       Destination    Service        Action
  FTPserver    Any            FTP-Passive    Allow
  Any          FTPserver      FTP-Passive    Allow

  In Policy - Properties - Services tab - I have the Enable FTP_PORT Data
Connections and Enable FTP_PASV Data connections options already checked.

  Please advise.
  Thanks.
  RB
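
Added example (not from the original thread, and not Check Point's own code): a simplified Python model of the control-channel tracking that a stateful firewall performs for FTP. It parses the PORT command and the 227 PASV reply seen on port 21 and derives the single data connection to expect, which is the general mechanism that makes a static rule for the data port unnecessary. The addresses, the transcript and the function names are constructed for illustration.

```python
import ipaddress
import re

# RFC 959: six decimal fields h1,h2,h3,h4,p1,p2 give address h1.h2.h3.h4
# and port p1*256 + p2.
_SIX_FIELDS = re.compile(
    r"(?<!\d)(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})(?!\d)"
)


def parse_endpoint(text):
    """Return (ip, port) from a PORT argument or a 227 reply, or None if malformed."""
    m = _SIX_FIELDS.search(text)
    if not m:
        return None
    fields = [int(x) for x in m.groups()]
    if any(f > 255 for f in fields):
        return None
    ip = ".".join(str(f) for f in fields[:4])
    return ip, fields[4] * 256 + fields[5]


def expected_data_connections(transcript, client_ip, server_ip):
    """Walk a control-channel transcript and list the data connections to expect.

    transcript: list of (sender, line); sender is "C" (client) or "S" (server).
    """
    expected = []
    for sender, line in transcript:
        line = line.strip()
        if sender == "C" and line.upper().startswith("PORT "):
            # Active mode: the client names its own listener and the server
            # dials in, by convention from source port 20 (ftp-data).
            mode, advertiser, initiator = "active", client_ip, server_ip
        elif sender == "S" and line.startswith("227"):
            # Passive mode: the server names its listener, the client dials in.
            mode, advertiser, initiator = "passive", server_ip, client_ip
        else:
            continue
        endpoint = parse_endpoint(line)
        if endpoint is None:
            expected.append({"mode": mode, "note": "malformed, nothing opened"})
            continue
        ip, port = endpoint
        note = "ok"
        if ipaddress.ip_address(ip) != ipaddress.ip_address(advertiser):
            # Announced address differs from the control-channel peer, e.g. a
            # server behind static NAT announcing its untranslated address.
            note = "address mismatch"
        elif port < 1024:
            note = "privileged port"
        expected.append({"mode": mode, "src": initiator, "dst": ip,
                         "dst_port": port, "note": note})
    return expected


# Constructed sample session (documentation addresses, not from the thread).
CLIENT = "198.51.100.7"
SERVER = "192.0.2.10"
TRANSCRIPT = [
    ("S", "220 FTP server ready"),
    ("C", "USER anonymous"),
    ("S", "331 Password required"),
    ("C", "PASS guest"),
    ("S", "230 Logged in"),
    ("C", "PORT 198,51,100,7,19,137"),                        # 19*256 + 137
    ("S", "200 PORT command successful"),
    ("C", "PASV"),
    ("S", "227 Entering Passive Mode (192,0,2,10,195,80)"),   # 195*256 + 80
    ("C", "PASV"),
    ("S", "227 Entering Passive Mode (10,1,1,5,195,81)"),     # untranslated address
]

if __name__ == "__main__":
    for conn in expected_data_connections(TRANSCRIPT, CLIENT, SERVER):
        print(conn)
```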



------------------------------

Date:    Sat, 27 Oct 2001 11:14:30 +0100
From:    "Tim Holman (home)" <[email protected]>
Subject: Re: [vpn] RE: [FW-1] VPN with OSPF for Failover

What's he doing considering firewall technology if all he needs is an
overlying VPN mesh ?
As long as each node does not require local internet breakout, then they
don't need any firewalls.
VPN-only hardware is far cheaper than anything with the word firewall in it !
I always thought you could buy an add on OSPF license for Nokia boxes ?
After all, there is a menu option for it under Voyager !




-----Original Message-----
From: Mailing list for discussion of Firewall-1
[mailto:[email protected]]On Behalf Of
Cardona, Alberto
Sent: 26 October 2001 18:13
To: [email protected]
Subject: Re: [FW-1] [vpn] RE: [FW-1] VPN with OSPF for Failover


As for security involving protecting the VPN appliance.
Is it safe to assume the Firewall capabilities of the Cisco Router add-on
Firewall package (CBAC) is equivalent to
Check Point FW-1?  We are now comparing Firewall to Firewall.
If they are comparable.
Then I should be able to replace my Check Point firewall with a Cisco Router
using its firewall add-on package.

One more thing involving Multicast.
Does the IP stack of a Nokia or Cisco support ip-multicast protected by
IPSec?
I read a document regarding this proposal.
It was called "An IPSec-based Host Architecture for Secure Internet
Multicast"
I guess it is similar to IAB SMuG.



Regards,


AC

-----Original Message-----
From: Stephen Hope [mailto:[email protected]]
Sent: Friday, October 26, 2001 4:10 AM
To: 'Cardona, Alberto'; 'Chris Arnold';
'[email protected] '; [email protected]
Subject: RE: [vpn] RE: [FW-1] VPN with OSPF for Failover


Alberto,

i work as a designer / consultant for a UK reseller of both cisco and nokia
- so i have some bias for this type of project.

1 point - the Nokia running checkpoint does support OSPF.

your friend may be able to extend his VPN to the new site, then interconnect
at the 2 hub point and exchange OSPF routes with the cisco system.

If nothing else this should reduce capital cost and project complexity,
although i think your "all cisco" design could be cheaper in year on year
support charges.

However, the critical bit with a hybrid system is what happens under fault
conditions - the checkpoint topology you describe probably doesn't react
effectively to system faults - your description implies there isn't any
resilience at the moment, whereas a dual centred star type topology can
survive a hub site failure.

If you can make the nokia system reroute around a fault (the major fault to
worry about is failure of a hub site), then the existing VPN will interwork
OK - if you can't resolve that issue then replacement may be the only option.

standing back from this i have 2 comments:

1.      If voice transport is an issue, then the requirement MUST be written
down in the project scope for this migration - your friend should be giving
input to that process. Hopefully, if it isn't, there is some broad comment
somewhere about "maintain existing services and performance"

2.      This is a classic example of a project which needs to be modelled on
a bench before anyone tinkers with the real network - you are not going to
get clear unambiguous known solutions to this unless you "kick the tires"
before you start.

It is possible that the proposal for cisco replacement is there to give
either a worst case cost model, or a system design which reduces skills,
support costs and so on - if you don't know what is important is setting the
project up, and make sure existing requirements are taken into account, then
this migration is going to be difficult.

Finally, check to see if existing uses have been taken into account - Nokia
is often used as a remote access gateway, and a change to cisco may involve
reworking every RAS client to go from checkpoint VPN client to Cisco......

regards

Stephen

Stephen Hope C. Eng, Network Consultant, [email protected],
Energis UK, WWW: http://www.energis.com
Carrington Business Park, Carrington, Manchester , UK. M31 4ZU
Tel: +44 (0)Mob: +44 (0)7767 256 180 Fax: +44 (0)161 776
4189


> -----Original Message-----
> From: Cardona, Alberto [mailto:[email protected]]
> Sent: 25 October 2001 16:55
> To: 'Chris Arnold'; '[email protected] ';
> [email protected]
> Subject: [vpn] RE: [FW-1] VPN with OSPF for Failover
>
>
> What I want to do is for my friend's remote vpn sites (10) to fail over to
> his secondary VPN HUB.
> Here is his scenario.
>
> He just got acquired by another company.
> His current company relies on a Full blown IPsec VPN mesh with a backup
> ISDN.
> He is running Voice over IP thru his IPsec 3DES VPN.
>
> This new company relies on a LARGE Frame network that runs OSPF on Cisco's.
> They now want to implement a VPN running OSPF because they use OSPF.
> They installed a frame link from his location (New York) to their
> headquarters (Detroit).
> Now they want to implement a secondary location (Houston) which has an
> internet connection and a frame connection back into the headquarters
> (Detroit).
> They want this secondary location (Houston) to be a backup in case his
> location (New York) fails for his remote sites.
>
> Someone within this new company mentioned that his current Nokia/Check Point
> solution won't work with the failover design because IPsec can't handle
> multicast broadcast traffic (ex OSPF).
> They need to run OSPF for a failover design.
>
> Their solution is to REMOVE all of his Nokia/Check Point and implement a
> Cisco Router based VPN design.
> Cisco's 1750 for Remote sites and 7140 for each Hub.
> Each router both remote site and hub will have Cisco's firewall/IDS package
> and encryption module
> The Cisco's VPN tunnels are going to be using GRE encapsulation for the
> OSPF.
> In case of a failover to the Secondary HUB and OSPF will update the Frame
> network regarding the failover.
> IPsec 3DES for the data encryption.
> This new design is not going to be a MESH but a Hub and Spoke.
>
> His problem with this HUB and SPOKE design is this.
>
> 1).  He is afraid because this design relies on a 1 tier security design.
>      The Cisco's routers will be handling the VPN, Routing Protocols,
>      Firewall, and IDS on each router.
>      His current design is 2 tier level.
>      Cisco for the Internet router and Nokia/Check Point for VPN/Firewall
>
> 2).  He thinks his Voice over IP will fail between remote
> sites because the
> MESH will be gone.
>
> 3).  The performance an the Cisco.  Would they be able to
> handle the load?
>      Since they will be doing everything. (VPN, Routing, and IDS)
>
> Has anyone implemented this solution?
>
>
>
> AC
>
>
>
> -----Original Message-----
> From: Chris Arnold [mailto:[email protected]]
> Sent: Wednesday, October 24, 2001 10:12 PM
> To: 'Cardona, Alberto ';
> '[email protected] '
> Subject: RE: [FW-1] VPN with OSPF
>
>
> That depends on what you mean by "running site to site IPsec VPNs and using
> OSPF."  Do you mean tunneling OSPF through an IPSec tunnel for some reason
> or using OSPF to route traffic to available VPN endpoints before going
> through a tunnel or on your edge routers once your VPN traffic has been
> encapsulated?
>
> Chris
>
> -----Original Message-----
> From: Cardona, Alberto
> To: [email protected]
> Sent: 10/24/01 4:16 PM
> Subject: [FW-1] VPN with OSPF
>
> Is anyone running site to site IPsec VPNs and using OSPF?
> If so did you have to implement GRE?
>
>
> Thanks
>
>
> AC

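The reasoning behind the GRE proposal quoted in the message above, as an added example that is not part of the original thread: an OSPF hello is sent to the multicast group 224.0.0.5, so a site-to-site IPsec selector written for unicast subnets never matches it, while the same packet wrapped in GRE carries a unicast outer header that a selector can match. All addresses, subnets and function names are constructed for illustration.

```python
import ipaddress
import struct

OSPF_PROTO, GRE_PROTO = 89, 47
ALL_SPF_ROUTERS = "224.0.0.5"  # OSPF AllSPFRouters multicast group


def checksum(data: bytes) -> int:
    """RFC 1071 Internet checksum over an even-length header."""
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def ipv4(src: str, dst: str, proto: int, payload: bytes, ttl: int = 64) -> bytes:
    """Prepend a minimal 20-byte IPv4 header (no options) to payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0,
                      ttl, proto, 0,
                      ipaddress.IPv4Address(src).packed,
                      ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:] + payload


def gre_encapsulate(inner: bytes, tunnel_src: str, tunnel_dst: str) -> bytes:
    """Wrap an IPv4 packet in a basic GRE header (no flags, type 0x0800)."""
    gre_header = struct.pack("!HH", 0, 0x0800)
    return ipv4(tunnel_src, tunnel_dst, GRE_PROTO, gre_header + inner)


def selector_matches(packet: bytes, src_net: str, dst_net: str, proto=None) -> bool:
    """Would a unicast IPsec selector (src net, dst net, protocol) pick this up?"""
    src = ipaddress.IPv4Address(packet[12:16])
    dst = ipaddress.IPv4Address(packet[16:20])
    return (src in ipaddress.ip_network(src_net)
            and dst in ipaddress.ip_network(dst_net)
            and (proto is None or packet[9] == proto))


def demo() -> dict:
    # Constructed OSPFv2 hello header (24 bytes, checksum left at zero).
    hello = struct.pack("!BBH4s4sHHQ", 2, 1, 24, bytes([10, 1, 1, 1]),
                        bytes(4), 0, 0, 0)
    ospf = ipv4("10.1.1.1", ALL_SPF_ROUTERS, OSPF_PROTO, hello, ttl=1)
    # Constructed tunnel endpoints (documentation address ranges).
    gre = gre_encapsulate(ospf, "192.0.2.1", "198.51.100.1")
    return {
        # Site-to-site selector between two LANs: the multicast hello is missed.
        "raw_ospf_matched": selector_matches(ospf, "10.1.0.0/16", "10.2.0.0/16"),
        # Selector for GRE between the two tunnel endpoints: matched.
        "gre_matched": selector_matches(gre, "192.0.2.1/32",
                                        "198.51.100.1/32", GRE_PROTO),
        # The hello survives intact behind outer IP (20) + GRE (4) bytes.
        "inner_intact": gre[24:] == ospf,
    }


if __name__ == "__main__":
    print(demo())
```
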
------------------------------

Date:    Sat, 27 Oct 2001 14:06:10 UTC
From:    Juan Concepcion <[email protected]>
Subject: Re: [vpn] RE: [FW-1] VPN with OSPF for Failover

You don't need to buy an add on license to enable any of the
Configurations for OSPF, you simply have to activate it.

On Sat, 27 Oct 2001 11:14:30 +0100, Stephen Hope
[mailto:[email protected]] wrote:
>What's he doing considering firewall technology if all he needs is an
>overlying VPN mesh ?
>As long as each node does not require local internet breakout, then they
>don't need any firewalls.
>VPN-only hardware is far cheaper than anything with the word firewall in it !
>I always thought you could buy an add on OSPF license for Nokia boxes ?
>After all, there is a menu option for it under Voyager !
>
>-----Original Message-----
>From: Mailing list for discussion of Firewall-1
>[mailto:[email protected]]On Behalf Of
>Cardona, Alberto
>Sent: 26 October 2001 18:13
>To: [email protected]
>Subject: Re: [FW-1] [vpn] RE: [FW-1] VPN with OSPF for Failover
>
>
>As for security involving protecting the VPN appliance.
>Is it safe to assume the Firewall capabilities of the Cisco Router add-on
>Firewall package (CBAC) is equivalent to
>Check Point FW-1?  We are now comparing Firewall to Firewall.
>If they are comparable.
>Then I should be able to replace my Check Point firewall with a Cisco Router
>using its firewall add-on package.
>
>One more thing involving Multicast.
>Does the IP stack of a Nokia or Cisco support ip-multicast protected by
>IPSec?
>I read a document regarding this proposal.
>It was called "An IPSec-based Host Architecture for Secure Internet
>Multicast"
>I guess it is similar to IAB SMuG.
>
>
>
>Regards,
>
>
>AC
>
>-----Original Message-----
>From: Stephen Hope [mailto:[email protected]]
>Sent: Friday, October 26, 2001 4:10 AM
>To: 'Cardona, Alberto'; 'Chris Arnold';
>'[email protected] '; [email protected]
>Subject: RE: [vpn] RE: [FW-1] VPN with OSPF for Failover
>
>
>Alberto,
>
>I work as a designer / consultant for a UK reseller of both Cisco and Nokia
>- so I have some bias for this type of project.
>
>1 point - the Nokia running Checkpoint does support OSPF.
>
>Your friend may be able to extend his VPN to the new site, then interconnect
>at the 2 hub point and exchange OSPF routes with the Cisco system.
>
>If nothing else this should reduce capital cost and project complexity,
>although I think your "all Cisco" design could be cheaper in year on year
>support charges.
>
>However, the critical bit with a hybrid system is what happens under fault
>conditions - the Checkpoint topology you describe probably doesn't react
>effectively to system faults - your description implies there isn't any
>resilience at the moment, whereas a dual centred star type topology can
>survive a hub site failure.
>
>If you can make the Nokia system reroute around a fault (the major fault to
>worry about is failure of a hub site), then the existing VPN will interwork
>OK - if you can't resolve that issue then replacement may be the only option.
>
>Standing back from this I have 2 comments:
>
>1.      If voice transport is an issue, then the requirement MUST be written
>down in the project scope for this migration - your friend should be giving
>input to that process. Hopefully, if it isn't, there is some broad comment
>somewhere about "maintain existing services and performance".
>
>2.      This is a classic example of a project which needs to be modelled on
>a bench before anyone tinkers with the real network - you are not going to
>get clear unambiguous known solutions to this unless you "kick the tires"
>before you start.
>
>It is possible that the proposal for Cisco replacement is there to give
>either a worst case cost model, or a system design which reduces skills,
>support costs and so on - if you don't know what is important in setting the
>project up, and make sure existing requirements are taken into account, then
>this migration is going to be difficult.
>
>Finally, check to see if existing uses have been taken into account - Nokia
>is often used as a remote access gateway, and a change to Cisco may involve
>reworking every RAS client to go from Checkpoint VPN client to Cisco......
>
>regards
>
>Stephen
>
>Stephen Hope C. Eng, Network Consultant, [email protected],
>Energis UK, WWW: http://www.energis.com
>Carrington Business Park, Carrington, Manchester , UK. M31 4ZU
>Tel: +44 (0)Mob: +44 (0)7767 256 180 Fax: +44 (0)161 776 4189

------------------------------

Date:    Sat, 27 Oct 2001 09:27:26 -0500
From:    Jesus Corrales - Soporte de Sistemas <[email protected]>
Subject: messages : /bootpd: Error 0 - in Log

Hi all

Does anybody know why this message is appearing in my Sun log:

inetd[15079]: execv /usr/sbin/bootpd: Error 0


Thank you

------------------------------

Date:    Sat, 27 Oct 2001 14:24:58 -0400
From:    Dick Conrad <[email protected]>
Subject: Log entries

Hi:

Our FW-1 log is displaying an increasing number of incoming http
requests that show no destination address, protocol, port, rule, etc. We
are not getting complaints about access to internal servers.

Is this malicious traffic? How do we block it?

Thank you.

Dick Conrad

------------------------------

Date:    Sat, 27 Oct 2001 15:54:28 -0400
From:    Andy Druda <[email protected]>
Subject: [FW1] FW1 error message

Did anyone ever find any information about this error message?

At 04:11 PM 4/24/01, Peter SoCalGuy wrote:

>Hello All,
>
>I have been getting the following error from my Firewall
>
>fwh323_hdr_analyze  header does not start with 03
>
>I have been researching this issue, but I can't seem to find much
>information about it. If anyone has any info regarding this message it will
>be greatly appreciated.
>
>Thanks,
>Pete

------------------------------

Date:    Sat, 27 Oct 2001 19:28:22 -0200
From:    Marinho Paiva Duarte <[email protected]>
Subject: Webmail Sites

Hi!!!

I would like to know how I may deny access to webmail sites in
Checkpoint Firewall-1.
We use NAT, and about 70% of the traffic across the firewall is people
downloading files from their external e-mails (like hotmail, yahoo...).
This is a big problem for us.
I have a little idea of how it can be done; some people said that it is
using URI (??), but I'm not sure.
Does anyone know how to do it??
Thank you.

Marinho Paiva Duarte


------------------------------

Date:    Sun, 28 Oct 2001 00:37:21 +0300
From:    Sezgin Bayrak <[email protected]>
Subject: Problem when rebooting LAN clients

We've installed Checkpoint FW-1 sp2 on NT Server sp6a
with two interfaces. One is the external one and the other
is internal, which is assigned as LAN where clients are
located. Everything looks fine about accessing the internet
but there's a strange problem with all clients (both with
hide and static address xlated clients):
After rebooting the clients they cannot ping or access the
internet for about 45 seconds, even though they can ping the internal
interface of FW-1 or any other client in LAN! But then after
some time they start to access the internet and never get out of
connection again.
This case is exactly the same for every client in the internal
network and repeats at every reboot.
Does anyone have any idea about this strange kind of
position?
We'll really appreciate any help.
Thank you

Sezgin Bayrak
Filpark Technologies
[email protected]

------------------------------

Date:    Sat, 27 Oct 2001 21:04:40 -0400
From:    "Olmstead, Frank M." <[email protected]>
Subject: <No subject given>

Hi all,
I just installed a new instance of FW-1 firewall on a separate PC. Then I
copied my object.c and rulebase.* into the PC. Is there a way to get my
SecureClient user dbase into the new machine?

Frank

------------------------------

End of FW-1-MAILINGLIST Digest - 26 Oct 2001 to 27 Oct 2001 (#2001-24)
**********************************************************************
