
[FW-1] Strange routing problems with FW1 running



Hello!

I have been trying to nail down a routing issue for some time, but I'm still
having difficulty.  The problem appears only with FW1 running...routing is
fine when stopped.  Here is my setup (addresses faked for security):

ISP block:  200.200.200.32/27
I divided into 2 subnets:  200.200.200.32/28   and   200.200.200.48/28
DMZ net:  200.200.200.48/28   with mail relay at 200.200.200.50/28
FW IP:  200.200.200.46/28
default gw:  200.200.200.33
Internal mail server:  192.168.1.10/24
Static route on router:  200.200.200.48/28 --> 200.200.200.46 (fw)
3 IP interfaces on FW:
   200.200.200.46/28 (ext if)   spoof track:  Others
   200.200.200.49/28 (dmz net)  spoof track:  This net
   192.168.1.0/24 (int net)   spoof track: Specific (Valid-addresses)

Hope this paints an initial picture.  Here is my issue.
With the above setup, everything works fine!  The most important is the
relaying between the mail servers.  The internal mail server only forwards
all messages to the mail relay and the mail relay receives and sends to the
Internet and receives or sends to the internal mail server.  HOWEVER, I am
switching ISPs.  So, to make things simple, I just transpose all addresses
to fit the new IP block.  So far so good.  Without FW1 running, all routing
works as expected, BUT, when I start FW1, almost all packets (TCP) to the
mail relay (for SMTP) drop on Rule 0 ("unknown established TCP connection")
and the internal mail server cannot establish a 2-way connection to the mail
relay.  I can ping it ok, but SMTP just hangs as if waiting for a SYN ACK or
something.  As soon as I stop the firewall, all traffic flows normally. (By
the way, I do have to stop FW1 from controlling IP forwarding to do this.)

I would expect this to be a spoof tracking problem, but with the exact same
configuration, why would it work with the previous ISP block??  Is there an
ARP cache problem somewhere that is clinging to the previous IP addresses?

I don't agree with other messages in the group stating that Rule 0 drops are
normal and you should just turn off the logging...in my case it shows there
is a major problem somewhere.

I would like to get into a dialogue to discuss this problem, online or
offline, please.

Thanks for any help in advance!!

-Chris
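Added example (not Chris's code and not a Check Point tool): a small Python model of the three spoof-track modes named in the post, applied to the interface table Chris gave, so the SMTP relay path can be walked hop by hop and any source/interface pair that anti-spoofing would reject is listed. The mode semantics are the usual simplified ones (This net = the interface's own subnet, Specific = an explicit group, Others = anything no other interface claims); the Internet address 198.51.100.7 is constructed for the check.

```python
# Added example: model FW-1 style anti-spoofing ("spoof track") for the
# interfaces in the post and check the mail-relay flow in both directions.
# Simplified semantics (assumption): This net -> interface subnet,
# Specific -> explicit group, Others -> anything not claimed elsewhere.
from ipaddress import ip_address, ip_network

# Interface table transcribed from the post (the poster's faked addresses).
INTERFACES = {
    "ext": {"net": ip_network("200.200.200.32/28"), "mode": "others",
            "valid": []},
    "dmz": {"net": ip_network("200.200.200.48/28"), "mode": "this_net",
            "valid": []},
    "int": {"net": ip_network("192.168.1.0/24"), "mode": "specific",
            "valid": [ip_network("192.168.1.0/24")]},
}


def claimed_by(iface):
    """Networks an interface explicitly claims as legitimate sources.
    'Others' claims nothing explicitly; it is defined by exclusion."""
    cfg = INTERFACES[iface]
    if cfg["mode"] == "this_net":
        return [cfg["net"]]
    if cfg["mode"] == "specific":
        return list(cfg["valid"])
    return []


def is_spoofed(iface, src):
    """True if anti-spoofing would reject a packet with source `src`
    arriving on `iface`."""
    addr = ip_address(src)
    if INTERFACES[iface]["mode"] == "others":
        # Legitimate only if no other interface claims this source.
        return any(addr in net for other in INTERFACES if other != iface
                   for net in claimed_by(other))
    return not any(addr in net for net in claimed_by(iface))


def check_smtp_path():
    """Walk the relay flow from the post: the internal mail server's SYN
    arrives on the internal interface, the relay's SYN/ACK arrives on the
    DMZ interface. Returns the (iface, src) pairs anti-spoofing rejects."""
    hops = [("int", "192.168.1.10"), ("dmz", "200.200.200.50")]
    return [(iface, src) for iface, src in hops if is_spoofed(iface, src)]


if __name__ == "__main__":
    print("rejected hops:", check_smtp_path())          # expect []
    print("internal src on ext if:", is_spoofed("ext", "192.168.1.10"))
    print("Internet src on ext if:", is_spoofed("ext", "198.51.100.7"))
```

An empty result means the posted topology is self-consistent under these semantics, so the anti-spoofing table itself is not where the renumbered addresses disagree.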

=================================================
To set vacation, Out Of Office, or away messages,
send an email to [email protected]
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
[email protected]
=================================================

   All contents © 2004 Network Presence, LLC. All rights reserved.