Search

	display results
words begin exact words any words part

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [FW-1] IPSO 330 routing redirect question

To: [email protected]
Subject: Re: [FW-1] IPSO 330 routing redirect question
From: Dan Hitchcock <[email protected]>
Date: Wed, 3 Apr 2002 10:15:53 -0800
Reply-to: Mailing list for discussion of Firewall-1 <[email protected]>
Sender: Mailing list for discussion of Firewall-1 <[email protected]>

Title: RE: [FW-1] IPSO 330 routing redirect question

Two possible solutions:

- Block the icmp-redirect messages (e.g. source (fw) -- dst (any) -- service (redirect) -- action (drop) ), such that the firewall continues to route the traffic, and build corresponding rule(s) on the firewall to allow the traffic.

- Use the router as the clients' default gateway (this is a more common solution).

Relying on icmp-redirects to maintain traffic flow through your internetwork is generally not considered a best practice.

Hope that helps -

Dan Hitchcock
CCNP, CCSE, MCSE
Security Operations Technical Lead
Breakwater Security Associates, Inc.
"Safe Harbor for E-Business"
dhitchcock (at) breakwatersecurity (dot) com
http://www.breakwatersecurity.com
work

The information contained in this email message may be privileged, confidential and protected from disclosure. If you are not the intended recipient, any dissemination, distribution or copying is strictly prohibited. If you think you have received this email message in error, please email the sender at dhitchcock (at) breakwatersecurity (dot) com

-----Original Message-----
From: Scott Friedman [mailto:[email protected]]
Sent: Wednesday, April 03, 2002 8:26 AM
To: [email protected]
Subject: [FW-1] IPSO 330 routing redirect question

Here in our office we have an IPSO 330 running Checkpoint FW-1 4.1

We have static routes that route you from one point inside our network
to another internal network over another router..

When LAN 1 sends a packet destined for LAN 2 and the Firewall is the
default gateway, the firewall
sends out an ICMP redirect to the sending workstation telling it that
in order to get to Network 2 it needs to
send it's packets through the cisco router.

The problem we're having is using NetBIOS for this.. the Netbios
packets won't get redirected because it doesn't get the route update. if
we PING first, then it gets the route update, and the Netbios packets go
through.

Anyone experience this with either NetBIOS (or UDP in general perhaps)
not getting ICMP redirect route updates?

Thanks

Scott J. Friedman, MCSE CCSE CCNA
Security & Cisco Routing Engineer
LDMI / Ideal Technology Solutions, U.S.
Email : [email protected]
Phone :
www.itsusnow.com
www.ldmi.com

=================================================
To set vacation, Out Of Office, or away messages,
send an email to [email protected]
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
[email protected]
=================================================

Prev by Date: Re: [FW-1] VP-1 to M$ tunnel?
Next by Date: Re: [FW-1] VP-1 to M$ tunnel?
Previous by thread: [FW-1] IPSO 330 routing redirect question
Next by thread: [FW-1] VP-1 to M$ tunnel?
Index(es):
- Date
- Thread