
Re: [FW-1] 4.1 and asymmetric routing



Thanks, that is what was recommended from the phoneboy website, but seemed
to have no impact. In neither case has SYN attack protection been enabled
either (to eliminate it from the equation).  I didn't know if there was some
other setting I was missing out on....

Thanks again,
Gordon

-----Original Message-----
From: Theo van den Beld [mailto:[email protected]]
Sent: Thursday, April 11, 2002 7:41 AM
To: [email protected]
Subject: Re: [FW-1] 4.1 and asymetric routing


There is a way to do it but it is changing the behaviour of the whole
firewall and I would not recommend it.

uncomment the line: #define NON_SYN_RULEBASE_MATCH_LOG in the file
fwui_head.def

Regards,

Theo


-----Original Message-----
From: Mailing list for discussion of Firewall-1
[mailto:[email protected]]On Behalf Of Jörg
Oertel
Sent: Thursday, April 11, 2002 10:19 AM
To: [email protected]
Subject: Re: [FW-1] 4.1 and asymetric routing


Gordon, seems you need to put a router between your LAN, the Firewall
and the VPN appliance.
You're right with the description of why FW-1 drops the SYN-ACK. You can't
get FW-1 to accept SYN-ACKs without seeing the appropriate SYNs before.


"Morrison, Gordon" schrieb:
>
> I am looking at deploying 4.1 on a LAN that has previously had 4.0 and am
> encountering a difficulty.  It appears that FW1 doesn't like the fact that
> the VPN appliance dumps packets directly onto the LAN without passing them
> through the firewall first.  (The firewall is the default gateway for the
> LAN).  What seems to be happening is that a user in a remote office will
> make a request to a server in the office with the 4.1 firewall, sending
> their SYN.  When the server responds with a SYN-ACK to its default gateway
> (the 4.1 firewall), the firewall doesn't like the fact that it didn't see
> the SYN first and drops the packet.  In 4.0 this didn't seem to be a
> problem.
>
> My question is: Is there any way to get 4.1 to behave this way as well?  I
> have tried modifying the fw_head.def file per the phoneboy web site to no
> avail.
>
> My other options are to set the VPN appliance as the default gateway or put
> it on a separate subnet with the firewall as its default gateway....or any
> other creative thoughts people might have...
>
> Thanks,
> /Gordon


Mit freundlichen Grüßen/Kind regards
Jörg

--
Joerg Oertel            Tel:02225/8820
MOSAIC SOFTWARE AG      Fax:02225/882201
Feldstraße 8            e-mail:[email protected]
53340 Meckenheim        www.mosaic-ag.com

=================================================
To set vacation, Out Of Office, or away messages,
send an email to [email protected]
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
[email protected]
=================================================



___________________NOTICE____________________________
This electronic mail transmission contains confidential information intended
only for the person(s) named. Any use, distribution, copying or disclosure
by any other person is strictly prohibited. If you received this
transmission in error, please notify the sender by reply e-mail and then
destroy the message. Opinions, conclusions, and other information in this
message that do not relate to the official business of Bain & Company shall
be understood to be neither given nor endorsed by the Company. When
addressed to Bain clients, any information contained in this e-mail is
subject to the terms and conditions in the governing client contract.

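The behaviour discussed in this thread (a SYN-ACK arriving at the firewall with no preceding SYN in its connection table is dropped, and the optional "non-SYN rulebase match" that Theo warns changes the firewall's behaviour globally) can be illustrated with a toy stateful-inspection model. This is an added example written for this archive page, not Check Point code, and it does not reproduce what fwui_head.def actually does; the `non_syn_rulebase_match` switch, the addresses, ports and rulebase are all constructed assumptions. It replays Gordon's asymmetric topology (the VPN appliance delivers the remote SYN straight onto the LAN; only the server's SYN-ACK transits the firewall, because the firewall is the default gateway) beside Jörg's symmetric one (both directions pass the firewall).

```python
"""Toy model of a stateful firewall's TCP connection table (added example).

Not Check Point code.  Shows why a SYN-ACK that reaches the firewall without a
matching SYN in its state table is dropped, why routing both directions
through the firewall fixes it, and what a global "non-SYN rulebase match"
would cost in terms of inspection strength.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    flags: str  # "SYN", "SYN-ACK" or "ACK"


@dataclass
class StatefulFirewall:
    # Rulebase: (server address, port) pairs a client is allowed to open.
    rulebase: set = field(default_factory=set)
    # Connection table keyed by (client, server, client port, server port).
    connections: dict = field(default_factory=dict)
    # Assumption modelled on Theo's remark: when True, a non-SYN segment with
    # no table entry is matched against the rulebase instead of being dropped.
    non_syn_rulebase_match: bool = False
    log: list = field(default_factory=list)

    @staticmethod
    def _forward(p):
        return (p.src, p.dst, p.sport, p.dport)

    @staticmethod
    def _reverse(p):
        return (p.dst, p.src, p.dport, p.sport)

    def _drop(self, p, reason):
        self.log.append(f"drop {p.src}:{p.sport}->{p.dst}:{p.dport} {p.flags}: {reason}")
        return "drop"

    def inspect(self, p):
        """Return 'accept' or 'drop' for one segment and update the table."""
        if p.flags == "SYN":
            if (p.dst, p.dport) in self.rulebase:
                self.connections[self._forward(p)] = "SYN_SEEN"
                return "accept"
            return self._drop(p, "SYN denied by rulebase")

        # Any other segment must belong to a connection the firewall saw open.
        if self._forward(p) in self.connections or self._reverse(p) in self.connections:
            if p.flags == "SYN-ACK":
                self.connections[self._reverse(p)] = "ESTABLISHED"
            return "accept"

        # Optional fallback: treat the server side of the stray segment as the
        # service being opened and consult the rulebase (the behaviour change
        # the thread advises against, modelled here only for comparison).
        if self.non_syn_rulebase_match:
            server_side = (p.src, p.sport) if p.flags == "SYN-ACK" else (p.dst, p.dport)
            if server_side in self.rulebase:
                key = self._reverse(p) if p.flags == "SYN-ACK" else self._forward(p)
                self.connections[key] = "ESTABLISHED"
                self.log.append(f"accept {p.flags} without SYN via rulebase match")
                return "accept"
        return self._drop(p, "no matching connection (SYN not seen)")


# Constructed sample topology: LAN web server behind the firewall,
# remote VPN client on the other side.
RULEBASE = {("10.1.1.20", 443)}
CLIENT, SERVER, CPORT, SPORT = "192.168.5.10", "10.1.1.20", 40000, 443


def asymmetric_scenario(non_syn_match=False):
    """VPN appliance injects the SYN onto the LAN; only the SYN-ACK transits
    the firewall (it is the LAN's default gateway)."""
    fw = StatefulFirewall(rulebase=set(RULEBASE), non_syn_rulebase_match=non_syn_match)
    syn_ack = Packet(SERVER, CLIENT, SPORT, CPORT, "SYN-ACK")
    return fw.inspect(syn_ack)


def symmetric_scenario():
    """Router in front of the VPN appliance: both directions pass the firewall."""
    fw = StatefulFirewall(rulebase=set(RULEBASE))
    syn = Packet(CLIENT, SERVER, CPORT, SPORT, "SYN")
    syn_ack = Packet(SERVER, CLIENT, SPORT, CPORT, "SYN-ACK")
    return fw.inspect(syn), fw.inspect(syn_ack)


def stray_segment(non_syn_match=False):
    """A SYN-ACK for a service no rule permits stays dropped either way."""
    fw = StatefulFirewall(rulebase=set(RULEBASE), non_syn_rulebase_match=non_syn_match)
    return fw.inspect(Packet("10.1.1.99", CLIENT, 22, CPORT, "SYN-ACK"))


if __name__ == "__main__":
    print("asymmetric, stock:        ", asymmetric_scenario())        # drop
    print("asymmetric, non-SYN match:", asymmetric_scenario(True))    # accept
    print("symmetric:                ", symmetric_scenario())         # accept, accept
    print("stray, non-SYN match:     ", stray_segment(True))          # drop
```

The point of the comparison is the one made in the thread: the stock behaviour drops Gordon's SYN-ACK not because of a rule but because the firewall has no evidence the handshake began, and enabling a non-SYN rulebase match buys the asymmetric path at the price of accepting mid-stream segments for every permitted service without ever having seen them open. Putting a router between the LAN, the firewall and the VPN appliance (or the subnet change Gordon lists) restores a path where the SYN and SYN-ACK both cross the firewall, which is the state the model's symmetric scenario shows.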
