
Re: [FW-1] 4.1 and asymmetric routing



I would DEFINITELY NOT consider that as an option. That would mean that the
FW would not stop non-SYN incoming packets not related to any known
sessions, therefore making your inside network vulnerable to attacks.
Just my opinion...
James


From: Theo van den Beld <[email protected]>
Reply-To: Mailing list for discussion of Firewall-1
<[email protected]>
To: [email protected]
Subject: Re: [FW-1] 4.1 and asymmetric routing
Date: Thu, 11 Apr 2002 13:41:07 +0200

There is a way to do it but it is changing the behaviour of the whole
firewall and I would not recommend it.

uncomment the line: #define NON_SYN_RULEBASE_MATCH_LOG in the file
fwui_head.def

Regards,

Theo


-----Original Message-----
From: Mailing list for discussion of Firewall-1 [mailto:[email protected]] On Behalf Of Jörg Oertel
Sent: Thursday, April 11, 2002 10:19 AM
To: [email protected]
Subject: Re: [FW-1] 4.1 and asymmetric routing


Gordon, it seems you need to put a router between your LAN, the Firewall and the VPN appliance. You're right with the description of why FW-1 drops the SYN-ACK. You can't get FW-1 to accept SYN-ACKs without seeing the appropriate SYNs before.


"Morrison, Gordon" wrote:
>
> I am looking at deploying 4.1 on a LAN that has previously had 4.0 and am
> encountering a difficulty. It appears that FW1 doesn't like the fact that
> the VPN appliance dumps packets directly onto the LAN without passing them
> through the firewall first. (The firewall is the default gateway for the
> LAN). What seems to be happening is that a user in a remote office will
> make a request to a server in the office with the 4.1 firewall, sending
> their SYN. When the server responds with a SYN-ACK to its default gateway
> (the 4.1 firewall), the firewall doesn't like the fact that it didn't see
> the SYN first and drops the packet. In 4.0 this didn't seem to be a
> problem.
>
> My question is: Is there any way to get 4.1 to behave this way as well? I
> have tried modifying the fw_head.def file per the phoneboy web site to no
> avail.
>
> My other options are to set the VPN appliance as the default gateway or put
> it on a separate subnet with the firewall as its default gateway....or any
> other creative thoughts people might have...
>
> Thanks,
> /Gordon


Kind regards,
Jörg

--
Joerg Oertel            Tel:02225/8820
MOSAIC SOFTWARE AG      Fax:02225/882201
Feldstraße 8            e-mail:[email protected]
53340 Meckenheim        www.mosaic-ag.com

=================================================
To set vacation, Out Of Office, or away messages,
send an email to [email protected]
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
[email protected]
=================================================






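The two behaviours argued over in this thread, as an added example that is not part of the original posts and is not Check Point code: a toy model of a stateful TCP inspector in the style of FW-1. The default mode only admits a session on a rulebase-permitted SYN and drops every other packet with no session entry, which is exactly why Gordon's server-to-client SYN-ACK is dropped when the VPN appliance delivered the client's SYN straight onto the LAN. The `non_syn_rulebase_match` flag is an assumed model of the define Theo mentions: a non-SYN packet with no session is matched against the rulebase instead of being dropped. The addresses, ports and rules are constructed for the example, and the actual semantics of the FW-1 define are not stated on the page.

```python
"""Toy stateful TCP inspector (constructed example, not Check Point code).

Models why a SYN-ACK with no prior SYN is dropped under asymmetric routing,
and what is lost if non-SYN packets are instead matched against the rulebase.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

SYN = 0x02
ACK = 0x10


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    flags: int


@dataclass(frozen=True)
class Rule:
    src: str             # CIDR
    dst: str             # CIDR
    dport: Optional[int]  # None = any destination port

    def matches(self, p: Packet) -> bool:
        return (ipaddress.ip_address(p.src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(p.dst) in ipaddress.ip_network(self.dst)
                and (self.dport is None or self.dport == p.dport))


class StatefulFirewall:
    def __init__(self, rules, non_syn_rulebase_match=False):
        self.rules = list(rules)
        # assumed model of Theo's define: rule-match non-SYN packets that have
        # no session entry instead of dropping them
        self.non_syn_rulebase_match = non_syn_rulebase_match
        self.sessions = set()  # canonical 4-tuples of admitted connections

    @staticmethod
    def _key(p: Packet):
        a, b = (p.src, p.sport), (p.dst, p.dport)
        return (a, b) if a <= b else (b, a)

    def _rulebase_allows(self, p: Packet) -> bool:
        return any(r.matches(p) for r in self.rules)

    def process(self, p: Packet) -> str:
        key = self._key(p)
        if key in self.sessions:
            return "accept: known session"
        is_syn = bool(p.flags & SYN) and not (p.flags & ACK)
        if is_syn:
            if self._rulebase_allows(p):
                self.sessions.add(key)
                return "accept: new session"
            return "drop: rulebase"
        # Non-SYN packet with no session entry.
        if self.non_syn_rulebase_match and self._rulebase_allows(p):
            self.sessions.add(key)
            return "accept: non-SYN rulebase match"
        return "drop: no session for non-SYN packet"


# Constructed rulebase: LAN 10.1.1.0/24 behind the firewall, web server
# 10.1.1.10, remote office 10.2.2.0/24 reached through the VPN appliance.
RULES = [
    Rule("0.0.0.0/0", "10.1.1.10/32", 80),   # anyone -> web server
    Rule("10.1.1.0/24", "0.0.0.0/0", None),  # LAN -> anywhere
]


def asymmetric_syn_ack(non_syn_rulebase_match: bool) -> str:
    """Gordon's case: the client's SYN arrived via the VPN appliance and the
    firewall never saw it; only the server's SYN-ACK reaches the firewall."""
    fw = StatefulFirewall(RULES, non_syn_rulebase_match)
    syn_ack = Packet("10.1.1.10", "10.2.2.5", 80, 40000, SYN | ACK)
    return fw.process(syn_ack)


def unsolicited_ack_probe(non_syn_rulebase_match: bool) -> str:
    """James's objection: a bare ACK from the Internet with no handshake."""
    fw = StatefulFirewall(RULES, non_syn_rulebase_match)
    probe = Packet("203.0.113.9", "10.1.1.10", 51515, 80, ACK)
    return fw.process(probe)


if __name__ == "__main__":
    for mode in (False, True):
        print(f"non_syn_rulebase_match={mode}:")
        print("  server SYN-ACK  ->", asymmetric_syn_ack(mode))
        print("  outside ACK probe ->", unsolicited_ack_probe(mode))
```

Running it shows the trade-off the thread describes: with the default behaviour the SYN-ACK is dropped and so is the unsolicited ACK; with non-SYN rulebase matching the SYN-ACK passes, but so does any non-SYN packet that merely matches a rule, and it even creates a session entry for a 4-tuple the inside host never opened. The rulebase still applies in both modes; what is given up is the requirement that the firewall witnessed the handshake.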



   All contents © 2004 Network Presence, LLC. All rights reserved.