
Re: [FW-1] 4.1 and asymmetric routing



You could add a route to the firewall for that network pointing to the vpn
device or add the route to workstation or server if there is only one or two
of them.

Lloyd Young x4766
IT Security Administrator


 -----Original Message-----
From:   James Schnack [mailto:[email protected]]
Sent:   Thursday, April 11, 2002 06:39 PM
To:     [email protected]
Subject:        Re: [FW-1] 4.1 and asymmetric routing

I would DEFINITELY NOT consider that as an option. That would mean that the
FW would not stop non-SYN incoming packets not related to any known
sessions, therefore making your inside network vulnerable to attacks.
Just my opinion...
James


>From: Theo van den Beld <[email protected]>
>Reply-To: Mailing list for discussion of Firewall-1
><[email protected]>
>To: [email protected]
>Subject: Re: [FW-1] 4.1 and asymmetric routing
>Date: Thu, 11 Apr 2002 13:41:07 +0200
>
>There is a way to do it but it is changing the behaviour of the whole
>firewall and I would not recommend it.
>
>uncomment the line: #define NON_SYN_RULEBASE_MATCH_LOG in the file
>fwui_head.def
>
>Regards,
>
>Theo
>
>
>-----Original Message-----
>From: Mailing list for discussion of Firewall-1
>[mailto:[email protected]]On Behalf Of Jörg
>Oertel
>Sent: Thursday, April 11, 2002 10:19 AM
>To: [email protected]
>Subject: Re: [FW-1] 4.1 and asymmetric routing
>
>
>Gordon, seems you need to put a router between your LAN, the Firewall
>and the VPN appliance.
>You're right with the description, why FW-1 drops the SYN-ACK. You can't
>get FW-1 to accept SYN-ACKs without seeing the appropriate SYNs before.
>
>
>"Morrison, Gordon" wrote:
> >
> > I am looking at deploying 4.1 on a LAN that has previously had 4.0 and am
> > encountering a difficulty.  It appears that FW1 doesn't like the fact that
> > the VPN appliance dumps packets directly onto the LAN without passing them
> > through the firewall first.  (The firewall is the default gateway for the
> > LAN).  What seems to be happening is that a user in a remote office will
> > make a request to a server in the office with the 4.1 firewall, sending
> > their SYN.  When the server responds with a SYN-ACK to its default gateway
> > (the 4.1 firewall), the firewall doesn't like the fact that it didn't see
> > the SYN first and drops the packet.  In 4.0 this didn't seem to be a
> > problem.
> >
> > My question is: Is there any way to get 4.1 to behave this way as well? I
> > have tried modifying the fw_head.def file per the phoneboy web site to no
> > avail.
> >
> > My other options are to set the VPN appliance as the default gateway or put
> > it on a separate subnet with the firewall as its default gateway....or any
> > other creative thoughts people might have...
> >
> > Thanks,
> > /Gordon
>
>
>Kind regards
>Jörg
>
>--
>Joerg Oertel            Tel:02225/8820
>MOSAIC SOFTWARE AG      Fax:02225/882201
>Feldstraße 8            e-mail:[email protected]
>53340 Meckenheim        www.mosaic-ag.com
>
>=================================================
>To set vacation, Out Of Office, or away messages,
>send an email to [email protected]
>in the BODY of the email add:
>set fw-1-mailinglist nomail
>=================================================
>To unsubscribe from this mailing list,
>please see the instructions at
>http://www.checkpoint.com/services/mailing.html
>=================================================
>If you have any questions on how to change your
>subscription options, email
>[email protected]
>=================================================
>






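As an added illustration (not code from the thread or from Check Point), here is a small Python model of the stateful check Gordon and Jörg describe: a non-SYN TCP packet is dropped unless the firewall has already seen that connection's SYN. It runs the thread's asymmetric path (SYN in through the VPN appliance, SYN-ACK out via the firewall as default gateway), Lloyd's host-route alternative where the server hands its reply to the VPN device directly, and the non-SYN fall-through Theo mentions, including the unsolicited packet that fall-through then lets in. The addresses and the allow_non_syn switch are constructed for the example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    flags: str  # "S" = SYN, "SA" = SYN-ACK, "A" = ACK

class StatefulFirewall:
    """Model of the 4.1 behaviour in the thread: a non-SYN packet is dropped
    unless the firewall already saw the SYN of that connection. allow_non_syn
    is a constructed stand-in for the fwui_head.def change: non-SYN packets
    fall through to the rulebase and, in this model, are accepted."""
    def __init__(self, allow_non_syn=False):
        self.sessions = set()          # 4-tuples whose SYN this firewall saw
        self.allow_non_syn = allow_non_syn
        self.log = []

    def inspect(self, pkt):
        fwd = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        rev = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if pkt.flags == "S":
            self.sessions.add(fwd)     # SYN seen: remember the connection
            return "accept"
        if fwd in self.sessions or rev in self.sessions:
            return "accept"            # reply/continuation of a known session
        verdict = "accept" if self.allow_non_syn else "drop"
        self.log.append(f"{verdict}: non-SYN packet with no session {pkt}")
        return verdict

# Constructed addresses for the topology described in the thread.
FW, VPN, SERVER, REMOTE = "10.0.0.1", "10.0.0.2", "10.0.0.10", "192.168.5.20"

def handshake(fw, server_next_hop):
    """The remote user's SYN arrives through the VPN appliance straight onto
    the LAN, so the firewall never inspects it. The server's SYN-ACK goes to
    server_next_hop; only if that is the firewall is it inspected."""
    synack = Packet(SERVER, REMOTE, 80, 40000, "SA")
    if server_next_hop == FW:
        return fw.inspect(synack)      # default gateway is the firewall
    return "accept"                    # host route to the VPN device: symmetric

def stray_ack(fw):
    """An unsolicited ACK from outside with no SYN ever seen (James's concern)."""
    return fw.inspect(Packet("203.0.113.9", SERVER, 5555, 445, "A"))
```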



 
----------------------------------

ABOUT SERVICES PRODUCTS TRAINING CONTACT US SEARCH SUPPORT SITE MAP LEGAL
   All contents © 2004 Network Presence, LLC. All rights reserved.