[FW-1] CheckPoint FireWall-1 allows routing loop
Greetings!

While unraveling a prior undetected routing loop ("did work before we split that firewall into two physical machines") I found that CheckPoint Firewall-1 allows answer-packets exiting via a different interface than the request came in (tested on the old version 4.1 SP4 - but quite probably works on every other version, too).

CheckPoint's support (Track#, very fast response, thanks guys) confirmed that the connections table does not keep track of which interface the packet comes in or leaves the firewall, except for anti-spoofing rules. Routing is not done in their software, so this is not a bug in their software. Then let's call it an unexpected behaviour for a firewall that is not documented well enough.

Thus noted here again: CheckPoint FireWall-1 does not prevent or detect routing loops if done on the firewall machine.

Workaround and solution: implement a proper/clean routing table, check proper routing by traffic analysis (packet trace) - CheckPoint FireWall-1 won't prevent you from configuring an IP routing stupidity...

Bye

Volker Tanger
ITK-Security
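The packet-trace check recommended in the post, as an added example that is not part of the original message and not CheckPoint code: a small Python script that reads a per-interface capture and flags (a) flows whose reply leaves the firewall on a different interface than the request entered on, which is exactly the behaviour FW-1's connection table will not catch, and (b) datagrams that re-enter the firewall with a falling TTL, the signature of a routing loop. The record layout, interface names and addresses are constructed assumptions standing in for what tcpdump on each interface (or fw monitor) would give you; the `'i'`/`'o'` direction flags and the `ip_id`-based loop matching are this example's own conventions.

```python
"""Find asymmetric reply paths and routing loops in a per-interface packet trace.

Added example, not from the original post. The trace is a constructed
simplification: one record per packet per crossing of the firewall.
"""
from collections import defaultdict

# Constructed sample trace (hypothetical addresses and interface names).
# Fields: seq, interface, direction ('i' = into the firewall, 'o' = out of it),
#         src, dst, "proto/sport>dport", IP identification field, TTL.
SAMPLE_TRACE = [
    # Flow A, clean: request in eth0 / out eth1, reply in eth1 / out eth0.
    (1, "eth0", "i", "10.1.1.5", "192.0.2.10", "tcp/40001>80", 1001, 64),
    (2, "eth1", "o", "10.1.1.5", "192.0.2.10", "tcp/40001>80", 1001, 63),
    (3, "eth1", "i", "192.0.2.10", "10.1.1.5", "tcp/80>40001", 7001, 60),
    (4, "eth0", "o", "192.0.2.10", "10.1.1.5", "tcp/80>40001", 7001, 59),
    # Flow B, asymmetric: request in eth0, but the reply leaves via eth2.
    (5, "eth0", "i", "10.1.1.6", "192.0.2.20", "tcp/40002>443", 1002, 64),
    (6, "eth1", "o", "10.1.1.6", "192.0.2.20", "tcp/40002>443", 1002, 63),
    (7, "eth1", "i", "192.0.2.20", "10.1.1.6", "tcp/443>40002", 7002, 60),
    (8, "eth2", "o", "192.0.2.20", "10.1.1.6", "tcp/443>40002", 7002, 59),
    # Flow C, routing loop: the same datagram (ip_id 1003) keeps coming back
    # in on eth2 after being sent out on eth2, TTL dropping by one per hop.
    (9, "eth0", "i", "10.1.1.7", "198.51.100.9", "udp/5000>53", 1003, 64),
    (10, "eth2", "o", "10.1.1.7", "198.51.100.9", "udp/5000>53", 1003, 63),
    (11, "eth2", "i", "10.1.1.7", "198.51.100.9", "udp/5000>53", 1003, 62),
    (12, "eth2", "o", "10.1.1.7", "198.51.100.9", "udp/5000>53", 1003, 61),
    (13, "eth2", "i", "10.1.1.7", "198.51.100.9", "udp/5000>53", 1003, 60),
]


def parse_ports(spec):
    """'tcp/40001>80' -> ('tcp', 40001, 80)."""
    proto, ports = spec.split("/")
    sport, dport = ports.split(">")
    return proto, int(sport), int(dport)


def flow_key(rec):
    """Direction-independent key so request and reply land in the same flow."""
    _, _, _, src, dst, spec, _, _ = rec
    proto, sport, dport = parse_ports(spec)
    return (proto,) + tuple(sorted([(src, sport), (dst, dport)]))


def find_asymmetric(trace):
    """Return {flow: (request ingress iface, reply egress iface)} where they differ.

    The first inbound packet of a flow defines the initiator endpoint and the
    ingress interface; any outbound packet in the opposite direction is a reply
    and should leave on that same interface.
    """
    ingress = {}  # flow -> ((src, sport) of initiator, interface request arrived on)
    bad = {}
    for rec in trace:
        _, iface, direction, src, _, spec, _, _ = rec
        key = flow_key(rec)
        _, sport, _ = parse_ports(spec)
        if key not in ingress:
            if direction == "i":
                ingress[key] = ((src, sport), iface)
            continue
        initiator, in_if = ingress[key]
        if direction == "o" and (src, sport) != initiator and iface != in_if:
            bad[key] = (in_if, iface)
    return bad


def find_loops(trace):
    """Return [(datagram id, [(seq, iface, ttl), ...])] for datagrams that enter
    the firewall more than once with strictly decreasing TTL.

    Matching on (src, dst, ports, ip_id) alone would false-positive on IP ID
    reuse in a long trace; requiring the TTL to fall on every re-entry is what
    makes it a loop rather than a retransmission.
    """
    seen = defaultdict(list)
    for seq, iface, direction, src, dst, spec, ip_id, ttl in trace:
        if direction == "i":
            seen[(src, dst, spec, ip_id)].append((seq, iface, ttl))
    loops = []
    for dgram, hits in seen.items():
        ttls = [t for _, _, t in hits]
        if len(hits) >= 2 and all(a > b for a, b in zip(ttls, ttls[1:])):
            loops.append((dgram, hits))
    return loops


def report(trace):
    """Human-readable findings, one line per problem."""
    lines = []
    for key, (in_if, out_if) in find_asymmetric(trace).items():
        lines.append(f"ASYMMETRIC {key}: request in {in_if}, reply out {out_if}")
    for dgram, hits in find_loops(trace):
        path = " -> ".join(f"{iface}(ttl {ttl})" for _, iface, ttl in hits)
        lines.append(f"LOOP {dgram}: entered {len(hits)} times: {path}")
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_TRACE):
        print(line)
```

Feeding a real capture into this means writing a line parser for your tool's output and tagging each record with the interface it was taken on; the two checks themselves do not depend on the capture format. Flow B is the case from the post: the firewall forwards the reply happily, because the connection table only knows the 5-tuple, not the interfaces, and the anti-spoofing rules only look at source addresses.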