
[FW-1] CheckPoint FireWall-1 allows routing loop



Greetings!

While unraveling a prior undetected routing loop ("did work before we
split that firewall into two physical machines") I found that CheckPoint
Firewall-1 allows answer-packets exiting via a different interface than
the request came in (tested on the old version 4.1 SP4 - but quite
probably works on every other version, too).

CheckPoint's support (Track#, very fast response, thanks
guys) confirmed that the connections table does not keep track of which
interface the packet comes in or leaves the firewall except for
anti-spoofing rules. Routing is not done in their software, so this is
not a bug in their software.

Then let's call it an unexpected behaviour for a firewall that is not
documented well enough. Thus noted here again:

        CheckPoint FireWall-1 does not prevent or detect
        routing loops if done on the firewall machine.


Workaround and solution: implement a proper/clean routing table, check
proper routing by traffic analysis (packet trace) - CheckPoint
FireWall-1 won't prevent you from configuring an IP routing stupidity...


Bye

Volker Tanger
ITK-Security
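As an added example (not part of the original post or of any CheckPoint tool), here is a small Python check over a constructed per-interface packet trace that does what the workaround above recommends: it flags replies that leave the firewall host on a different interface than the request arrived on, and packets that keep re-arriving with a decreasing TTL, which is a routing loop through the host. The record format, addresses and interface names are assumptions.

```python
from collections import defaultdict

# Constructed sample trace, as an analyst might export it from per-interface
# captures on the firewall host. Assumed record format:
# (interface, direction, src, sport, dst, dport, ttl, ip_id)
SAMPLE_TRACE = [
    # Clean flow: request in on eth0, out eth1; reply back in eth1, out eth0.
    ("eth0", "in",  "10.1.1.5",   40000, "192.0.2.10", 80,    63, 1001),
    ("eth1", "out", "10.1.1.5",   40000, "192.0.2.10", 80,    62, 1001),
    ("eth1", "in",  "192.0.2.10", 80,    "10.1.1.5",   40000, 60, 2001),
    ("eth0", "out", "192.0.2.10", 80,    "10.1.1.5",   40000, 59, 2001),
    # Misrouted flow: request in on eth0, but the reply leaves via eth2; the
    # next hop on eth2 sends it straight back, so the same packet loops.
    ("eth0", "in",  "10.1.1.6",   40001, "192.0.2.20", 443,   63, 1002),
    ("eth1", "out", "10.1.1.6",   40001, "192.0.2.20", 443,   62, 1002),
    ("eth1", "in",  "192.0.2.20", 443,   "10.1.1.6",   40001, 60, 2002),
    ("eth2", "out", "192.0.2.20", 443,   "10.1.1.6",   40001, 59, 2002),
    ("eth2", "in",  "192.0.2.20", 443,   "10.1.1.6",   40001, 58, 2002),
    ("eth2", "out", "192.0.2.20", 443,   "10.1.1.6",   40001, 57, 2002),
    ("eth2", "in",  "192.0.2.20", 443,   "10.1.1.6",   40001, 56, 2002),
]


def asymmetric_replies(trace):
    """Flows whose reply left on a different interface than the request arrived on.

    Returns a list of (request 4-tuple, ingress interface, reply egress interface).
    """
    ingress = {}   # (src, sport, dst, dport) -> interface the request arrived on
    findings = []
    for iface, direction, src, sport, dst, dport, _ttl, _ip_id in trace:
        key = (src, sport, dst, dport)
        reverse = (dst, dport, src, sport)
        if direction == "in" and reverse not in ingress:
            ingress.setdefault(key, iface)          # first packet of a new request
        elif direction == "out" and reverse in ingress and ingress[reverse] != iface:
            finding = (reverse, ingress[reverse], iface)
            if finding not in findings:
                findings.append(finding)
    return findings


def looping_packets(trace):
    """(src, dst, ip_id) seen arriving more than once with a strictly decreasing TTL."""
    arrivals = defaultdict(list)
    for _iface, direction, src, _sp, dst, _dp, ttl, ip_id in trace:
        if direction == "in":
            arrivals[(src, dst, ip_id)].append(ttl)
    return [pkt for pkt, ttls in arrivals.items()
            if len(ttls) > 1 and all(a > b for a, b in zip(ttls, ttls[1:]))]
```

Run over a real export, a non-empty result from either function points at exactly the kind of routing mistake the firewall itself will not stop.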
