RE: Firewall for new small company

2002-01-14 Thread ext-Harri . Kotakoski
The correct choice depends on the administrators' knowledge level of different operating systems. If you don't have any Linux/*BSD specialists on board (who will also commit to keeping the system up to date) I would recommend choosing some small hardware-based firewall solution. Price will be quite

RE: Sonicwall Soho2

2002-01-11 Thread ext-Harri . Kotakoski
From: ext Dave Crocker [mailto:[EMAIL PROTECTED]] Too late. Things are already confused, namely about the technical distinction between bridge and router. Not really. You think that Sonicwall is a router and I know that it's not. However, I made a mistake by stating that it is a bridge, I

RE: Sonicwall Soho2

2002-01-11 Thread ext-Harri . Kotakoski
There are some additional benefits of a transparent bridge compared to a routing firewall: 1. The firewall can be completely transparent. The only way to know that the device even exists is to have devices on both sides of the firewall and port scan through the firewall (or by physically checking this fact). 2.

RE: Sonicwall Soho2

2002-01-10 Thread ext-Harri . Kotakoski
From: ext Dave Crocker [mailto:[EMAIL PROTECTED]] At 10:56 AM 1/9/2002 +0200, [EMAIL PROTECTED] wrote: Well, first thing to understand is that Sonicwall is a transparent bridge, not a router. The Sonicwall Soho (not 2) that I have had for a couple of years is a router. It also does NAT and

RE: Can sniffers act in remote networks?

2002-01-10 Thread ext-Harri . Kotakoski
In a way yes. You will have to get the information somehow to the sniffer's network interface. It is possible to define network devices to forward network traffic to some interface for this purpose. And you can also fool network components, for instance by ARP table poisoning, to send traffic to

RE: Sonicwall Soho2

2002-01-09 Thread ext-Harri . Kotakoski
Well, first thing to understand is that Sonicwall is a transparent bridge, not a router. This means that you will have to think differently with Sonicwall when you are making your routing considerations. Sonicwall is capable of generating ICMP redirect messages, which is somehow called routing, but

RE: IP Issues

2002-01-08 Thread ext-Harri . Kotakoski
That is normal behaviour in FW-1. You should try to reduce the MTU of the client. Another reason might be routing, but I doubt it. The server end is probably filtering ICMP, as someone said earlier. rgds, Harri -Original Message- From: ext Laura Folden [mailto:[EMAIL PROTECTED]] Sent: 08

RE: IPTABLES log entry

2002-01-03 Thread ext-Harri . Kotakoski
ICMP type 3 code 1 is host unreachable. And the entry is referring to one packet only (with information about the earlier packet). So it seems that somehow your machine is trying to connect to 10.0.0.150 (Don't Fragment bit set, UDP traffic with incomplete header) and it gets host unreachable from

RE: An obvious mystery to me... VLAN trunking on firewall

2001-12-20 Thread ext-Harri . Kotakoski
Solaris QFE and GE drivers also support trunking by using Sun Trunking software. However, it's not supported in all firewalls. rgds, Harri -Original Message- From: ext Scheidel, Greg (Contractor) [mailto:[EMAIL

RE: ICMP Fragmentation

2001-12-19 Thread ext-Harri . Kotakoski
I didn't quite understand. Don't Fragment is a bit in the IP header which tells routers that the packet should not be fragmented. And this is passed along with the IP packet. But there is the "fragmentation needed and DF set" ICMP message, type 3 code 4, which is a response to a packet which is too large to

RE: Questions regarding Symantec Enterprise Firewall

2001-12-18 Thread ext-Harri . Kotakoski
Raptor supports LDAP. However, running other software on a firewall is usually considered a security breach. And Raptor tends to make this a bit more difficult than other firewalls because it has the Vulture feature, which kills any unknown processes. Of course this feature can be configured.

RE: PIX versus Symantec

2001-12-17 Thread ext-Harri . Kotakoski
I haven't been working with Raptor's latest release so much, but here are my 2 pence. First you should consider whether you want to have stateful inspection or a proxy firewall. If you have the answer to this question ready you have already made your choice. The next question would be about the required

RE: NAT w/ one to one mapping

2001-12-16 Thread ext-Harri . Kotakoski
Aaron, if you need some clarification of NAT's effect on security you should also tell us the firewall type. Packet filter firewalls sometimes have problems with spoofing when you are using NAT. However, it is usually a good idea to put publicly accessible servers in a DMZ and use real IPs: pros 1.

RE: Upgrade question

2001-12-14 Thread ext-Harri . Kotakoski
There isn't any reason not to upgrade to the newest version. If I recall, the 515 doesn't need (and it is not possible to do) any memory upgrades for the upgrade, but you should check this. There shouldn't be problems with the old configuration, but it depends what you have in it. There are some glitches of

RE: howto create dual firewall

2001-12-06 Thread ext-Harri . Kotakoski
Some companies have security policies which require at least two firewalls in series. Usually one should be the stateful inspection type and the other a proxy. Usually Raptor is the external and Checkpoint the internal (primarily because FW-1 is a bit faster than Raptor and some think

RE: VPN between Cisco and fail-over configuration of FW-1 (Nokia)

2001-12-06 Thread ext-Harri . Kotakoski
Have you defined a Gateway Cluster object in FW-1's policy? Is traffic allowed to the Gateway Cluster IP? Do you have at least FW 4.1sp3? Have you edited Objects.c to force using the Gateway Cluster IP as the source address for the tunnel? rgds, Harri -Original Message- From: ext Daniel

RE: DNS forwarding through FW-1 (was DNS in DMZ)

2001-12-05 Thread ext-Harri . Kotakoski
In principle, you should allow TCP 53 too. TCP is used for queries which are more than 512 bytes, which usually are zone transfers but might not be. rgds, Harri -Original Message- From: ext Hiemstra, Brenno [mailto:[EMAIL PROTECTED]] Sent: 05 December, 2001 16:05 To: 'Rick Brown';

RE: ISPs that don't allow IPSEC protocol thru

2001-11-27 Thread ext-Harri . Kotakoski
It really depends on the implementation. I think that Cisco uses port 80 by default for NAT transparency. Then for example Checkpoint FW-1 uses UDP 2746. And I think that the newest RFC draft I saw was to use ISAKMP (UDP 500) for this one too. However, encapsulation isn't enough. You will have to