RE: [FW1] Strange NT Routing Issue

2000-06-14 Thread Brendan McCauley
internal routing i'm a novice, at best and i've never been through any training for any of this, only what i've learned here, other places, and worked out on my own. i've also shared this sketch with others on the list from time to time who have found it useful. if someone knows a better way,

[FW1] Additional FTP on different ports

2000-06-14 Thread Danny Kruitbosch
Hi, For a homebanking solution we want to provide to our clients, we need to get ftp on different ports through our firewall. I've read the phoneboy FAQ about this and it seems great. There's one thing that's not quite clear to me: Can I get this to work in addition to "normal" ftp? I need to

R: [FW1] SP 5 installation problem

2000-06-14 Thread Flavio Muscetra
- Original Message - From: [EMAIL PROTECTED] To: [EMAIL PROTECTED] Cc: [EMAIL PROTECTED] Sent: Tuesday, June 13, 2000 8:48 PM Subject: RE: [FW1] SP 5 installation problem The -132 is more than likely a locked file issue. I posted this earlier. The SP

RE: [FW1] Gigabit support

2000-06-14 Thread Robert Purdy
What does FW-1 one do when it cannot handle the bandwidth? Does it revert to the installation option of IP Forwarding? A) Control IP forwarding and drop overload B) Do not control and forward the overloaded data Has anyone seen what happens when you get to this point? Cheers Rob Purdy

Re: [FW1] More SYN Defender Problems

2000-06-14 Thread T . Higgins
Hi Just a quick comment:- I heard a CCSI say that CP's 'official' stance was NOT to use SYN Defender - because of known problems (!) - and only use it when you think you are being attacked. Tim Higgins

[FW1] Tests on SYN Defender Problems

2000-06-14 Thread Cisco Wave
All, Thank you very much for your support. After a few testing here is what I found. It is a bit long, but worse looking at it. I have some pictures explaining the following and some simple traces for about 100K in a zip file if you are interested. Let me know, I am running 2 checkpoint FW1

[FW1] NT Server Setup Question

2000-06-14 Thread Shane Hill
Is there any reason why I can't apply some of the security tightening procedures Microsoft recommends for an IIS server in http://www.microsoft.com/technet/security/iischk.asp to my NT4 firewall-1 server? I've looked at one or two NT firewall lockdown documents but they don't mention topics such

[FW1] A Proxy Server on FW-1 Question

2000-06-14 Thread Shane Hill
I might be asking an obvious question but I'm running FW-1 on my NT4 server, why shouldn't I put MS Proxy (or other) server onto the same box? What am I risking? I can't afford expensive software / hardware at the moment but I'm looking to generate management reports on web access by user /

[FW1] VPN between FW-1 and Netopia

2000-06-14 Thread Michael Werlich
Hi all, has anyone setup a vpn between FW-1 CP 2000 and netopia S9500. Is it possible or definitely not? Is there somewhere a How to ... ? regards and thanks Michael === edv beratung werlich IP Lösungen für Netzwerke Michael Werlich Tel. + 49 7551-91 52

[FW1] Prioritize certain users through Check Point for Web Access

2000-06-14 Thread Cosgriff, Joe
I have tried to find, by looking at the documentation I have, how to prioritize certain users over others for web access. We have one group, because of their business "importance" are requiring priority when accessing the web over other users within the company. I am using Check Point 4.0. I

[FW1] redundant internet service providers

2000-06-14 Thread payal rewri
Actually, there are very good articles written by Cisco's Halibi, if i am not mistaken. if you search Cisco / 3com site i think you can get the implementation details of BGP4, getting your sites ASN number from ARIN, setting up the 2 routers in HA via HSRP and heartbeat link, and connecting

[FW1] Linux and FW-1: big problem

2000-06-14 Thread Rossi, Marco
Hi there, I thought to be not that faraway having FW-1 running on Linux. But now I´m stuck with real tricky problem. My scenario looks like that: I-I I PC I supposed to be the Internet I-I 192.168.1.131 255.255.255.240 192.168.1.131 (Default GW) I

RE: [FW1] redundant internet service providers

2000-06-14 Thread Jonah Kowall
That is a good paper to look at. I can also offer assistance in how this is done, because I have done it a few times. just email me directly, if I can help answer any questions. -Original Message- From: payal rewri [mailto:[EMAIL PROTECTED]] Sent: Wednesday, June 14, 2000 6:54 AM To:

Re: [RISC Technology Europe]: Re: [FW1] Jolt 2

2000-06-14 Thread Paul Cardon
Frederic NAKHLE wrote: I'm ok. But it's maybe possible to block it with realsecure and opsec configuration and block the source ip by example. Can you give me your opinion. Two major problems with this. First of all, RealSecure is currently only capable of detecting a particular type of

AW: [FW1] Linux and FW-1: big problem

2000-06-14 Thread Rossi, Marco
Hi Fadjar, thanx for your fast reply. I. add the arp in your firewall like this: arp -a 192.168.1.140 .. (MAC address of Firewall External Interface) you can use arp.bat to make simple I already tried this but it changed nothing. II. add the static arp to your PC (router)

[FW1] LDAP and ASN1 numbers

2000-06-14 Thread Paul . Simons
I am trying to use LDAP for user authentication. According to the phoneboy docs I need an ASN1 number that is supposed to be in the Firewall doc. I can't find it, can somebody point me in the right direction, please. Paul

[FW1] Dumb Policy Server Question

2000-06-14 Thread Kenneth G. Payne
Greetings Gurus, I'm trying to ferret out the functionality of the Policy Server in 4.1. I understand that it works with Secure Client and pushes the policy as defined in the "Desktop Security" Tab of the Policy/Properties screen out to the Secure Client machine upon authentication. I can

[FW1] upgarde to 2000?

2000-06-14 Thread doconnell
Hello all, I have a question. I have a new firewall that I am installing (or trying to) to be fw1 2000, which from phoneboy (thank you!) I know should be build 41489. When I followed the install directions from the checkpoint docs I find I am at build 41439, vanilla 4.1. I can see that

Re: AW: [FW1] Linux and FW-1: big problem

2000-06-14 Thread Frank
On Wed, 14 Jun 2000, Rossi, Marco wrote: arp -a 192.168.1.140 .. (MAC address of Firewall External Interface) you can use arp.bat to make simple Try: arp -a 192.168.1.140 .. pub This will do a "proxy" arp that your carriers router will see (and any other device

[FW1] Weird log

2000-06-14 Thread Pires, Michael
Anyone know what this port is used for? 14:55:31 drop qfe3 proto tcp src 192.168.33.105 dst 168.144.1.24 service 90 s_port 4342 len 44 rule 227 ___ Michael Pires Security Analyst

Re: [FW1] Web Proxy/Websense

2000-06-14 Thread drodey
We use our FW 4.0 server as a proxy, meaning all browser clients have internal IP of FW set as their proxy address. No caching. Yes, this works but i dont recommend it. We are changing our config. This proxy config (along with NO NAT) is causing many problems when connecting to certain

RE: [FW1] Jolt 2 - RealSecure and FW-1

2000-06-14 Thread Lance Spitzner
On Wed, 14 Jun 2000, Chambers, Steven wrote: Surely Realsecure can detect the attack and reconfigure the Fw using opsec. That's what we plan do to. Steven, I hope you don't mind, but I have taken the liberty of replying to both you and the FW-1 list group. There are two major flaws in

RE: [FW1] SQLnet over NAT issue..

2000-06-14 Thread Paquette, Trevor
What if you create a virtual interface on the internal DB server with the External IP? Setup the listener.ora file to listen on both the internal IP interface and external IP interface. Connections should only go to the internal IP interface; and the listener should be able to handle that. By

Re: [FW1] Weird log

2000-06-14 Thread Dan R Dunn -CTR
dnsix 90/tcp DNSIX Securit Attribute Token Map dnsix 90/udp DNSIX Securit Attribute Token Map

Re: [FW1] Weird log

2000-06-14 Thread Jason Witty
From http://www.wittys.com/files/all-ip-numbers.txt : ### PORT 90 also being used unofficially by Pointcast # dnsix 90/tcp DNSIX Securit Attribute Token Map dnsix 90/udp DNSIX Securit Attribute Token Map # Charles Watt [EMAIL

[FW1] Firewall on NT

2000-06-14 Thread Varnam, Gary
Hi People, Does anyone out there with own a Class C Address that they have subnetted down to four networks that run firewall1 on an NT box. If so I would like to hear from you. The problem I have is any web site is the same first two octet the same as ours we cannot get to, apart from those

Re: [FW1] Strange NT Routing Issue

2000-06-14 Thread Eric Eskam
Hello Robert, Are you using RIP No. Just static routes. Are you using the basic routing that comes with NT4 Yes (as opposed to the "better" router that's part of RRAS) Is RRAS safe to use w/ Checkpoint? I could find no word on it one way or the other so I just stuck with the basic NT

[FW1] ISP added a new second network - how to configure external IF ??

2000-06-14 Thread Robert Eryou
Hi All, We currently have a 32 block of IPs from our ISP. We needed more, so the ISP assigned us another 32 IPs from a different network: Current would be 10.0.0.32 - 255.255.255.224 added would be 192.168.0.32 - 255.255.255.224 Our current FW config says the External IF is 10.0.0.33 How

[FW1] Sam and FWZ

2000-06-14 Thread Sam Ghannadi
I have a question on what the items are under the FWZ properties of FireWall-1. Mainly the items that are under consideration are as follows: -Under the Key Manager tab: Exponent and Modulus -Under the DH tab: Key Let's also assume the following: Under the Diffie-Hellman scheme, there are

[FW1] How to change the NAT interface?

2000-06-14 Thread Paul . Simons
I have the following networks/interfaces 1-external interface (real IP) 2-DMZ Public (real IP) 3-DMZ Private (real IP) 4-Internal Network (10.0.0.0) I am using 'hide' for all address on the 4 network but these are getting translated on the DMZ's also. How can I move the translation to

RE: [FW1] How to change the NAT interface?

2000-06-14 Thread Gregory, David
You will need a route on your firewall that states all traffic destined to the dmz network goes through the dmz interface. The problem may lie in where you are using real IP address space for your private DMZ network, if that is the case you will need to re-evaluate the private addressing of

Re: [FW1] How to change the NAT interface?

2000-06-14 Thread Dan Davis
Try putting in a manual nat rule that says: Internal_Nets Internal_Nets Any || Original OriginalAny Where Internal_Nets is a group containing the networks on ports 2,3, and 4. Dan At 10:27 AM 6/14/00 -0600, [EMAIL PROTECTED] wrote: I have the following

[FW1] Checkpoint VPN client software

2000-06-14 Thread Michael Louie
Can anyone tell me if VPN clients are free? If not, approximately what do they run for? Thanks, Mike

[FW1] Nokia HA Implementation

2000-06-14 Thread Mark Leuzinger
Does anyone have any comments on the Nokia High Availability Solutions? I'm looking to upgrade our Internet access firewall with either Nokia 650's or 440's in a HA configuration, and wondering is the price uplift for the 650's (3x) worth the cost? = Mark R.

RE: [FW1] Nokia HA Implementation

2000-06-14 Thread c_siddika
Unless you need hot-swapable interface cards you are fine with IP440. I have two pairs of IP440 and one pair of IP650 all configured in HA using Monitored VRRP. I would go for IP440 and spend the extras on a good intrusion detection server. siddika -Original Message- From: Mark

RE: [FW1] Nokia HA Implementation

2000-06-14 Thread Wayne Graves
I have a pair of IP650's. I'd say unless you're running more than a T1 it's overkill. We are using about 8 VRRP's right now and headed toward dual T1's. Seems to be idle most of the time but our management would have never let us upgrade so we went big right off the line.

[FW1] Secure Remote Client version compatibility

2000-06-14 Thread Michael Louie
Anyone know if Secure Remote Client version 4.1 will work properly with a 4.1 firewall? Thanks, Mike

[FW1] Oracle Web Application

2000-06-14 Thread Kelly, John
My client just installed an Oracle web application on a web server in the DMZ. The web server needs to connect to the Oracle DB server on the internal network. The developer said that the app will communicate on ports 1521 and 1526. I added the rule to allow the

[FW1] FW1 Floodgate

2000-06-14 Thread Newman, Steven
What is the feasibility of running FW1 and Floodgate on the same machine. This is for a small network, under 20 connections. Currently, the FW box is a Pentium Pro 233 with 128 Megs ram. It's averaging about 5% CPU utilization, and we'd like to get some more use out of the box. Any

[FW1] hacker 194.73.175.25

2000-06-14 Thread hermit1
This is relevant only because my FW-1 logs show me this problem, but someone on this list must know the answer. I am trying to get in touch with someone at bt.net (apparently in England) to get them to stop scanning my address space (currently on scan number 4), or maybe someone is spoofing

[FW1] CP firewall Authentication

2000-06-14 Thread Daniel Kieng
Hello all, I am looking for a solution to authenticate my securemote client on to my NT domain. Can anyone tell me what is the way to implement this. Daniel Kieng Sr. Network Security Engineer PlatinumNetworks 4501-B Forbes Blvd. Lanham, MD 20706 Toll Free:877.429.3349 Corp HQ:

RE: [FW1] Mail Relay

2000-06-14 Thread Jonah Kowall
Securemote (VPN) is a good idea, but not always possible. Another solution is to have them use their ISP's mailserver to send mail. For instance if they are dialing into aol, have them use the aol mailserver for outgoing email. Another option is to install a web email package (outlook for the

RE: [FW1] PERSONAL: Citrix Issues....

2000-06-14 Thread Dean Cunningham
Seeing as you are only worried about http/https/ftp... Suggest you install ms proxy server (or CSM proxy) and point all users on TS to go via it. On MSP you can allow only certain NT groups or people access to each protocol. The logs out of MSP also log the username The authentication is

Re: [FW1] hacker 194.73.175.25

2000-06-14 Thread Steven Lee
Do this to a spoofed address, and you may violate your ISP's AUP and find yourself cut off from service. Do this to a compromised system, and you may not actually get the compromise resolved. Contacting the upstream ISP usually does the trick, as long as the ISP cares. Steve John Stevenson

[FW1] CVP scanner on external side of Firewall

2000-06-14 Thread John Mitchell
Does anyone know of a way to have the CVP scanner you are using located outside the firewall's protected domain? The reason behind this is due to the desired nature of my network configuration. (See Below) remote lan ==FW-1 (VPN)== INTERNET == FW-1 (VPN) == hq lan || || DMZ (CVP scanner) I

RE: [FW1] Secure Remote Client version compatibility

2000-06-14 Thread Dan Hitchcock
Yes, and yes. Dan Hitchcock MCSE, CCNA Network Engineer HomeStreet Bank 206.389.4467 [EMAIL PROTECTED] -Original Message- From: Michael Louie [mailto:[EMAIL PROTECTED]] Sent: Wednesday, June 14, 2000 11:59 AM To: [EMAIL PROTECTED] Subject: [FW1] Secure Remote Client version

RE: [FW1] CP firewall Authentication

2000-06-14 Thread Dan Hitchcock
RADIUS is a popular solution. FW1 supports it natively, and with CP2000, you can even use it to authenticate 3DES connections via SecuRemote. Steel-Belted RADIUS was solid in my testing of it, although a bit expensive and overkill for what we needed. The RADIUS server on the NT4 option pack

[FW1] ICMP

2000-06-14 Thread Justin Derry
we host over 300 web sites within a firewall protected area. Does anyone have any feelings / thoughts on not allowing icmp/trace route traffic through to these sites and only allowing http/https traffic Cheers Justin Derry

[FW1] SecuRemote: Communication with site myfirewall has failed

2000-06-14 Thread Denis Lebeuf
Hi, I just can't make SecuRemote work with our firewall. I have read many FAQs and recipes about SecuRemote to no avail. I start SecuRemote, define a site, get the key exchange dialog, but when trying to download a security policy (or trying a telnet if security policy is disabled), I always

Re: [FW1] nbdatagram, nbname and nbsession

2000-06-14 Thread Tika Mahata
Hi zinc I think the rule applying may be different than what you expect. Pls check other rules. Tika --- zinc zdj [EMAIL PROTECTED] wrote: Hi everybody, This is my first rule rule: any firewall nbdatagram drop nbsession nbname The problem is that it

[FW1] No encryption features are enabled even license has been added

2000-06-14 Thread Tika Mahata
Hi, I've added secuRemote 4.0 for FW-1 4.0. But the encryption features where it is applicable is not activated and encrypt and client encrypt in services are also grey. That's why I think secuRemote is not enabled. I think I'd made some mistake or I need to add something else. OS: NT4.0

Re: [RISC Technology Europe]: Re: [FW1] Jolt 2

2000-06-14 Thread Daniel Voyer
I don't think so. The better way is to put an access list for all icmp inside your "exterior router", (I mean the router between your fw and your internet connection). I also tested this attack and the solution from checkpoint ( fw ctl debug -buf ) work but my cpu still loaded for 5 to 10 % for