Date: Sun, 8 Oct 2000 12:57:15 -0700
From: "Crist J . Clark"
To: Brian Reichert
Cc: Craig Cowen , "freebsd-security@FreeBSD.ORG"
Subject: Re: Check Point FW-1
Message-ID: <20001008125715.T25121@149.211.6.64.reflexcom.com>
Reply-To: cjclark@alum.mit.edu
References: <39DEBB51.E51BACFB@allmaui.com> <20001007133304.B54883@numachi.com>
In-Reply-To: <20001007133304.B54883@numachi.com>; from reichert@numachi.com on Sat, Oct 07, 2000 at 01:33:04PM -0400

On Sat, Oct 07, 2000 at 01:33:04PM -0400, Brian Reichert wrote:
> On Fri, Oct 06, 2000 at 10:57:37PM -0700, Craig Cowen wrote:
> > The big cheeses at work want to use check point instead of ipf or any
> > other open source solution.
> > Can anybody help me with vulnerabilities to this so that I can change
> > their minds?
>
> I found that Checkpoint 4.0 (this may have changed) doesn't do NAT
> right; it uses NAT across _all_ interfaces, instead of letting you
> pick one.

Right, it determines whether to do NAT by source address, destination
address, and destination port. Actually, it is not possible to do
_anything_ per interface from the GUI.

Wouldn't it be nice (and wouldn't you expect a firewall to be able) to
block anything not destined for a small block of registered IPs at the
external interface? Well, you can't put a rule to do that in the GUI.

> This means if you have two internal nets that are connected to the
> firewall box, the traffic between them seems as if it's coming from
> the public interface. This can confuse ACLs...

Yep, you end up writing extra rules to make the NAT work by the source
and destination addresses if you stick to the GUI alone.

> (You supposedly can Do the Right Thing, but their silly GUI tool
> imposes a ton of work on you to accomplish it...)

Exactly, another reason for the I Hate GUIs attitude. People, including
several people in this thread, say how neat-o the FW-1 GUI is. However,
if you want to do anything serious with the firewall, you need to hack
the scripts the GUI generates (the GUI generates scripts which are what
is read by the actual firewall daemons, called "INSPECT" scripts or
something?). It ends up that you need to either write really contorted
(and typically less secure) rules to simulate a rule on an interface or
you need to hack the scripts manually (you _can_ specify per interface
rules in the scripts).

Don't get me started on the GUI log viewer.

-- 
Crist J. Clark cjclark@alum.mit.edu

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
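For comparison with the per-interface behaviour the posters above say FW-1's GUI cannot express, here is an added ipf/ipnat configuration (not from the thread, and not Check Point syntax) that binds NAT to a single external interface and drops anything arriving there that is not addressed to a small registered block. The interface names fxp0/xl0/xl1 and all address blocks are constructed for the illustration.

```conf
# /etc/ipnat.conf (constructed example). "map <if>" binds the translation to
# the external interface only, so packets between the two internal nets on
# xl0/xl1 are never rewritten and ACLs between them see real addresses.
map fxp0 192.168.1.0/24 -> 192.0.2.1/32 portmap tcp/udp 10000:20000
map fxp0 192.168.1.0/24 -> 192.0.2.1/32
map fxp0 192.168.2.0/24 -> 192.0.2.1/32 portmap tcp/udp 20001:30000
map fxp0 192.168.2.0/24 -> 192.0.2.1/32

# /etc/ipf.conf (constructed example). Every rule names its interface with
# "on"; "quick" stops evaluation at the first match. Registered block is
# 192.0.2.0/29. Note that ipf filters inbound packets after ipnat has
# un-translated them and outbound packets before ipnat translates them,
# so filter rules for NATed hosts are written on the internal addresses.
block in log quick on fxp0 from any to ! 192.0.2.0/29
# Anti-spoofing: private source addresses must never arrive on the outside.
block in log quick on fxp0 from 192.168.0.0/16 to any
# Only the published services are reachable from outside, statefully.
pass in quick on fxp0 proto tcp from any to 192.0.2.2 port = 25 flags S keep state
pass in quick on fxp0 proto tcp from any to 192.0.2.3 port = 80 flags S keep state
# Outbound from the internal nets; the state entry admits the replies.
pass out quick on fxp0 from 192.168.1.0/24 to any keep state
pass out quick on fxp0 from 192.168.2.0/24 to any keep state
# Internal interfaces: policy between the two nets on untranslated addresses.
pass in quick on xl0 from 192.168.1.0/24 to 192.168.2.0/24 keep state
pass in quick on xl1 from 192.168.2.0/24 to 192.168.1.0/24 keep state
# Default deny, logged, for anything no rule above admitted.
block in log all
```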