Subject: Re: Check Point FW-1
From: Crist J. Clark (cjclark reflexnet.net)
Date: Sun Oct 08 2000 - 14:57:15 CDT
- Next message: Crist J . Clark: "Re: Check Point FW-1"
- Previous message: Wes Peters: "Re: Check Point FW-1"
- In reply to: Brian Reichert: "Re: Check Point FW-1"
- Next in thread: Roman Shterenzon: "Re: Check Point FW-1"
- Reply: Crist J . Clark: "Re: Check Point FW-1"
- Reply: Roman Shterenzon: "Re: Check Point FW-1"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
On Sat, Oct 07, 2000 at 01:33:04PM -0400, Brian Reichert wrote:
> On Fri, Oct 06, 2000 at 10:57:37PM -0700, Craig Cowen wrote:
> > The big cheeses at work want to use check point instead of ipf or any
> > other open source solution.
> > Can anybody help me with vulnerabilities to this so that I can change
> > their minds?
>
> I found that Checkpoint 4.0 (this may have changed) doesn't do NAT
> right; it uses NAT across _all_ interfaces, instead of letting you
> pick one.
Right, it determines whether to do NAT by source address, destination
address, and destination port. Actually, it is not possible to do
_anything_ per interface from the GUI. Wouldn't it be nice (and
wouldn't you expect a firewall to be able) to block anything not
destined for a small block of registered IPs at the external
interface? Well, you can't put a rule to do that in the GUI.
> This means if you have two internal nets that are connected to the
> firewall box, the traffic between them seems as if it's coming from
> the public interface. This can confuse ACLs...
Yep, you end up writing extra rules to make the NAT work by the source
and destination addresses if you stick to the GUI alone.
> (You suppose can Do the Right Thing, but their silly GUI tool
> imposes a ton of work on you to accomplish it...)
Exactly, another reason for the I Hate GUIs attitude. People,
including several people in this thread, say how neat-o the FW-1 GUI
is. However, if you want to do anything serious with the firewall, you
need to hack the scripts the GUI generates (the GUI generates scripts
which are what is read by the actual firewall daemons, called
"INSPECT" scripts or something?). It ends up that you need to either
write really contorted (and typically less secure) rules to simulate a
rule on an interface or you need to hack the scripts manually (you
_can_ specify per interface rules in the scripts).
Don't get me started on the GUI log viewer.
-- Crist J. Clark cjclarkalum.mit.edu
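To make the per-interface point concrete, here is an added illustration (not from the thread or from Check Point's own configuration) of the kind of rule the post says FW-1's GUI cannot express: filtering and NAT bound to a named interface, written in the ipf/ipnat syntax that the thread's original question mentions as the open-source alternative. Interface names (fxp0 external, fxp1 and fxp2 internal), the registered block 192.0.2.0/28 and the private ranges are constructed for the example.

```ipf
# /etc/ipf.conf (constructed example; interface names and addresses are assumed)

# External interface fxp0: anything not destined for the small registered
# block is dropped and logged, regardless of source or port. The rule is
# keyed on the interface, which is the behaviour the post asks for.
block in log quick on fxp0 from any to ! 192.0.2.0/28

# Explicitly permitted inbound services on the registered block.
pass in quick on fxp0 proto tcp from any to 192.0.2.10/32 port = 25 flags S keep state
pass in quick on fxp0 proto tcp from any to 192.0.2.11/32 port = 80 flags S keep state

# Default deny on the external interface.
block in log quick on fxp0 all

# Internal interfaces carry their own policy. Traffic between the two
# internal nets is matched here, never by the fxp0 rules above.
pass in quick on fxp1 from 10.1.0.0/16 to any keep state
pass in quick on fxp2 from 10.2.0.0/16 to any keep state

# /etc/ipnat.conf (constructed example)
# NAT is attached to fxp0 only: packets leaving on fxp1 or fxp2 (for
# example 10.1.x.x talking to 10.2.x.x) keep their real source address,
# so internal ACLs still see where the traffic came from.
map fxp0 10.1.0.0/16 -> 0/32 portmap tcp/udp 10000:60000
map fxp0 10.1.0.0/16 -> 0/32
map fxp0 10.2.0.0/16 -> 0/32 portmap tcp/udp 10000:60000
map fxp0 10.2.0.0/16 -> 0/32
```

The contrast with the address-keyed NAT described above is the `on fxp0` / `map fxp0` binding: both filtering and translation apply only to packets crossing that one interface, so no extra source/destination rules are needed to keep inter-LAN traffic from being translated.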
To Unsubscribe: send mail to majordomo
FreeBSD.org with "unsubscribe freebsd-security" in the body of the message