In some mail from Ryan Russell, sie said: > > >The first 25 packets were lost before the interface's initialization. The > >packets with sequence number greater than 34 are droped from the firewall. > >What about the packets with sequence number 25-34? Is it possible that > >someone can use this time (after the interface's initialization and before > >the firewall's initialization) to do something bad? > > Absolutely. There is a period of time while the FW is booting when the > OS is up, but the FW software is not. FW-1 makes no attempt to hook > the IP stack in such a way to prevent this. You MUST secure the > underlying OS ON YOUR OWN. FW-1 does NOT "harden" the OS.. I think you missed the point here...if the interfaces are UP, then it's likely to be forwarding packets *through* the box...I don't know if the NT version of FW-1 has a control ip forwarding option as does the Solaris one, but it should. (THe poster didn't say if packets got through or if they even tested that). Darren
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:41:00 PDT