Hi folks,

Currently I am involved in a project which requires that I set up a central fw-1 mgmt station to manage 2 fw-1 (on Solaris 2.5.1) boxen via an encrypted VPN over the Internet. I also intend to do some "out-of-band" mgmt with a dial-in modem on the serial console of the two Sun boxes (yes, yes, wardialers, I know). However, this is what the customer wants, and I have no say-so, so I need to simply get it set up.

A couple of general questions about fw-1:

1) Does fw-1 actually *break* the client/server model? Application gateways like FWTK actually will generate an entirely new packet from the OS IP stack to handle communication between clients and external servers. This is a more secure setup, IMHO. So, does fw-1 actually *forward* IP packets to internal clients after checking its ruleset? Can I turn this off (i.e. ndd /dev/ip stuff?) and have fw-1 still work?

2) Does fw-1 handle fragmented packets correctly? i.e. does it handle the reassembly, or does the OS IP stack?

3) Concerning NAT: the client has a T1 to the Net, fw-1-A, and also a private point-to-point T1 connection to another company, with fw-1-B sitting there. Both fw-1s are doing NAT. Now if an internal client has his default route pointing to the internal interface of fw-1-A, and he wants to talk to somebody on the Net, the packet hits fw-1-A, the internal IP gets translated, and out it goes. BUT, if that same client wants to talk to a machine on the other side of fw-1-B, he cannot, as his IP has been translated to an external (public) address and can't get back in. SO I have been forced to segregate clients who can talk to the Internet via fw-1-A, and clients that can talk to other_company via fw-1-B. Is there any way to solve this problem nicely? By putting in appropriate routes, I think I can get this to work, but fw-1-A will be putting this packet out on the wire twice, and I have to turn on IP forwarding.
Ok, now a couple of VPN-specific questions:

1) I am going to use DES instead of the proprietary FWZ encryption for the fw-1->fw-1 connection. Any patches or anything I need to know about? Also, the licenses that I require to make this whole VPN setup work are extremely confusing; Checkpoint is as bad as Microsoft, nickel-and-diming you the whole way. If anybody knows what licenses I need on the central mgmt station, as well as on the managed firewalls, I'd appreciate it.

2) Which TCP/UDP ports do the "firewall control connections" use?

a) If this is a known port or range of ports, is it not possible to launch a denial-of-service against a fw-1 being managed by a VPN over the Internet? i.e. simply flood those ports on the fw-1, and boom, the mgmt station can't talk to the firewall it's trying to manage.

b) On the 2 fw-1s to be managed, I am being forced to use the GUI interface, as I don't get INSPECT yet. Now if I check the box "enable firewall-1 control connections", how/where do I specify a list of IPs to accept control connections from? Or do I install a new rule in the rulebase for this? I certainly hope that Joe Random Hacker can't manage my firewalls remotely!

Thank you for your time; any light you can shed is greatly appreciated. If you are in NYC, I'll owe you a brew ;)

--ANindya
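The NAT/routing problem in question 3 of the post above, worked through as an added example (this is not code from the post, and it models plain IP routing plus source NAT rather than anything FW-1 specific): a small Python model of the two-firewall topology with longest-prefix-match routing on the client and on each firewall, and source translation whenever a packet leaves a firewall by its outside interface. All addresses, the route tables and the `lookup`/`trace` helpers are assumptions constructed for the example.

```python
from ipaddress import ip_address as addr, ip_network as net

# Constructed topology for this example (addresses are assumed, not from the post).
INTERNAL = net("10.1.0.0/16")     # customer's internal network; both fw-1s sit on it
OTHER_CO = net("10.2.0.0/16")     # other_company's private network behind fw-1-B
DEFAULT  = net("0.0.0.0/0")
FW_A_INT, FW_B_INT = addr("10.1.0.1"), addr("10.1.0.2")   # internal interfaces
FW_A_EXT = addr("192.0.2.1")      # fw-1-A's public address on the Internet T1 (TEST-NET)
FW_B_T1  = addr("172.16.0.1")     # fw-1-B's address on the private point-to-point T1
CLIENT   = addr("10.1.5.20")
SOMEONE_ON_NET      = addr("198.51.100.10")   # stand-in for an Internet host (TEST-NET-2)
SOMEONE_AT_OTHER_CO = addr("10.2.7.8")

def lookup(routes, dst):
    """Longest-prefix match: a /16 for other_company beats the 0.0.0.0/0 default."""
    matches = [(prefix, nh) for prefix, nh in routes if dst in prefix]
    return max(matches, key=lambda m: m[0].prefixlen)[1] if matches else None

# A next hop is either another host on the internal wire (an address) or the
# name of an egress interface (a string). Traffic leaving by an egress listed
# under "nat" gets its source translated to that address, as the post describes.
FIREWALLS = {
    FW_A_INT: {"routes": [(INTERNAL, "internal"), (DEFAULT, "external")],
               "nat": {"external": FW_A_EXT}},
    FW_B_INT: {"routes": [(INTERNAL, "internal"), (OTHER_CO, "t1")],
               "nat": {"t1": FW_B_T1}},
}

# What each egress can actually deliver to: the Internet T1 will never carry a
# packet for other_company's private prefix, however it was translated.
REACHABLE = {
    "internal": lambda d: d in INTERNAL,
    "t1":       lambda d: d in OTHER_CO,
    "external": lambda d: d not in INTERNAL and d not in OTHER_CO,
}

def trace(client_routes, dst, fw_a_routes=None):
    """Follow one packet from CLIENT to dst.

    Returns (hops, source address as seen at the egress, delivered).
    fw_a_routes optionally replaces fw-1-A's routing table.
    """
    hops, src = ["client"], CLIENT
    here = lookup(client_routes, dst)
    for _ in range(3):                       # client -> fw -> fw -> egress at most
        if here is None:
            return hops + ["no route"], src, False
        fw = FIREWALLS[here]
        routes = fw_a_routes if (here == FW_A_INT and fw_a_routes) else fw["routes"]
        hops.append(f"fw@{here}")
        nh = lookup(routes, dst)
        if isinstance(nh, str):              # leaving the firewall by an interface
            src = fw["nat"].get(nh, src)
            return hops + [nh], src, REACHABLE[nh](dst)
        here = nh                            # sent back out the internal interface
    return hops + ["loop"], src, False

# Client routing tables: default only (the situation in the post), or with a
# static route for other_company pointing at fw-1-B.
CLIENT_DEFAULT_ONLY = [(DEFAULT, FW_A_INT)]
CLIENT_WITH_STATIC  = [(DEFAULT, FW_A_INT), (OTHER_CO, FW_B_INT)]
# Alternative fix kept on the firewall: fw-1-A gets a route to other_company via fw-1-B.
FW_A_WITH_ROUTE = FIREWALLS[FW_A_INT]["routes"] + [(OTHER_CO, FW_B_INT)]

if __name__ == "__main__":
    print(trace(CLIENT_DEFAULT_ONLY, SOMEONE_ON_NET))        # translated, delivered
    print(trace(CLIENT_DEFAULT_ONLY, SOMEONE_AT_OTHER_CO))   # translated, NOT delivered
    print(trace(CLIENT_WITH_STATIC, SOMEONE_AT_OTHER_CO))    # via fw-1-B, delivered
    print(trace(CLIENT_DEFAULT_ONLY, SOMEONE_AT_OTHER_CO, fw_a_routes=FW_A_WITH_ROUTE))
```

The second call reproduces the complaint in the post: with only a default route, the packet for other_company reaches fw-1-A, is translated to the public address and leaves by the Internet T1, where a 10.2.0.0/16 destination is unreachable. The third call fixes it on the client with a more specific route, so the packet never touches fw-1-A. The fourth call fixes it on fw-1-A instead: fw-1-A receives the packet on its internal interface and sends it back out that same interface toward fw-1-B, which is the "out on the wire twice" case the post anticipates and is why IP forwarding has to be on; note that replies from other_company then come back through fw-1-B straight to the client, so the two directions take different paths.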
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 12:55:36 PDT