I agree, I have not noticed this in the one-to-one NAT scenario you have. In the situations I am talking about, the most obvious difference is the source port of packets coming from protected hosts is changed. Each host sharing an address seems to get a different source port. Of course this is not specific to checkpoint. Im sorry I don't have the article you request, I don't have access to checkpoint support. I doubt they have useful information on this subject anyway. More useful is this nmap fingerprint which works for me a good deal of the time. It's included in recent versions of nmap: # Contributed by william.froggeat_private Fingerprint NT Server 4.0 SP4-SP5 running Checkpoint Firewall-1 TSeq(Class=TD%gcd=<8%SI=<154) T1(DF=Y%W=2017%ACK=S++%Flags=AS%Ops=M) T2(Resp=N) T3(Resp=Y%DF=Y%W=2017%ACK=S++%Flags=AS%Ops=M) T4(Resp=N) T5(DF=N%W=0%ACK=S++%Flags=AR%Ops=) T6(Resp=N) T7(Resp=N) PU(DF=N%TOS=0%IPLEN=38%RIPTL=148%RID=E%RIPCK=E%UCK=F%ULEN=134%DAT=E) At Tue, 15 May 2001 16:37:03 -0500, Frank Knobbe <FKnobbeat_private> wrote: >> -----Original Message----- >> From: railwayclubposseat_private >> [mailto:railwayclubposseat_private] >> Sent: Tuesday, May 15, 2001 10:49 AM >> >> You get the same results if the default Checkpoint ports are >> closed. You >> still need to find one or two open ports, but they don't have >> to be on the >> firewall itself. The giveaway is in how the headers are >> rewritten for one- >> to-many NAT. > > >Uhm... I'm confused. I assume you mean ports of statically natted >machines. I connect from the Internet through the FW-1 to a host >behind behind it. That is a one-to-one NAT. What is rewritten in the >headers that would identify the screening fw as a FW-1 machine? I >mean IP addresses are obviously changed. What other header >information (i.e. flags, options) are changed in the packet coming >form the host? I understand that I should expect a certain option set >in a response packet (depending on OS and my request packet), I >understand the process, I'm not question this. Just would like to >know what is reset/changed in the TCP or UDP packet. (Let's ignore >ICMP). Point me to an article or FAQ please. > >Regards, >Frank > >-----BEGIN PGP SIGNATURE----- >Version: PGP Personal Privacy 6.5.8 >Comment: PGP or S/MIME encrypted email preferred. > >iQA/AwUBOwGhf5ytSsEygtEFEQIvsACgoTtMFV/4RxlUGwGFKpzMVkGXkDMAmgMa >jgNg9+TBLNivSvLJZFdJHhex >=K0ok >-----END PGP SIGNATURE----- > Free, encrypted, secure Web-based email at www.hushmail.com IMPORTANT NOTICE: If you are not using HushMail, this message could have been read easily by the many people who have access to your open personal email messages. Get your FREE, totally secure email address at http://www.hushmail.com.
This archive was generated by hypermail 2b30 : Wed May 16 2001 - 08:23:54 PDT