Date: Mon, 9 Oct 2000 01:03:08 +0200 (IST) From: Roman Shterenzon <roman@xpert.com> To: cjclark@alum.mit.edu Cc: freebsd-security@freebsd.org Subject: Re: Check Point FW-1 Message-ID: <Pine.LNX.4.10.10010090101210.18821-100000@jamus.xpert.com> In-Reply-To: <20001008125715.T25121@149.211.6.64.reflexcom.com>
next in thread | previous in thread | raw e-mail | index | archive | help
On Sun, 8 Oct 2000, Crist J . Clark wrote: > On Sat, Oct 07, 2000 at 01:33:04PM -0400, Brian Reichert wrote: > > On Fri, Oct 06, 2000 at 10:57:37PM -0700, Craig Cowen wrote: > > > The big cheeses at work want to use check point instead of ipf or any > > > other open source solution. > > > Can anybody help me with vunerabilities to this so that I can change > > > thier minds? > > > > I found that Checkpoint 4.0 (this may have changed) doesn't do NAT > > right; it uses NAT across _all_ interfaces, instead of letting you > > pick one. > > Right, it determines whether to do NAT by source address, destination > address, and destination port. Actually, it is not possible to do > _anything_ per interface from the GUI. Wouldn't it be nice (and > wouldn't you expect a firewall to be able) to block anything not > destined for a small block of registered IPs at the external > interface? Well, you can't put a rule to do that in the GUI. That's rule 0 - it does antispoofing stuff. It's really simple. From the GUI. Now, does it have anything to do with FreeBSD-security? --Roman Shterenzon, UNIX System Administrator and Consultant [ Xpert UNIX Systems Ltd., Herzlia, Israel. Tel: +972-9-9522361 ] To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?Pine.LNX.4.10.10010090101210.18821-100000>