From owner-freebsd-security Sun Oct 8 16: 3:17 2000
Delivered-To: freebsd-security@freebsd.org
Received: from jamus.xpert.com (jamus.xpert.com [199.203.132.17]) by hub.freebsd.org (Postfix) with ESMTP id B891F37B66C for ; Sun, 8 Oct 2000 16:03:13 -0700 (PDT)
Received: from roman (helo=localhost) by jamus.xpert.com with local-esmtp (Exim 3.12 #5) id 13iPTI-0004u0-00; Mon, 09 Oct 2000 01:03:08 +0200
Date: Mon, 9 Oct 2000 01:03:08 +0200 (IST)
From: Roman Shterenzon
To: cjclark@alum.mit.edu
Cc: freebsd-security@freebsd.org
Subject: Re: Check Point FW-1
In-Reply-To: <20001008125715.T25121@149.211.6.64.reflexcom.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Sun, 8 Oct 2000, Crist J. Clark wrote:

> On Sat, Oct 07, 2000 at 01:33:04PM -0400, Brian Reichert wrote:
> > On Fri, Oct 06, 2000 at 10:57:37PM -0700, Craig Cowen wrote:
> > > The big cheeses at work want to use check point instead of ipf or any
> > > other open source solution.
> > > Can anybody help me with vulnerabilities to this so that I can change
> > > their minds?
> >
> > I found that Checkpoint 4.0 (this may have changed) doesn't do NAT
> > right; it uses NAT across _all_ interfaces, instead of letting you
> > pick one.
>
> Right, it determines whether to do NAT by source address, destination
> address, and destination port. Actually, it is not possible to do
> _anything_ per interface from the GUI. Wouldn't it be nice (and
> wouldn't you expect a firewall to be able) to block anything not
> destined for a small block of registered IPs at the external
> interface? Well, you can't put a rule to do that in the GUI.

That's rule 0 - it does antispoofing stuff. It's really simple. From the
GUI.

Now, does it have anything to do with FreeBSD-security?

--Roman Shterenzon, UNIX System Administrator and Consultant
[ Xpert UNIX Systems Ltd., Herzlia, Israel. Tel: +972-9-9522361 ]
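For comparison with the per-interface rule Crist asks for above, here is what that restriction looks like in the syntax of ipf (IPFilter), the open-source filter named at the top of the thread. This is an added illustration and not part of the thread or of any Check Point or ipf documentation; the interface name fxp0, the registered block 192.0.2.0/24 and the internal network 10.0.0.0/8 are assumptions chosen for the example.

```ipf
# Added example, not from the thread. Assumed names: external interface
# fxp0, registered address block 192.0.2.0/24, internal network 10.0.0.0/8.

# Anti-spoofing on the external interface: a packet arriving on fxp0 that
# claims an internal or registered source address cannot be legitimate.
# Drop it and log it so the attempt shows up in ipmon output.
block in log quick on fxp0 from 10.0.0.0/8 to any
block in log quick on fxp0 from 192.0.2.0/24 to any

# Interface-scoped destination check: only traffic addressed to the
# registered block may enter on fxp0; everything else is dropped and logged.
pass in quick on fxp0 from any to 192.0.2.0/24
block in log quick on fxp0 all
```

The "on fxp0" clause is the point of the example: each rule is bound to one interface, so the same host can carry a different policy on its internal interface. The pass rule here only demonstrates the destination restriction; in a real ruleset it would be replaced by stateful per-service rules for the hosts in the registered block.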