From owner-freebsd-security Sun Oct 8 22:51:35 2000
Date: Sun, 8 Oct 2000 22:51:25 -0700
From: "Crist J . Clark"
To: Roman Shterenzon
Cc: cjclark@alum.mit.edu, freebsd-chat@freebsd.org
Subject: Re: Check Point FW-1
Message-ID: <20001008225125.A25121@149.211.6.64.reflexcom.com>
Reply-To: cjclark@alum.mit.edu
References: <20001008125715.T25121@149.211.6.64.reflexcom.com>
In-Reply-To: ; from roman@xpert.com on Mon, Oct 09, 2000 at 01:03:08AM +0200

On Mon, Oct 09, 2000 at 01:03:08AM +0200, Roman Shterenzon wrote:
> On Sun, 8 Oct 2000, Crist J . Clark wrote:
>
> > On Sat, Oct 07, 2000 at 01:33:04PM -0400, Brian Reichert wrote:
> > > On Fri, Oct 06, 2000 at 10:57:37PM -0700, Craig Cowen wrote:
> > > > The big cheeses at work want to use Check Point instead of ipf or any
> > > > other open source solution.
> > > > Can anybody help me with vulnerabilities to this so that I can change
> > > > their minds?
> > >
> > > I found that Checkpoint 4.0 (this may have changed) doesn't do NAT
> > > right; it uses NAT across _all_ interfaces, instead of letting you
> > > pick one.
> >
> > Right, it determines whether to do NAT by source address, destination
> > address, and destination port. Actually, it is not possible to do
> > _anything_ per interface from the GUI. Wouldn't it be nice (and
> > wouldn't you expect a firewall to be able) to block anything not
> > destined for a small block of registered IPs at the external
> > interface? Well, you can't put a rule to do that in the GUI.
>
> That's rule 0 - it does antispoofing stuff.
> It's really simple. From the GUI.

It's only simple if you have only a LAN behind the box. If you've got
multiple, non-adjacent logical netblocks routed behind the box, it is
non-trivial to set up the "built-in" antispoofing.

> Now, does it have anything to do with FreeBSD-security?

Not much anymore, redirected to -chat if anyone still cares.
--
Crist J. Clark                                cjclark@alum.mit.edu
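As an added illustration (not part of the thread), this is what the per-interface rules discussed above look like in ipf: anti-spoofing on each interface for two non-adjacent internal netblocks, plus the "only our registered block may enter the external interface" rule. The interface names and all addresses are constructed for the example.

```ipf
# Assumed layout (constructed for this example, not from the thread):
#   fxp0 - external interface; our registered block is 203.0.113.0/28
#   fxp1 - internal; 10.1.0.0/24 is routed behind it
#   fxp2 - internal; 10.7.0.0/24 is routed behind it (not adjacent to fxp1's block)
# Rules are evaluated in order; "quick" stops at the first match.

# External interface: a packet arriving here can never legitimately carry
# an internal, private or loopback source address.
block in log quick on fxp0 from 10.0.0.0/8 to any
block in log quick on fxp0 from 172.16.0.0/12 to any
block in log quick on fxp0 from 192.168.0.0/16 to any
block in log quick on fxp0 from 127.0.0.0/8 to any

# ... and only traffic addressed to our registered block may enter at all.
block in log quick on fxp0 from any to ! 203.0.113.0/28

# Internal interfaces: only the netblock actually routed behind each
# interface may send packets through it; anything else is spoofed or misrouted.
pass in quick on fxp1 from 10.1.0.0/24 to any
block in log quick on fxp1 all
pass in quick on fxp2 from 10.7.0.0/24 to any
block in log quick on fxp2 all

# Per-service pass rules (with keep state) for the registered block follow here.
```

Because each rule is tied to an interface with "on", adding a third netblock behind a new interface is one pass/block pair, which is the per-interface control the thread says the FW-1 GUI does not expose.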