From owner-freebsd-security Sat Oct 7 10:33:48 2000
Delivered-To: freebsd-security@freebsd.org
Received: from natto.numachi.com (natto.numachi.com [198.175.254.216]) by hub.freebsd.org (Postfix) with SMTP id D781337B503 for ; Sat, 7 Oct 2000 10:33:44 -0700 (PDT)
Received: (qmail 54923 invoked by uid 1001); 7 Oct 2000 17:33:04 -0000
Date: Sat, 7 Oct 2000 13:33:04 -0400
From: Brian Reichert
To: Craig Cowen
Cc: "freebsd-security@FreeBSD.ORG"
Subject: Re: Check Point FW-1
Message-ID: <20001007133304.B54883@numachi.com>
References: <39DEBB51.E51BACFB@allmaui.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <39DEBB51.E51BACFB@allmaui.com>; from craig@allmaui.com on Fri, Oct 06, 2000 at 10:57:37PM -0700
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Fri, Oct 06, 2000 at 10:57:37PM -0700, Craig Cowen wrote:
> The big cheeses at work want to use Check Point instead of ipf or any
> other open source solution.
> Can anybody help me with vulnerabilities to this so that I can change
> their minds?

I found that Checkpoint 4.0 (this may have changed) doesn't do NAT right;
it uses NAT across _all_ interfaces, instead of letting you pick one.

This means if you have two internal nets that are connected to the
firewall box, the traffic between them seems as if it's coming from the
public interface. This can confuse ACLs...

(You can, I suppose, Do the Right Thing, but their silly GUI tool imposes
a ton of work on you to accomplish it...)

> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message

-- 
Brian 'you Bastard' Reichert          37 Crystal Ave. #303
Daytime number: (603) 434-6842        Derry NH 03038-1713 USA
Intel architecture: the left-hand path
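The NAT behaviour Brian describes, modelled as an added example (editor's code, not part of the original message or of any Check Point or ipf software). The topology, interface names (fxp0 public, fxp1 and fxp2 internal), addresses (203.0.113.0/24, 10.1.0.0/24, 10.2.0.0/24, 198.51.100.9) and the ACL are all constructed for illustration, and the model assumes the ACL is evaluated on the translated addresses, as it would be on the receiving LAN. It contrasts source NAT scoped to the public egress interface (the `map fxp0 ...` style of ipnat) with source NAT applied on every interface, and shows why a rule written in terms of internal source networks stops matching under the latter.

```python
import ipaddress
from dataclasses import dataclass, replace

# Constructed topology (assumption, not from the original message): one public
# interface and two internal LANs attached to the same firewall.
PUBLIC_IF = "fxp0"
PUBLIC_IP = "203.0.113.10"
INTERFACES = {
    "fxp0": ipaddress.ip_network("203.0.113.0/24"),  # public side
    "fxp1": ipaddress.ip_network("10.1.0.0/24"),     # internal LAN 1
    "fxp2": ipaddress.ip_network("10.2.0.0/24"),     # internal LAN 2
}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str


def is_internal(addr: str) -> bool:
    """True if the address belongs to one of the directly attached internal LANs."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for name, net in INTERFACES.items() if name != PUBLIC_IF)


def egress_interface(dst: str) -> str:
    """Route lookup: a directly attached internal net wins, else the default route."""
    ip = ipaddress.ip_address(dst)
    for name, net in INTERFACES.items():
        if name != PUBLIC_IF and ip in net:
            return name
    return PUBLIC_IF


def nat_on_egress_only(pkt: Packet) -> Packet:
    """Interface-scoped source NAT: translate only when the packet leaves
    through the public interface. LAN-to-LAN traffic keeps its real source."""
    if is_internal(pkt.src) and egress_interface(pkt.dst) == PUBLIC_IF:
        return replace(pkt, src=PUBLIC_IP)
    return pkt


def nat_on_all_interfaces(pkt: Packet) -> Packet:
    """Source NAT applied regardless of egress interface, as the message
    describes: every internal source is rewritten, even between two LANs."""
    if is_internal(pkt.src):
        return replace(pkt, src=PUBLIC_IP)
    return pkt


# Constructed ACL: LAN 1 may talk to LAN 2; anything else between the LANs is blocked.
ACL = [
    (ipaddress.ip_network("10.1.0.0/24"), ipaddress.ip_network("10.2.0.0/24"), "pass"),
]


def acl_verdict(pkt: Packet) -> str:
    """First-match ACL evaluated on whatever addresses the packet carries now."""
    src, dst = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
    for allowed_src, allowed_dst, action in ACL:
        if src in allowed_src and dst in allowed_dst:
            return action
    return "block"


def verdict(nat, pkt: Packet) -> str:
    """Apply a NAT policy, then evaluate the ACL on the translated packet
    (assumption: the ACL sees post-translation addresses)."""
    return acl_verdict(nat(pkt))


if __name__ == "__main__":
    lan_to_lan = Packet("10.1.0.5", "10.2.0.7")
    lan_to_internet = Packet("10.1.0.5", "198.51.100.9")
    for label, nat in (("per-interface", nat_on_egress_only),
                       ("all-interfaces", nat_on_all_interfaces)):
        print(f"{label:15} LAN->LAN src={nat(lan_to_lan).src:13} acl={verdict(nat, lan_to_lan):5} "
              f"LAN->Internet src={nat(lan_to_internet).src}")
```

Under the per-interface policy the LAN 1 to LAN 2 packet reaches the ACL with its real 10.1.0.5 source and passes; under the all-interfaces policy it arrives as 203.0.113.10, matches no rule written for the internal nets, and is blocked. Traffic bound for the Internet is translated identically under both policies, which is why the difference is easy to miss until two internal nets are attached.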