Firewall Wizards mailing list archives

fw-1 general & VPN questions


From: AC <ac0 () io com>
Date: Sun, 19 Apr 1998 23:34:43 -0500 (CDT)

Hi folks,

        Currently I am involved in a project which requires that
I set up a central fw-1 mgmt station, to manage 2 fw-1 (on 
solaris 2.5.1) boxen via an encrypted VPN over the internet.
I also intend to do some "out-of-band" mgmt with a dialin
modem on the serial console of the two sun boxes (yes, yes,
wardialers I know). However, this is what the customer wants,
and I have no say-so, so I need to simply get it set up.

A couple general questions about fw-1:

1) Does fw-1 actually *break* the client/server model? Application
   gateways like FWTK actually will generate an entirely new packet
   from the OS IP stack to to handle communication between 
   clients and & external servers. This is a more secure setup,
   IMHO. So, does fw-1 actually *forward* IP packets to 
   internal clients after checking its ruleset? Can I turn this
   off i.e. (ndd /dev/ip stuff?) and the fw-1 still work?

2) Does fw-1 handle fragmented packets correctly? i.e. does it
   handle the reassembly or does the OS IP stack?

3) Concerning NAT: client has a T1 to Net, fw-1-A, and also
   a private point-to-point T1 connection to another company,
   with fw-1-B sitting there. Both fw-1s are doing NAT. 
   Now if an internal client has his default route pointing
   to the internal interface of the fw-1-A, and he wants to
   talk to somebody on the Net, packet hits fw-1-A, internal
   IP gets translated, and out it goes. BUT, if that same
   client wants to talk to a machine on the other side of
   fw-1-B, he cannot, as his IP has been translated to an 
   external (public) address, and can't get back in. So
   I have been forced to segregate clients who can talk
   to the internet via fw-1-A, and clients that can 
   talk to other_company via fw-1-B. Is there any way to
   solve this problem nicely? By putting in appropriate
   routes, I think I can get this to work, but the fw-1-A will
   be putting this packet out on the wire twice, and
   I have to turn on ip forwarding. 

Ok, now a couple VPN-specific questions:

1) I am going to use DES instead of the proprietary FWZ 
   encryption for the fw-1->fw-1 connection. Any patches 
   or anything I need to know about? Also the licenses
   that I require to make this whole VPN setup work 
   are extremely confusing, checkpoint is as bad as 
   microsoft, nickel and diming you the whole way.
   If anybody knows what licenses I need on the central
   mgmt station, as well as the managed firewalls, I'd
   appreciate it.

2) Which TCP/UDP ports do the "firewall control connections"
   use?
        a) If this is a known port or range of ports, is it
           not possible to launch a denial-of-service 
           against a fw-1 being managed by a VPN over the
           Internet? i.e. simply flood those ports on 
           fw-1, and boom, the mgmt station can't talk to
           the firewall it's trying to manage.
        b) On the 2 fw-1s to be managed, I am being forced
           to use the GUI interface, as I don't get INSPECT
           yet. Now if I check the box "enable firewall-1
           control connections" how/where do I specify
           a list of IPs to accept control connections
           from? or do I install a new rule in the rulebase
           for this? I certainly hope that Joe Random
           Hacker can't manage my firewalls remotely!

Thank you for your time and any light you can shed is
greatly appreciated. If you are in NYC, I'll owe you 
a brew ;)

--Anindya
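Question 2 above asks whether the firewall or the OS stack reassembles fragments. The security-relevant point is that a packet filter which matches on TCP ports and flags can only do so reliably if it sees the whole transport header, so a fragment-aware filter has to collect fragments and refuse the shapes it cannot inspect. The following is an added example written for this thread, not code from the original post and not Check Point's or anyone else's product code: a small IPv4 fragment reassembler in Python that rejects a first fragment too short to carry the TCP header, a fragment at offset 1 (the RFC 1858 rule), and overlapping fragments, and hands back the reassembled datagram otherwise. The addresses, identification values and the TCP header contents are constructed for the demonstration; the packet builder writes a 20-byte header with no options and leaves the checksum zero.

```python
import socket
import struct

IP_MF = 0x2000            # "more fragments" flag in the flags/fragment-offset field
TCP = 6
# A first fragment must carry at least this many transport bytes so that a
# port-based rule can see the TCP ports and flags (threshold from RFC 1858).
MIN_FIRST_TRANSPORT = 16


def build_fragment(src, dst, ident, offset_units, more, payload, proto=TCP):
    """Build a minimal IPv4 packet (20-byte header, no options, checksum left 0).
    offset_units is the fragment offset in 8-byte units, as carried on the wire."""
    flags_off = (IP_MF if more else 0) | (offset_units & 0x1FFF)
    header = struct.pack("!BBHHHBBH4s4s",
                         0x45, 0, 20 + len(payload), ident, flags_off,
                         64, proto, 0,
                         socket.inet_aton(src), socket.inet_aton(dst))
    return header + payload


def parse_fragment(pkt):
    """Return the fields the reassembler needs from a raw IPv4 packet."""
    (vihl, _tos, total_len, ident, flags_off, _ttl, proto, _csum,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (vihl & 0x0F) * 4
    return {
        "key": (src, dst, ident, proto),
        "proto": proto,
        "more": bool(flags_off & IP_MF),
        "offset": (flags_off & 0x1FFF) * 8,      # byte offset of this fragment
        "payload": pkt[ihl:total_len],
    }


class Reassembler:
    """Collect fragments per datagram; refuse the shapes a filter cannot inspect safely."""

    def __init__(self):
        self.pending = {}   # key -> {"parts": {offset: payload}, "total": int or None}

    def add(self, pkt):
        """Feed one fragment. Returns (verdict, datagram); datagram is the
        reassembled payload once complete and None otherwise."""
        f = parse_fragment(pkt)
        key, off, data = f["key"], f["offset"], f["payload"]

        # RFC 1858: an offset of exactly 8 means the first fragment carried only
        # 8 transport bytes, so the TCP flags could not have been inspected.
        if off == 8:
            self.pending.pop(key, None)
            return ("drop: fragment offset 1", None)
        # Tiny first fragment: not enough of the TCP header for a rule to inspect.
        if off == 0 and f["more"] and f["proto"] == TCP and len(data) < MIN_FIRST_TRANSPORT:
            self.pending.pop(key, None)
            return ("drop: tiny first fragment", None)

        entry = self.pending.setdefault(key, {"parts": {}, "total": None})
        # Overlapping fragments are discarded together with the whole datagram.
        for held_off, held in entry["parts"].items():
            if off < held_off + len(held) and held_off < off + len(data):
                del self.pending[key]
                return ("drop: overlapping fragment", None)
        entry["parts"][off] = data
        if not f["more"]:
            entry["total"] = off + len(data)

        # Complete when the last fragment is known and the parts tile [0, total).
        if entry["total"] is not None:
            pos = 0
            for o in sorted(entry["parts"]):
                if o != pos:
                    break
                pos += len(entry["parts"][o])
            if pos == entry["total"]:
                datagram = b"".join(entry["parts"][o] for o in sorted(entry["parts"]))
                del self.pending[key]
                return ("complete", datagram)
        return ("fragment", None)


def run_cases():
    """Constructed fragments: a benign split, a tiny-fragment pair, and an overlap."""
    src, dst = "192.0.2.10", "198.51.100.20"   # constructed documentation addresses
    # Constructed 20-byte TCP header (sport 40000, dport 23, SYN) plus 20 data bytes.
    tcp = struct.pack("!HHIIBBHHH", 40000, 23, 1, 0, 5 << 4, 0x02, 8192, 0, 0)
    datagram = tcp + b"A" * 20
    results = {}

    r = Reassembler()                               # ordinary two-piece split
    r.add(build_fragment(src, dst, 1, 0, True, datagram[:24]))
    results["benign"] = r.add(build_fragment(src, dst, 1, 3, False, datagram[24:]))

    r = Reassembler()                               # 8-byte first piece, rest at offset 1
    results["tiny_first"] = r.add(build_fragment(src, dst, 2, 0, True, datagram[:8]))
    results["offset_one"] = r.add(build_fragment(src, dst, 2, 1, False, datagram[8:]))

    r = Reassembler()                               # second piece overlaps the first
    r.add(build_fragment(src, dst, 3, 0, True, datagram[:24]))
    results["overlap"] = r.add(build_fragment(src, dst, 3, 2, False, datagram[16:]))
    return results


if __name__ == "__main__":
    for name, (verdict, data) in run_cases().items():
        print(f"{name:12s} {verdict}" + (f" ({len(data)} bytes)" if data else ""))
```

The reassembler keys state on source, destination, identification and protocol, as the IP layer does, and only reports a datagram complete once the held pieces tile the full length, so a filter built on it can apply its port and flag rules to the reassembled header rather than to whatever the first fragment happened to contain.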
