Firewall Wizards mailing list archives
Re: FW1 nat/arp problems
From: cbrenton <cbrenton () sover net>
Date: Wed, 10 Feb 1999 15:39:15 -0500 (EST)
On Wed, 10 Feb 1999, Dennis Edmonds wrote:
> I have gone through this particular FW1 setup several times myself, and had a CheckPoint support technician go over the setup as well. I am positive (as much as anyone can be anyway) that the rules, local.arp (yes, it is a WinNT box,)
local.arp, in a word, sucks. It's not Checkpoint's fault. They are doing their best to work around the deficiencies of the base OS (ARP _is_ a layer two thing after all). With that said, try doing a:

fw tab

This will dump a bunch of hex info, a portion of which should be all your local.arp entries. If they are not there, FW-1 does not know enough to respond to the ARP request. You can check out:

http://www.geek-speak.net

for some help with dealing with ARP issues.
> The only unique thing about this network is that the public and private networks are divided by using VLANS on a Bay Networks switch.
This should not affect the above config as you are responding with a valid MAC address which is seen by the switch. My only caution here however is that you could be leaving your network open to attack. Switch vendors are still coming up to speed on security related issues and many are still vulnerable to a number of DoS attacks. I've also seen one person use fragmented UDP traffic (no I will not tell you how, use your imagination ;) to trick the switch into thinking traffic was originating from another VLAN thus allowing the attacker to generate a console session. If an attacker can get to your switch, your firewall is completely useless.

Good luck,
Chris

--
**************************************
cbrenton () sover net
* Multiprotocol Network Design & Troubleshooting
http://www.amazon.com/exec/obidos/ASIN/0782120822/geekspeaknet
* Mastering Network Security
http://www.amazon.com/exec/obidos/ASIN/0782123430/geekspeaknet
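An added sanity check for the local.arp side of the problem discussed above (my own example, not code from the thread or from Check Point): it parses the file, flags malformed, duplicate or oddly formatted entries, and lists public IPs that are not mapped to the firewall's external NIC, since FW-1 can only answer ARP for addresses tied to its own interface MAC. It assumes local.arp holds one 'IP MAC' pair per line with '#' comments; the sample file and addresses are constructed.

```python
"""Sanity-check a Check Point FW-1 local.arp (assumed format: one 'IP MAC'
per line, '#' comments, MAC as 00-50-04-aa-bb-cc or 00:50:04:aa:bb:cc)."""
import ipaddress
import re

MAC_RE = re.compile(r"^[0-9a-f]{2}([-:][0-9a-f]{2}){5}$", re.I)

def norm_mac(mac):
    """Lowercase, colon-separated MAC, or None if malformed."""
    mac = mac.strip()
    return mac.lower().replace("-", ":") if MAC_RE.match(mac) else None

def parse_local_arp(text):
    """Return ({ip: mac}, [problems]) for the contents of a local.arp file."""
    entries, problems = {}, []
    for n, raw in enumerate(text.splitlines(), 1):
        parts = raw.split("#", 1)[0].split()    # drop comments and blanks
        if not parts:
            continue
        try:
            ip, mac = parts                       # ValueError unless 2 fields
            ip = str(ipaddress.IPv4Address(ip))   # ValueError if malformed
        except ValueError:
            problems.append(f"line {n}: bad 'IP MAC' pair {raw.strip()!r}")
            continue
        nmac = norm_mac(mac)
        if nmac is None:
            problems.append(f"line {n}: bad MAC {mac!r}")
        elif ip in entries:
            problems.append(f"line {n}: duplicate entry for {ip}")
        else:
            entries[ip] = nmac
    return entries, problems

def mismatched(entries, ext_mac):
    """IPs not mapped to the firewall's own external NIC: nobody will answer
    ARP for them, so the NAT'd hosts are unreachable from outside."""
    want = norm_mac(ext_mac)
    return sorted(ip for ip, mac in entries.items() if mac != want)

SAMPLE = """\
# constructed sample: public NAT addresses -> firewall external NIC
203.0.113.10 00-50-04-AA-BB-CC
203.0.113.11 00:50:04:aa:bb:cc   # same NIC, colon style
203.0.113.12 00-50-04-11-22-33   # some other NIC
203.0.113.10 00-50-04-AA-BB-CC   # duplicate
203.0.113.999 00-50-04-AA-BB-CC
203.0.113.13 0050.04aa.bbcc
"""
```

Run `parse_local_arp(SAMPLE)` and `mismatched(entries, "<external NIC MAC>")` against the real file; anything reported is an entry FW-1 will not answer ARP for, whatever `fw tab` shows.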