Firewall Wizards mailing list archives

Re: Inbound NAT with FW-1


From: "TC Wolsey" <twolsey () realtech com>
Date: Mon, 17 Jan 2000 12:11:30 -0500

Todd Mera <tmera () pacbell net> 01/14/00 10:39AM >>>
I have a checkpoint firewall (FW-1 v4.0) running on NT4 with service pack 4.
I setup the persistent routes and the network objects on the internal and
external side of my network.  I am trying to get the firewall to reroute
(remap) mail and web traffic to my internal machines.  The internal network
objects have NAT selected.  My users can get out but no mail comes in even
after setting up the rules.  What's up?

Rupert the Monkey Boy

I ran into this one the other day myself. If the FW-1 docs are to be trusted (hint: they aren't) then you should not 
have to define an object with the external address of the mail and web server and add it to the list of valid addresses 
for the mail/web interfaces. (At least when you use the automatic NAT features). My experience is that sometimes you 
do, sometimes you do not. Capture the traffic on the outside interface and see if you get TCP RSTs for the traffic 
inbound to the mail/web servers. If you do (policy permitting) disable anti-spoofing on the FW-1 object interfaces and 
see if the problem disappears. If so, you have banged your head against the same wall that I did recently. If not, 
sorry for wasting your time. 

The most disturbing part of all this is that while I had the action set to log in the anti-spoofing property page I 
never saw a Rule 0 log entry for the RST connections. Anybody know if anti-spoofing is logged/alerted when the packet 
is actually picked up off the wire but not when the packet is switched between interfaces? I do not think that this 
behavior would allow scanning of inside addresses without logging (at least not without significant inside knowledge) 
but I have not really thought about all the implications of this. 

A question for the list while I am on the subject of FW-1. Does anybody know why the 'Allow outbound connections' 
property has to be set on FW-1/NT for the fw to pass any traffic? In my experience this property has the advertised 
effect on the Solaris platform but will stop all traffic dead in the water if not enabled on the NT platform. (With no 
logging, ICMP or TCP notification - just a gaping black hole) Does the fw module handle all IP forwarding through 
itself (which allows the control of forwarding) and forwarded packets are seen by the fw module as sourced by the local 
machine? That is the only behavior that I can think of that makes sense in light of what my experience with FW-1 has 
been. 

Regards,

--tcw
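The diagnostic step in the reply above (capture on the outside interface and look for TCP RSTs answering inbound connections to the NAT addresses of the mail and web servers) is easy to do by eye for a handful of packets and tedious for a busy link. The script below is an added example, not code from the original post or from Check Point: it pairs inbound SYNs to a set of published addresses with the replies those SYNs receive in tcpdump-style text output and reports, per published address and port, how many attempts were reset, completed the handshake, or got no reply at all. The published addresses 192.0.2.25 and 192.0.2.80 and the capture lines are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed tcpdump-style text output (not a real capture from the post).
# Three inbound connection attempts to the published (NAT) addresses of a
# mail server and a web server: the first is reset, the second completes
# the handshake, the third gets no reply at all.
SAMPLE_CAPTURE = """\
12:00:01.000001 IP 198.51.100.7.40000 > 192.0.2.25.25: Flags [S], seq 1000, win 65535, length 0
12:00:01.000201 IP 192.0.2.25.25 > 198.51.100.7.40000: Flags [R.], seq 0, ack 1001, win 0, length 0
12:00:02.000001 IP 198.51.100.8.40001 > 192.0.2.80.80: Flags [S], seq 2000, win 65535, length 0
12:00:02.000301 IP 192.0.2.80.80 > 198.51.100.8.40001: Flags [S.], seq 5000, ack 2001, win 65535, length 0
12:00:02.000401 IP 198.51.100.8.40001 > 192.0.2.80.80: Flags [.], ack 5001, win 65535, length 0
12:00:03.000001 IP 198.51.100.9.40002 > 192.0.2.25.25: Flags [S], seq 3000, win 65535, length 0
"""

# Assumed external (NAT) addresses of the mail and web servers; constructed.
PUBLISHED = {"192.0.2.25", "192.0.2.80"}

# Matches the head of a tcpdump TCP line: timestamp, src.port > dst.port, flags.
LINE_RE = re.compile(
    r"^\S+ IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)


def parse_line(line):
    """Return (src, sport, dst, dport, flags) or None for non-matching lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return (m["src"], int(m["sport"]), m["dst"], int(m["dport"]), m["flags"])


def classify_inbound(capture_text, published):
    """Map every inbound SYN to a published address to a verdict.

    Key: (client, client_port, server, server_port).
    Verdict: 'reset' (RST came back), 'accepted' (SYN-ACK came back),
    or 'no_reply' (nothing came back in the capture).
    """
    verdicts = {}
    for line in capture_text.splitlines():
        pkt = parse_line(line)
        if pkt is None:
            continue
        src, sport, dst, dport, flags = pkt
        # A bare SYN (no ACK) to a published address opens a new attempt.
        # setdefault keeps an earlier verdict if the client retransmits.
        if dst in published and "S" in flags and "." not in flags:
            verdicts.setdefault((src, sport, dst, dport), "no_reply")
            continue
        # A packet from the published address back to a client we track.
        key = (dst, dport, src, sport)
        if src in published and key in verdicts:
            if "R" in flags:
                verdicts[key] = "reset"
            elif "S" in flags and "." in flags:
                verdicts[key] = "accepted"
    return verdicts


def summarize(verdicts):
    """Count verdicts per (server, port) so a reset pattern stands out."""
    summary = defaultdict(lambda: {"reset": 0, "accepted": 0, "no_reply": 0})
    for (_client, _cport, server, port), verdict in verdicts.items():
        summary[(server, port)][verdict] += 1
    return dict(summary)


if __name__ == "__main__":
    report = summarize(classify_inbound(SAMPLE_CAPTURE, PUBLISHED))
    for (server, port), counts in sorted(report.items()):
        print(f"{server}:{port}  {counts}")
```

Feed it `tcpdump -nn -i <outside> 'tcp and (dst host 192.0.2.25 or dst host 192.0.2.80)'` output for the addresses you actually publish. A published port that shows only "reset" while the same capture shows "accepted" elsewhere is the symptom the reply describes; "no_reply" across the board points at the packets never reaching the wire (a routing or anti-spoofing drop) rather than at a reset.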


