
[FW-1] Need help with static destination NAT on Linux



Folks,

I have FW-1 4.1 SP3 on Mandrake Linux with a supertweaked 2.2.X kernel
(all the unnecessary stuff removed, security patches applied). This
firewall serves as an external gateway. It has two interfaces: one
facing the public and one in a DMZ. I would like to establish static
destination NAT so that the public can access a web server that resides
in the DMZ. I have several valid, static IP addresses; one of which is
assigned to the external interface of the firewall and others that I
would like to use with static destination NAT.

My problem is that I have been unable to successfully implement this. I
have done this successfully with Solaris and NT but the same rules
established by Checkpoint (in their security courseware) do not apply to
Linux. For example: I have been unable to get the external interface
of the firewall to respond to an IP address other than its primary,
using the recommended arp implementation. I can set a new arp entry for
the new IP and existing MAC entry but Linux simply won't respond to arp
calls for it. Rather, I have to compile alias support into the kernel
and configure multihoming (eth0:0) to get the interface to respond to
other addresses. Also, the static routes that need to be set do not seem
to work properly and it's hard to determine where the breakdown is
occurring.

Regarding the FW-1 configuration, the static NAT rules and policies are
all set, per Checkpoint's step-by-step recommendations. I just can't
determine where the breakdown is occurring.

I can provide more detailed information if requested. If anyone has had
success with this configuration, please reply.

Thanks - IK




 
   All contents © 2004 Network Presence, LLC. All rights reserved.