[FW-1] Need help with static destination NAT on Linux
Folks,

I have FW-1 4.1 SP3 on Mandrake Linux with a supertweaked 2.2.X kernel (all the unnecessary stuff removed, security patches applied). This firewall serves as an external gateway. It has two interfaces: one facing the public and one in a DMZ. I would like to establish static destination NAT so that the public can access a web server that resides in the DMZ. I have several valid, static IP addresses, one of which is assigned to the external interface of the firewall and others that I would like to use with static destination NAT.

My problem is that I have been unable to successfully implement this. I have done this successfully with Solaris and NT, but the same rules established by Checkpoint (in their security courseware) do not apply to Linux. For example: I have been unable to get the external interface of the firewall to respond to an IP address other than its primary, using the recommended arp implementation. I can set a new arp entry for the new IP and existing MAC entry, but Linux simply won't respond to arp calls for it. Rather, I have to compile alias support into the kernel and configure multihoming (eth0:0) to get the interface to respond to other addresses. Also, the static routes that need to be set do not seem to work properly, and it's hard to determine where the breakdown is occurring.

Regarding the FW-1 configuration, the static NAT rules and policies are all set, per Checkpoint's step-by-step recommendations. I just can't determine where the breakdown is occurring. I can provide more detailed information if requested. If anyone has had success with this configuration, please reply.

Thanks - IK