The last place I worked at had 5 sites with T1 Internet access at three of
the sites.  The sites were also connected to each other with private lines.
I used default routes to get people back to the firewall at the appropriate
sites.  The nice thing about it is that if you use a Proxy that does not
handle ICMP (like MS's) your users can still ping or traceroute to Internet
hosts without realizing it is going directly out instead of through a proxy.
Your life will be much simpler if you do it this way and you will be secure
with everyone hidden behind one address.

> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]]On Behalf Of Martin, Kevin
> Sent: Wednesday, December 23, 1998 9:22 AM
> To: 'Joe Ippolito'; Martin, Kevin
> Cc: 'FW Digest'; 'fw-1-mailinglist'; 'Ming Lu'
> Subject: RE: Something I'd like to see in FW1.
>
>
> Don't talk about poor design unless you understand the full scope of the
> problem and the politics involved.  All of our inside routers DO share
> their routing tables:  does this mean that they should all know to
> default route anything that is not in the routing tables to the same
> router?  Are you saying that for our international sites they should
> have to use OUR firewall as their default route to the Internet?  The
> routing stuff was all done at a time when there was NO Internet access
> and, up until this time, there have been no reasons to set the firewall
> as the default router.  We are discussing these issues at this time but
> up until now the policy has been to NOT set the default route to the
> firewall.
>
> Kevin Martin
> Bank of America - CRT
> Firewall/Network Admin.
> [EMAIL PROTECTED]
>
>
> -----Original Message-----
> From: Joe Ippolito [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday, December 23, 1998 12:37 AM
> To: Martin, Kevin
> Cc: 'FW Digest'; 'fw-1-mailinglist'; 'Ming Lu'
> Subject: RE: Something I'd like to see in FW1.
>
>
> I beg to differ with your difference.  All inside routers should be
> allowed to share their routing tables with each other using EIGRP, OSPF
> or some other modern routing protocol with a default route to the inside
> of the firewall.  That is as far as any internal routing information
> should travel.
> With the hide translation no outside host should have access to anything
> on your internal network - routing information, DNS, etc, etc.  All hosts
> that require outside hosts to initiate communication with them should be
> placed on a separate firewalled network commonly referred to as a "DMZ".
> The internal hosts can have full access to DMZ hosts but DMZ hosts should
> not be allowed to initiate anything with internal hosts.  After all, how
> much does one more network interface cost?
>
> Just do it right and you won't have to worry about Check Point or any
> other firewall vendor compensating for your poor design.
>
> > -----Original Message-----
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED]]On Behalf Of Martin, Kevin
> > Sent: Monday, December 21, 1998 8:14 AM
> > To: 'Ming Lu'
> > Cc: 'FW Digest'; 'fw-1-mailinglist'
> > Subject: RE: Something I'd like to see in FW1.
> >
> >
> > Ming,
> >
> > I beg to differ.  I see no reason that a company w/ 100's ( possibly
> > 1000's ) of routers w/in a network should be REQUIRED to use the
> > firewall as their default route and then have to maintain a bunch of
> > static routes!  It would be so much easier to correct the firewall
> > s'ware than to maintain the routing tables on all of these routers.
> > I'm sure that any big customers ( and many smaller customers ) of
> > Checkpoint would agree.
> >
> > Kevin Martin
> > Bank of America - CRT
> > Firewall/Network Admin.
> > [EMAIL PROTECTED]
> >
> >
> > -----Original Message-----
> > From: Ming Lu [mailto:[EMAIL PROTECTED]]
> > Sent: Sunday, December 20, 1998 8:27 PM
> > To: Martin, Kevin
> > Cc: 'FW Digest'; 'fw-1-mailinglist'
> > Subject: Re: Something I'd like to see in FW1.
> >
> >
> >
> > It has nothing to do with FW1! It is a routing problem.  Get your routing
> > problem resolved (on the FW box) and you will be fine.
> >
> > _ming
> >
> > On Thu, 17 Dec 1998, Martin, Kevin stated:
> >
> > > [To unsubscribe, send mail to [EMAIL PROTECTED] with
> > > "unsubscribe firewalls" in the body of the message.]
> > > -
> > > Don't know if anyone else has this issue, but here goes and here's a
> > > very short wish list.
> > >
> > > Because of the way that we do our networking, we don't set up our
> > > internal routers to default to the FW1 firewall.  As such, we've run
> > > into the problem where we've got http(s) servers inside the firewall
> > > that need to be accessible from the Internet.  This leads to a pretty
> > > serious problem involving routing and having to Address Translate the
> > > Internet coming in.  We've set up a BUNCH of objects to represent the
> > > Internet and are, thus far, having reasonable success with it.  We
> > > have, however, run into some problems where we neglected to split out
> > > the Internet objects far enough and have run into some overlaps.  This
> > > is our problem and now, here's what I would like to see Checkpoint do:
> > >
> > > Just as they've given us the ability in our rule set to NEGATE an
> > > object ( thus allowing us to say : Source - NOT "Internal networks"
> > > Dest: any blah blah blah ) they should give us the same ability to
> > > negate in the Address Translation rules ( thus allowing us to translate
> > > any NOT INTERNAL NETWORKS coming in to the inside behind a HIDE
> > > translation ).
> > > What are all of your thoughts on this?
> > >
> > >   Oh, one other thing that I'd like to see:  show not only the rule
> > > that allows/drops/etc. a packet but, if there's ANY translation, show
> > > the rule that did the translation as well in the logs.
> > >
> > > Kevin Martin
> > > NationsBanc - CRT
> > > SMTP Postmaster/DNS/FIREWALL/UNIX/NT System Admin.
> > > [EMAIL PROTECTED]
> > >
> >
> >
> > ============================================================================
> > Ming Lu                                      Email: [EMAIL PROTECTED]
> > Sr. Network Engineer                         Phone: 703-689-5290 (w)
> > IP Engineering                                      703-855-4194 (m)
> > Global One Telecommunications, LLT.                 703-689-6575 (f)
> >
> > ============================================================================
> > "Do not pay attention to every word people say, or you may hear your
> >  servant cursing you ---- for you know in your heart that many times
> >  you yourself have cursed others."

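The thread's sticking point is expressing "anything NOT internal" in an Address Translation rule by enumerating objects for the Internet. As an added example (not from any poster, and not Check Point's own tooling), this Python script computes that enumeration as the complement of a constructed set of internal networks, checks it for the kind of overlaps Kevin ran into, and compares it against a negated-object match:

```python
import ipaddress
from typing import Iterable, List

# Constructed sample "internal networks" object for this example (not from the thread).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def complement(nets: Iterable[ipaddress.IPv4Network],
               universe: ipaddress.IPv4Network = ipaddress.ip_network("0.0.0.0/0")
               ) -> List[ipaddress.IPv4Network]:
    """Return disjoint CIDR blocks covering everything in `universe` that lies
    outside every net in `nets`: the explicit "Internet" object list a NAT rule
    has to enumerate when it cannot say NOT 'internal networks'."""
    remaining = [universe]
    for net in sorted(nets):
        kept = []
        for block in remaining:
            if net.subnet_of(block):
                # carve the internal net out; address_exclude yields the pieces
                kept.extend(block.address_exclude(net))
            elif not block.subnet_of(net):
                kept.append(block)  # a block fully inside an internal net is dropped
        remaining = kept
    return sorted(ipaddress.collapse_addresses(remaining))


def is_clean_partition(internet, internal) -> bool:
    """True when no 'Internet' object overlaps an internal net (the overlap
    problem from the thread) and the two lists together cover all of IPv4."""
    if any(a.overlaps(b) for a in internet for b in internal):
        return False
    covered = sum(n.num_addresses for n in list(internet) + list(internal))
    return covered == 2 ** 32


def not_internal(addr: str) -> bool:
    """Negated-object semantics: Source NOT 'internal networks'."""
    ip = ipaddress.ip_address(addr)
    return not any(ip in n for n in INTERNAL_NETS)


def in_internet_objects(addr: str, internet) -> bool:
    """Enumerated-object semantics: Source matches one of the 'Internet' objects."""
    ip = ipaddress.ip_address(addr)
    return any(ip in n for n in internet)


def build_internet_objects() -> List[ipaddress.IPv4Network]:
    return complement(INTERNAL_NETS)


if __name__ == "__main__":
    objs = build_internet_objects()
    print(len(objs), "objects needed to express NOT internal:", *objs, sep="\n  ")
    print("clean partition:", is_clean_partition(objs, INTERNAL_NETS))
```

Three internal prefixes already expand to 31 Internet objects, which is why hand-maintained object lists drift into overlaps while a single negated object cannot.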