<rant>
CVP is a born-broken protocol, one that seems nice on paper but appears unusable after some thinking...

I also do not understand why the FW uses its own address to forward the message instead of using the original one, which would be more coherent with the transparent IP filtering approach. Is it that hard to dynamically add a NAT rule, send the message, then delete the rule?
<tnar>

For SMTP, the right approach is a mail relay that supports anti-virus checking (I think MIMEsweeper takes this approach).

For anti-relay, this should be done soon enough. Once a message is in your network, it's hard to decide on the correct rules.

Now that you're in, try to make the FW address "untrusted" to your final MTA, so that it refuses to relay messages coming from it.

regards,

mouss
At 09:04 10/10/00 -0600, Einhorn, Drew wrote:
>My boss recently hired some folks to come in and upgrade our Checkpoint FW-1
>system to 4.1, including migration from an x86 Solaris box to NT 4.0, with
>expanded licensing; they also added a box running Norton Antivirus for
>Firewalls 1.5.
>
>Since then I have been attempting to repair the damage they did.
>
>Our remaining problems:
>
>     The installation broke our configuration to prevent our systems from
>being used as a SPAM relay.  We were abused; lots of SPAM was forwarded
>through our systems.
>
>     Something is choking on moderate sized attachments.  The limit appears
>to be somewhere between 500KB and 1MB.
>
>If we disable the rule that diverts incoming smtp traffic and sends it to
>the NAV box, everything works just fine.  Except we don't scan the incoming
>mail for viruses.
>
>I believe both problems are being caused by the mail proxy that Checkpoint
>installs on the Firewall-1 box when traffic is diverted to NAV.
>
>The limit on attachment size could be the NAV box.  It's hard to tell which
>box is causing the problem.
>
>After the NAV box checks the mail for malicious attachments it returns the
>message to the firewall, and the firewall sends the message on its way to the
>"normal" internal mail server.  But the IP source address for the SMTP
>packets is now the IP address of the firewall internal interface.  It is no
>longer the IP address of the external mail server.  This breaks the antispam
>configuration of the internal mail server.
>
>Has anyone gotten Checkpoint FW-1 to successfully work with an external mail
>virus checker?
>
>My boss wants to switch from Norton to McAfee, but I think it's a Checkpoint
>problem, that probably won't go away.

-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
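To make concrete the relay problem Drew describes and the two remedies mouss mentions (preserve the original source address at the firewall, or stop trusting the firewall's address at the final MTA), here is an added toy model of an internal MTA's relay decision. It is example code written for this page, not part of either message and not the configuration of any real MTA; the addresses, the internal network 10.0.0.0/24, the firewall interface 10.0.0.1, the local domain example.com and the client cases are all constructed for the illustration.

```python
import ipaddress

# Constructed sample topology (assumption, not from the thread): the
# internal network, the firewall's internal interface, and our mail domain.
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/24")
FW_INTERNAL_IP = ipaddress.ip_address("10.0.0.1")
LOCAL_DOMAINS = {"example.com"}


def should_relay(client_ip, rcpt, trusted_nets, local_domains=LOCAL_DOMAINS):
    """Decide whether the MTA accepts RCPT TO:<rcpt> from client_ip.

    Classic anti-relay policy: always accept mail addressed to one of our
    own domains; accept mail for foreign domains (i.e. relay it) only when
    the SMTP client sits inside a trusted network.
    """
    domain = rcpt.rpartition("@")[2].lower()
    if domain in local_domains:
        return True
    ip = ipaddress.ip_address(client_ip)
    return any(ip in net for net in trusted_nets)


def simulate(trusted_nets):
    """Run the clients the internal MTA sees in Drew's setup through the
    policy and return {case name: accepted?}.  Constructed cases."""
    cases = {
        # Internal user sending outbound mail: must be relayed.
        "internal_user_outbound": ("10.0.0.42", "friend@elsewhere.example"),
        # External mail for a local mailbox, delivered by the firewall after
        # the NAV scan, so the source is the FW's internal interface.
        "external_inbound_via_fw": (str(FW_INTERNAL_IP), "alice@example.com"),
        # A spammer's relay attempt, also arriving with the FW's address
        # as source: must be refused.
        "spam_relay_via_fw": (str(FW_INTERNAL_IP), "victim@elsewhere.example"),
        # The same spam attempt as it would look if the firewall had kept
        # the original external source address (mouss's NAT suggestion).
        "spam_relay_original_source": ("203.0.113.5", "victim@elsewhere.example"),
    }
    return {name: should_relay(ip, rcpt, trusted_nets)
            for name, (ip, rcpt) in cases.items()}


# The broken configuration: the whole internal network is trusted, and the
# firewall's internal interface is part of it, so everything the firewall
# hands over after the virus scan looks like internal mail and is relayed.
BROKEN_TRUST = [INTERNAL_NET]

# mouss's fix: carve the firewall's address out of the trusted networks so
# mail handed over by the FW is treated like any other external client.
FIXED_TRUST = list(INTERNAL_NET.address_exclude(
    ipaddress.ip_network(f"{FW_INTERNAL_IP}/32")))


if __name__ == "__main__":
    for label, nets in (("broken", BROKEN_TRUST), ("fixed", FIXED_TRUST)):
        print(label)
        for case, accepted in simulate(nets).items():
            print(f"  {case:28s} {'accept' if accepted else 'REJECT'}")
```

With `BROKEN_TRUST` the `spam_relay_via_fw` case is accepted, which is exactly the open relay Drew was abused through; with `FIXED_TRUST` it is refused while inbound mail for example.com and outbound mail from real internal hosts still pass. The `spam_relay_original_source` case is refused even under the broken trust list, which is why keeping the original source address at the firewall would have avoided the problem in the first place. The remaining caveat, per mouss's point about doing anti-relay early: this only helps if the firewall's own SMTP proxy and the NAV box are not themselves willing to relay to arbitrary destinations before the mail ever reaches the final MTA.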
