I prefer SonicWALL over NetScreen. SonicWALL is a little more expensive, but the GUI interface and the remote capability for managing multiple SonicWALLs abroad using SonicWALL's Global Management Software make it a breeze to manage, update patches, update virus definitions, and set up VPN tunnels. This of course is only my opinion, even though we are mostly a Cisco shop but have about 45 SonicWALLs out there and only 1 NetScreen.
Mark Bombara
Vice President of Information Technology
CyBerJazSM
Email: <mailto:[EMAIL PROTECTED]>
(724) 857-8083 Phone
(412) 922-2000 Phone
(724) 857-8093 Fax
<http://www.cyberjaz.net>
Internet, Network and eBusiness Solutions
Microsoft, Cisco and Citrix Technology Specialists

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Saturday, March 02, 2002 3:01 PM
To: [EMAIL PROTECTED]
Subject: Firewalls digest, Vol 1 #569 - 5 msgs

Send Firewalls mailing list submissions to
	[EMAIL PROTECTED]

To subscribe or unsubscribe via the World Wide Web, visit
	http://lists.gnac.net/mailman/listinfo/firewalls
or, via email, send a message with subject or body 'help' to
	[EMAIL PROTECTED]

You can reach the person managing the list at
	[EMAIL PROTECTED]

When replying, please edit your Subject line so it is more specific
than "Re: Contents of Firewalls digest..."

Today's Topics:

   1. RE: Why netscreen instead of say sonicwall (Hudson Delbert J Contr 61 CS/SCBN)
   2. RE: Why netscreen instead of say sonicwall (Hudson Delbert J Contr 61 CS/SCBN)
   3. Re: Your Message Sent on Fri, 1 Mar 2002 11:44:07 -0800 (Valerie Anne Bubb)
   4. Re: Your Message Sent on Fri, 1 Mar 2002 11:44:07 -0800 (Gary Ferrer)
   5. Re: issues with pf (Daniel Hartmeier)

--__--__--

Message: 1
From: Hudson Delbert J Contr 61 CS/SCBN <[EMAIL PROTECTED]>
To: "'Ben Keeley'" <[EMAIL PROTECTED]>, [EMAIL PROTECTED]
Subject: RE: Why netscreen instead of say sonicwall
Date: Fri, 1 Mar 2002 12:49:47 -0800

I certainly can't.

-----Original Message-----
From: Ben Keeley [mailto:[EMAIL PROTECTED]]
Sent: Friday, March 01, 2002 4:27 AM
To: [EMAIL PROTECTED]
Subject: Why netscreen instead of say sonicwall

Hi,

Just a quick question... I've been reading the board for a number of months, and I've noticed that NetScreen seems to be recommended above, say, SonicWALL or WatchGuard. Could somebody explain why NetScreen is that much better?
Thank you

_______________________________________________
Firewalls mailing list
[EMAIL PROTECTED]
http://lists.gnac.net/mailman/listinfo/firewalls

--__--__--

Message: 2
From: Hudson Delbert J Contr 61 CS/SCBN <[EMAIL PROTECTED]>
To: "'Clark, Steve'" <[EMAIL PROTECTED]>, "'[EMAIL PROTECTED]'" <[EMAIL PROTECTED]>
Subject: RE: Why netscreen instead of say sonicwall
Date: Fri, 1 Mar 2002 12:49:17 -0800

you mean crash and burn sonic wall...spurious reboots...
okay, if you say so...

piranha...

-----Original Message-----
From: Clark, Steve [mailto:[EMAIL PROTECTED]]
Sent: Friday, March 01, 2002 5:34 AM
To: '[EMAIL PROTECTED]'
Subject: RE: Why netscreen instead of say sonicwall

I don't think you pay more for the name. Some people really like the SonicWALL - I have heard on other lists that they wish the other vendors would use their interface. Go figure :)

Steve Clark
Clark Systems Support, LLC
AVIEN Charter Member
"Who's watching your network?"
www.clarksupport.com
301-610-9584 voice
240-465-0323 Efax

The data furnished in connection with this document is deemed by Clark Systems Support, LLC., to contain proprietary and privileged information and shall not be disclosed or used for the benefit of others without the prior written permission of Clark Systems Support, LLC.

-----Original Message-----
From: Ben Keeley [mailto:[EMAIL PROTECTED]]
Sent: Friday, March 01, 2002 8:24 AM
To: Clark, Steve
Cc: [EMAIL PROTECTED]
Subject: RE: Why netscreen instead of say sonicwall

Thanks Steve!

How about £ for £, are they comparable or do you pay more for the name? Could I ask what you've heard about SonicWALLs?

kind regards
Ben

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Clark, Steve
Sent: 01 March 2002 13:01
To: '[EMAIL PROTECTED]'
Subject: RE: Why netscreen instead of say sonicwall

From my experience, the NetScreens are much better than WatchGuards. The support is better, they are easier to use and I've heard nothing on vulnerabilities (with the exception of a misconfigured trusted interface).

I originally decided to sell/support/install WatchGuards in all the offices I manage. Purchased the SOHO unit, called support to discuss some of the finer points of how to jam the thing into my offices (guinea pig). They were miserable to talk to. Before they would talk to me, I had to register the unit - of course, they could not register the unit as there was a problem with the database. That went on for 2 weeks. After all was said and done, I returned the unit as the interface was a mess.

Since then, I have installed about 2 dozen of them in small offices/home offices where I concentrate my practice and it's a breeze. The VPN is a few clicks, the policies are easy to configure and the unit acts as it should. The several times I have had to call support, I've had 1 instance where the person had no idea what he was doing.

To this day I regret selling my WatchGuard to someone as I know they are having problems with it. I've offered $$ back and to sell the NetScreen but they won't go for it.

This has been my experience and recommendations from other companies that sell/support firewalls.

(Was that ok piranha? :) )

Steve Clark
Clark Systems Support, LLC
AVIEN Charter Member
"Who's watching your network?"
www.clarksupport.com
301-610-9584 voice
240-465-0323 Efax

-----Original Message-----
From: Ben Keeley [mailto:[EMAIL PROTECTED]]
Sent: Friday, March 01, 2002 7:27 AM
To: [EMAIL PROTECTED]
Subject: Why netscreen instead of say sonicwall

Hi,

Just a quick question...
I've been reading the board for a number of months, and I've noticed that NetScreen seems to be recommended above, say, SonicWALL or WatchGuard. Could somebody explain why NetScreen is that much better?

Thank you

_______________________________________________
Firewalls mailing list
[EMAIL PROTECTED]
http://lists.gnac.net/mailman/listinfo/firewalls

--__--__--

Message: 3
Date: Fri, 1 Mar 2002 14:32:13 -0800 (PST)
From: Valerie Anne Bubb <[EMAIL PROTECTED]>
Reply-To: Valerie Anne Bubb <[EMAIL PROTECTED]>
Subject: Re: Your Message Sent on Fri, 1 Mar 2002 11:44:07 -0800
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]

>From: "Gary Ferrer" <[EMAIL PROTECTED]>
>
>I am using NAT on the screen. Here's the rule:
>
>1 DYNAMIC "iprb1.net" "Internet" "publicIP" "Internet"
>
>These are my addresses:
>
>"gary" HOST 192.168.0.4 COMMENT "Garys PC"
>"Internet" GROUP { "*" } { "iprb1.net" }
>"iprb1.net" RANGE 192.168.0.1 192.168.0.10
>"publicIP" GROUP { "localhost" } { "sunbox" }
>"sunbox" HOST 192.168.0.5

Ok, from this I can see that you are sharing your firewall's
external IP with the entire network. Are you using DHCP?

>DNS can resolve www.myweb&firewall.com from www.myweb&firewall.com but not
>from internal clients (requests time out but do come up with the correct
>IP). Snoop on the internal NIC of the firewall reports a DNS request from
>the client and responds with the correct IP:
>
>gary -> ns2wh.vc.shawcable.net DNS C www.myweb&firewall.com. Internet Addr ?
>ns2wh.vc.shawcable.net -> gary DNS R www.myweb&firewall.com.
>Internet Addr good.xxx.xxx.xxx
>gary -> hxx-xx-xx-x ICMP Echo request (ID: 256 Sequence number: 1280)

So, in this snoop, I assume that good.xxx.xxx.xxx is your public IP.

Is good.xxx.xxx.xxx actually the IP configured on your external interface?
Or are you being virtually hosted by your ISP?

What is "hxx-xx-xx-x"? (Are you trying to ping www.myweb&firewall.com?)

>>and how you're
>> doing a mapping from www.myweb&firewall.com to http://webserver&firewall.
>
>www.myweb&firewall.com and webserver&firewall are the same machine so I
>don't know how I would map to itself. I thought the /etc/hosts table was
>enough for that?

I just wasn't sure if "www.myweb&firewall.com" and "webserver&firewall"
resided on the same interface (via virtual interfaces/NAT) or one was
your external interface, and the other internal?

Now, my guess as to why this is not working:

Your NAT rule includes the IP address for "www.myweb&firewall.com" in
the Destination (Internet):

1 DYNAMIC "iprb1.net" "Internet" "publicIP" "Internet"

"Internet" GROUP { "*" } { "iprb1.net" }
"iprb1.net" RANGE 192.168.0.1 192.168.0.10

So, the firewall is trying to NAT "gary" to www.myweb&firewall.com and
at the same time trying to connect to www.myweb&firewall.com, and it
gets lost somewhere in the networking stack.

Try changing your definition of "Internet" to additionally exclude
your firewall:

"Internet" GROUP { "*" } { "iprb1.net" "localhost" }

> My rules seem a bit open, I do need to restrict them however I'm not exactly
> bright.

The easiest, basic restriction is to just limit the flow of traffic
so it's only open going out, and only allow http to your webserver in.
So, rules like:

"common" "iprb1.net" "*" ALLOW
"www" * "publicIP" ALLOW

hth

Valerie
--
[EMAIL PROTECTED]
[EMAIL PROTECTED]

--__--__--

Message: 4
Reply-To: "Gary Ferrer" <[EMAIL PROTECTED]>
From: "Gary Ferrer" <[EMAIL PROTECTED]>
To: "Valerie Anne Bubb" <[EMAIL PROTECTED]>
Cc: "Firewall list" <[EMAIL PROTECTED]>
Subject: Re: Your Message Sent on Fri, 1 Mar 2002 11:44:07 -0800
Date: Fri, 1 Mar 2002 22:31:03 -0800

Yes, I am using DHCP (Shaw@home network).

Yes, good.xxx.xxx.xxx is my external DHCP address configured on the external interface via DHCP (I suppose I should just print it but I thought that may be a security risk posting it on the net - stupid me).

That hxx.xx.xx.x is actually the hostname the DHCP server gives to Solaris. I have a script to rewrite it to a proper name 'ferrer.yi.org' so when I do 'hostname' I get ferrer.yi.org. I'm using a DNS service from yi.org (free!).

>I just wasn't sure if "www.myweb&firewall.com" and "webserver&firewall"
>resided on the same interface (via virtual interfaces/NAT) or one was
>your external interface, and the other internal?

Humm, I didn't think of that, but webserver&firewall (which I call sunbox internally) should only answer on the internal interface because it's non-routable and not a valid canonical name.

Ahhhhhhhh.... you're right!!!!!!!! I changed my 'Internet' definition to exclude localhost and it worked! You're beautiful. I need to spend more time understanding how the NAT rules work. I've had a hard time finding documentation that would help me with that.

Anyway, thank you again.

Cheers,
Gary.

--__--__--

Message: 5
Date: Sat, 2 Mar 2002 15:29:22 +0100
From: Daniel Hartmeier <[EMAIL PROTECTED]>
To: zerokey <[EMAIL PROTECTED]>
Cc: [EMAIL PROTECTED]
Subject: Re: issues with pf

On Fri, Mar 01, 2002 at 01:57:52PM -0500, zerokey wrote:

> block in log all
> pass out all
>
> pass in on fxp0 proto icmp from any to any
> pass in on fxp0 proto tcp from any to any port = 53
> pass in on fxp0 proto udp from any to any port = 53
> pass in on fxp0 proto tcp from cc.cc.cc.cc to any
> pass in on fxp0 proto udp from cc.cc.cc.cc to any
> pass in on fxp0 proto tcp from any to aa.aa.aa.aa port = 22
> pass in on fxp0 proto tcp from any to bb.bb.bb.bb port = 22
> pass in on fxp0 proto tcp from any to cc.cc.cc.cc
> pass in on fxp0 proto tcp from any to dd.dd.dd.dd
>
> Mar 01 13:50:22.976540 rule 0/0(match): block in on fxp0: aa.aa.aa.aa.22 >
> 64.14.81.125.40123: P 0:52(52) ack 61 win 6432 (DF) [tos 0x10]

You're not using 'keep state', and hence the firewall is not
creating state for connections. While all outgoing packets are passed,
incoming packets related to such connections are generally blocked.

Note that when you ssh out to an external host, the ssh client will use
a random high port (like 40123), and replies have a _source_ port of 22
and a _destination_ port of 40123. Unless the external host is
cc.cc.cc.cc, you're blocking those replies.

I suggest you read the section STATEFUL INSPECTION in pf.conf(5) and
then add 'keep state' to all 'pass' rules.

Daniel

--__--__--

_______________________________________________
Firewalls mailing list
[EMAIL PROTECTED]
http://lists.gnac.net/mailman/listinfo/firewalls

End of Firewalls Digest
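The address-group logic behind Valerie's diagnosis in Messages 3 and 4, as an added example that is not code from the thread or from any firewall product: the address objects are the ones Gary posted, while the screen's own addresses ("localhost") are constructed, 192.168.0.5 inside and 203.0.113.10 as a documentation-range stand-in for good.xxx.xxx.xxx. It shows that with the original "Internet" group a packet from gary to the firewall's public IP is translated so that source and destination are both the firewall's own address, and that excluding "localhost" stops the rule from matching.

```python
"""Address-group model for the SunScreen-style NAT rule in Messages 3 and 4.
Added example, not code from the thread or from any firewall product. The
address objects are the ones Gary posted; the firewall's own addresses
("localhost") are constructed: 192.168.0.5 inside and 203.0.113.10 outside,
a documentation-range stand-in for good.xxx.xxx.xxx."""
import ipaddress

IP = ipaddress.IPv4Address

def ip_range(first, last):
    """RANGE first last -> the inclusive set of addresses."""
    return {IP(n) for n in range(int(IP(first)), int(IP(last)) + 1)}

ADDRESSES = {
    "gary": {IP("192.168.0.4")},                            # HOST
    "sunbox": {IP("192.168.0.5")},                          # HOST
    "iprb1.net": ip_range("192.168.0.1", "192.168.0.10"),   # RANGE
    "localhost": {IP("192.168.0.5"), IP("203.0.113.10")},   # constructed
}

def group(include, exclude):
    """GROUP { include } { exclude } -> membership test; "*" means any address."""
    def member(addr):
        inc = any(n == "*" or addr in ADDRESSES[n] for n in include)
        return inc and not any(addr in ADDRESSES[n] for n in exclude)
    return member

PUBLIC_IP = group(["localhost"], ["sunbox"])   # "publicIP" GROUP { "localhost" } { "sunbox" }
INTERNET_ORIGINAL = group(["*"], ["iprb1.net"])              # Gary's definition
INTERNET_FIXED = group(["*"], ["iprb1.net", "localhost"])    # Valerie's fix

def translate(internet, src, dst):
    """Apply rule 1, DYNAMIC "iprb1.net" "Internet" "publicIP" "Internet":
    return (translated_src, dst), or None when the rule does not match."""
    if not (src in ADDRESSES["iprb1.net"] and internet(dst)):
        return None
    new_src = next(a for a in ADDRESSES["localhost"] if PUBLIC_IP(a))
    return new_src, dst

def own_address_looped_back(internet):
    """True when a packet from gary to the firewall's public IP is NATed so
    that source and destination both become the firewall's own address."""
    result = translate(internet, IP("192.168.0.4"), IP("203.0.113.10"))
    return result is not None and result[0] == result[1]

if __name__ == "__main__":
    print("original:", own_address_looped_back(INTERNET_ORIGINAL))   # True
    print("fixed:   ", own_address_looped_back(INTERNET_FIXED))      # False
```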
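Daniel's point in Message 5, as an added example that is not pf's code nor the poster's: a toy evaluator for the pf.conf(5) subset quoted above (last matching rule wins, 'keep state' on a passed packet records the connection so packets of either direction bypass the ruleset). The ruleset is abridged from the post, addresses stay as the opaque tokens aa.aa.aa.aa and 64.14.81.125 from the log line, and the scenario is an outbound ssh from port 40123 followed by the server's reply from port 22.

```python
"""Toy evaluator for the pf.conf(5) subset quoted in Message 5 (added example,
not pf's own code): last matching rule wins; 'keep state' on a passed packet
records the connection so later packets in either direction bypass the rules."""
from collections import namedtuple

Packet = namedtuple("Packet", "dir iface proto src sport dst dport")
RULESET = """\
block in log all
pass out all
pass in on fxp0 proto icmp from any to any
pass in on fxp0 proto tcp from any to any port = 53
pass in on fxp0 proto tcp from cc.cc.cc.cc to any
pass in on fxp0 proto tcp from any to aa.aa.aa.aa port = 22
"""  # abridged from the post; 'log' is accepted and ignored

def parse(text):
    """One dict per rule, None meaning wildcard; 'port = N' is the dst port."""
    rules = []
    for line in text.splitlines():
        t = line.split()
        r = dict(action=t[0], dir=t[1], iface=None, proto=None, src=None,
                 dst=None, dport=None, keep_state=t[-2:] == ["keep", "state"])
        for i, w in enumerate(t):
            if w in ("on", "proto"):
                r["iface" if w == "on" else "proto"] = t[i + 1]
            elif w in ("from", "to") and t[i + 1] != "any":
                r["src" if w == "from" else "dst"] = t[i + 1]
            elif w == "port":
                r["dport"] = int(t[i + 2])
        rules.append(r)
    return rules

def evaluate(rules, state, p):
    """Return 'pass' or 'block'; a matching state entry short-circuits the rules."""
    key = (p.proto, p.src, p.sport, p.dst, p.dport)
    if key in state or key[:1] + key[3:] + key[1:3] in state:   # either direction
        return "pass"
    hits = [r for r in rules if r["dir"] == p.dir and all(
        r[k] in (None, getattr(p, k)) for k in ("iface", "proto", "src", "dst", "dport"))]
    win = hits[-1] if hits else dict(action="pass", keep_state=False)  # last match wins
    if win["action"] == "pass" and win["keep_state"]:
        state.add(key)
    return win["action"]

def ssh_reply_verdict(keep_state):
    """Outbound ssh 64.14.81.125:40123 -> aa.aa.aa.aa:22, then the server's reply."""
    text = RULESET.replace("pass out all", "pass out all keep state") if keep_state else RULESET
    rules, state = parse(text), set()
    evaluate(rules, state, Packet("out", "fxp0", "tcp", "64.14.81.125", 40123, "aa.aa.aa.aa", 22))
    return evaluate(rules, state, Packet("in", "fxp0", "tcp", "aa.aa.aa.aa", 22, "64.14.81.125", 40123))
```

Without 'keep state' the reply falls through to 'block in log all', which is exactly the logged verdict; with it, the state created by the outbound packet passes the reply.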
