Thanks for your attention, Paolo.
It could be a great solution. I think I will try it in a test environment.

-----Original Message-----
From: Mailing list for discussion of Firewall-1 [mailto:[EMAIL PROTECTED] On 
behalf of Paolo Riviello www.paoloriviello.com
Sent: Friday, 19 January 2007 10:42
To: [email protected]
Subject: Re: [FW-1] R: [FW-1] Routing...

So the last thing that I can say is:

You have to look at something that is obviously unsupported by Check Point (I 
suppose): "source-based routing on Linux".

http://www.linuxhorizon.ro/iproute2.html

In brief, as I gathered from the net:

Edit the /etc/iproute2/rt_tables file. As you see below, we have added ID 23 
with the alias adsl.

#more rt_tables
#
# reserved values
#
#255 local
#254 main
#253 default
#0 unspec
#
# local
#
#1 inr.ruhep
23 adsl


You may use the command below for this:
#echo 23 adsl >> /etc/iproute2/rt_tables

Then we specify which source IP addresses will use this table:
#ip rule add from 10.0.0.5/24 table adsl (all lan IPs will use this table)

Let's set this adsl table's default gateway to RouterB:
#ip route add default via 1.1.1.3 dev eth0 table adsl

We have to add the following rule in order to give access from 10.0.0.x to the 
dmz:
#ip route add 192.168.0.0/24 dev eth2 table adsl

To activate the changes, type the following:
#ip route flush cache

After a reboot the things we made will not remain. We have to add all the 
commands to the rc.local file to make the changes permanent after reboot.


ip rule add from 10.0.0.0/24 table adsl
ip route add default via 1.1.1.3 dev eth0 table adsl
ip route add 192.168.0.0/24 dev eth2 table adsl
ip route flush cache



So now just try to implement it!



--

Paolo Riviello


Home: http://www.paoloriviello.com
E-mail: [EMAIL PROTECTED]
E-mail: [EMAIL PROTECTED]
Skype: pao_rivi Icq: 285354822

If men could get pregnant, abortion would be a sacrament. (H)
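
The rc.local commands from the message above in a form that can be re-run without duplicating table entries or rules, as an added example that is not part of the original thread. The function names, the RT_TABLES and IP variables, and the LAN-side interface passed to check_path are assumptions; the addresses, interfaces and table ID are the ones used in the message.

```sh
#!/bin/sh
# Added example: re-runnable form of the thread's rc.local commands.
# Table 23 "adsl", 10.0.0.0/24, 1.1.1.3/eth0 and 192.168.0.0/24/eth2 are the
# thread's values; function names and the RT_TABLES/IP variables are assumptions.
RT_TABLES=${RT_TABLES:-/etc/iproute2/rt_tables}
IP=${IP:-ip}    # set IP="echo ip" to print the commands instead of running them

# Register "ID NAME" once. A blind ">>" on every run duplicates the entry, and
# an ID or name already bound to something else would silently misroute.
ensure_rt_table() {
    rc=0
    awk -v id="$1" -v name="$2" '
        $1 ~ /^#/ || NF < 2 { next }             # skip comments and blanks
        $1 == id && $2 == name { found = 1 }
        ($1 == id) != ($2 == name) { clash = 1 } # only one of the two matches
        END { exit clash ? 2 : (found ? 0 : 1) }' "$RT_TABLES" || rc=$?
    case $rc in
        0) return 0 ;;
        2) echo "cannot register '$1 $2' in $RT_TABLES (conflict or unreadable)" >&2; return 1 ;;
    esac
    echo "$1 $2" >> "$RT_TABLES"
}

# Add the source rule only if it is not already installed, so repeated runs
# do not stack identical rules.
ensure_rule() {
    $IP rule show | grep -qF "from $1 lookup $2" && return 0
    $IP rule add from "$1" table "$2"
}

apply_policy() {
    ensure_rt_table 23 adsl || return 1
    ensure_rule 10.0.0.0/24 adsl
    # "replace" creates the route or overwrites it, so it is safe to repeat.
    $IP route replace default via 1.1.1.3 dev eth0 table adsl
    $IP route replace 192.168.0.0/24 dev eth2 table adsl
    $IP route flush cache
}

# Read-only check of the path chosen for a forwarded packet:
# check_path SRC DST IN_IF (IN_IF is the LAN-side interface).
check_path() {
    $IP route get "$2" from "$1" iif "$3"
}

# Run the setup only when executed as a script with "apply".
if [ "${1:-}" = apply ]; then apply_policy; fi
```

After applying, check_path with a 10.0.0.x source and any public destination should report the 1.1.1.3 next hop on eth0; a result pointing at the main table's default gateway means the rule is not matching.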





>From: Sergio Alvarez <[EMAIL PROTECTED]>
>Reply-To: Mailing list for discussion of Firewall-1              
><[email protected]>
>To: [email protected]
>Subject: Re: [FW-1] R: [FW-1] Routing...
>Date: Thu, 18 Jan 2007 12:07:07 -0600
>
>Well, then I have to say sorry my friend... I have no further ideas.
>
>I hope you find a suitable answer.
>
>Regards
>
>On 1/18/07, Scarpati Massimiliano <[EMAIL PROTECTED]>
>wrote:
>>
>>Thanks to all for your answers,
>>Paolo, it's not a solution for me; I can't configure a route in that way on
>>my SPLAT and I don't manage the first router. I think that Sergio has
>>pinpointed the problem. Routes on my SPLAT are based on destination and I
>>can't manage to define a destination for my new route that is "Internet
>>World" (except for the default gateway), but that means all traffic, and I
>>already route my Internet traffic to the first router of my partner. Sergio,
>>your workaround of routing all traffic to the router of my partner and
>>rerouting the traffic coming from my new net to the second router could be a
>>good solution, but it is not suitable for me... because of the contract
>>policy between me and this partner...
>>
>>-----Original Message-----
>>From: Mailing list for discussion of Firewall-1 [mailto:
>>[EMAIL PROTECTED] On behalf of Sergio Alvarez
>>Sent: Wednesday, 17 January 2007 19:23
>>To: [email protected]
>>Subject: Re: [FW-1] Routing...
>>
>>Regular routes are based on destination, you create a route telling a
>>layer 3 device what would be the destination network and what gateway to
>>use to get there.
>>So if you want to publish particular services behind the enforcement
>>module and ensure that traffic received by the second router you mentioned
>>and destined to those services, is sent the proper way, then all you need
>>is a route on that router pointing to the enforcement module.
>>Now, if you want for the enforcement module to receive traffic from the
>>new network behind it and send it to the second router while all the rest
>>of the traffic is sent to the first router (default gateway), then you need
>>to know what would be the destination network, otherwise you need source
>>based routing which is not available on Secure Platform (as far as I know).
>>A good solution would be to use the first router (default gateway) to
>>redirect the traffic the right way if in fact your partner has a source
>>based routing capable router there. That way you leave a single default
>>gateway on your enforcement module and tell that router to redirect
>>traffic to the second router when the source is that particular network.
>>You might have to do some tweaking on the NAT rules of the firewall for it
>>to identify the new network with a different IP range so it is possible to
>>identify it from the rest of the networks coming through your enforcement
>>module.
>>
>>Hope this helps.
>>
>>Regards
>>
>>
>>On 1/17/07, Paolo Riviello www.paoloriviello.com <[EMAIL PROTECTED]>
>>wrote:
>> >
>> > Massimiliano, usually you should configure just a default gateway which
>> > routes your packets to the public internet, therefore you must explain to
>> > us where your partner's router is and where the new one is.
>> > Anyway, I think that you must configure some source traffic rules on your
>> > default gateway (something like a route map on Cisco)... so the default
>> > gateway for your SPLAT remains the same.
>> >
>> >
>> >
>> > --
>> >
>> > Paolo Riviello
>> >
>> >
>> > Home: http://www.paoloriviello.com
>> > E-mail: [EMAIL PROTECTED]
>> > E-mail: [EMAIL PROTECTED]
>> > Skype: pao_rivi Icq: 285354822
>> >
>> > If men could get pregnant, abortion would be a sacrament. (H)
>> >
>> >
>> >
>> >
>> >
>> > >From: Markus Schmidt <[EMAIL PROTECTED]>
>> > >Reply-To: Mailing list for discussion of Firewall-1
>> > ><[email protected]>
>> > >To: [email protected]
>> > >Subject: Re: [FW-1] Routing...
>> > >Date: Wed, 17 Jan 2007 17:18:58 +0100
>> > >
>> > >-----BEGIN PGP SIGNED MESSAGE-----
>> > >Hash: SHA1
>> > >
>> > >Simply add a route via 'sysconfig' (on the command line).
>> > >You're asked to enter some information.
>> > >* Network is your eth3 network (172.16.0.0)
>> > >* Subnet is 255.255.0.0
>> > >* Destination is the router you want to use, and that's all
>> > >
>> > >Is this the information that helps? Please let me know.
>> > >
>> > >- --
>> > >http://schmidt.bs-server.com
>> > >
>> > >Scarpati Massimiliano wrote:
>> > > > Hi guys, I'm a beginner with Check Point, so be patient....
>> > > >
>> > > > I have an R55 HFA18 Enforcement Module on Secure Platform and a
>> > > > management R55 HFA18 on Windows. On my Enforcement Module I now have
>> > > > 3 Ethernet interfaces:
>> > > >
>> > > > Eth0 Private Address......x.x.x.x (172.31.w.w)
>> > > > Eth1 Private Address.....y.y.y.y (172.31.y.y)
>> > > > Eth2 Private Address.....z.z.z.z (192.z.z.z)
>> > > >
>> > > > Now on my SPLAT I have some routes to particular IP addresses and I
>> > > > have a default route that tells my SPLAT to route all the packets
>> > > > from my LAN (Eth1) to a public IP address (a router of a partner that
>> > > > gives me connectivity to the Internet, not managed by me).
>> > > >
>> > > > I want to implement another network to publish some services, so on
>> > > > the Enforcement Module I add a new Ethernet interface:
>> > > >
>> > > > Eth3 (172.16.h.h)
>> > > >
>> > > > Now my LAN Eth1 y.y.y.y goes to the Internet via the router of my
>> > > > partner.
>> > > >
>> > > > I have another router with a public IP address and I want to publish
>> > > > my new machines in the IP class 172.16.h.h via this router.
>> > > >
>> > > > My question is: is it possible to configure my Enforcement Module to
>> > > > route all the packets coming from 172.16.h.h, and only these, that
>> > > > have public IP addresses as destination, to this router?
>> > > >
>> > > > I want to continue to route the packets coming from my LAN Eth1
>> > > > (172.31.y.y) to the router of my partner and route everything coming
>> > > > from my new Eth3 (172.16.h.h) to the new public IP.
>> > > >
>> > > > If it is possible and someone has a similar config, please suggest
>> > > > the way to do this.
>> > > >
>> > > > Thanks.
>> > > >
>> > > > Mazzz
>> > > >
>> > > > =================================================
>> > > > To set vacation, Out-Of-Office, or away messages,
>> > > > send an email to [EMAIL PROTECTED]
>> > > > in the BODY of the email add:
>> > > > set fw-1-mailinglist nomail
>> > > > =================================================
>> > > > To unsubscribe from this mailing list,
>> > > > please see the instructions at
>> > > > http://www.checkpoint.com/services/mailing.html
>> > > > =================================================
>> > > > If you have any questions on how to change your
>> > > > subscription options, email
>> > > > [EMAIL PROTECTED]
>> > > > =================================================
>> > >
>> > >-----BEGIN PGP SIGNATURE-----
>> > >Version: GnuPG v1.2.5 (MingW32)
>> > >Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
>> > >
>> > >iD8DBQFFrkxyPVyB00VJC9cRAh6nAJ9vh2YRT3xVTZ9wG/kEo9GBqXoD4ACdFZS3
>> > >ZmT+alBL1LGuJoItfZAhrSw=
>> > >=ZSog
>> > >-----END PGP SIGNATURE-----
>> > >
>> >
>> >
>>
>>
>>
>>--
>>Sergio Alvarez
>>(506)8301342
>>
>>
>
>
>
>--
>Sergio Alvarez
>(506)8301342
>
