Becki-
Coming from a tech support background I try to phrase things as simply as
possible because I don't know the IP routing background of who I am
speaking with. If you can route in your sleep and/or can translate dotted
quad IP addresses to hex or binary in your head I apologize....
DNS is used to map www.checkpoint.com to 216.200.241.66 or vice versa for
logging purposes. ARP is used when the destination is thought to be on the
same network segment. It is used when the host or router sending the ARP
requests does not have a MAC address for the destination host in its ARP
cache table.
What it looks like you are seeing is the ping (echo request) from bob to
10.1.1.2, then an ARP request (broadcast) from 10.1.1.2.
The snoop packet dump is different than the format I am used to
(tcpdump). Here is my guess at interpreting it, it looks like 10.1.1.2 is
ARPing for both 10.2.1.1 and bob.ford.com.
In tcpdump it would look more like:
10.1.1.2 ARP who has 10.2.1.1 tell 10.1.1.2 (not the exact syntax I'm
going from memory)
It appears the ping is getting to 10.1.1.2 with a source address of
10.2.1.1 and 10.1.1.2 does not know how to reach 10.2.1.1 so it is ARPing
for it which it shouldn't be doing unless:
a. 10.1.1.2 doesn't have a default gateway defined so it will ARP
for everything.
b. 10.1.1.2 does have a default gateway but is configured with an
8 bit mask (255.0.0.0) so it thinks that 10.2.1.1 is in the same network
c. 10.1.1.2 has its default gateway set for 10.1.1.1, is ARPing
for 10.1.1.1 as a route to get to 10.2.1.1 and the device running snoop is
using either its
hosts file or DNS lookup to change the output of the ARP
request from 10.1.1.1 to bob.ford.com
d. I am completely wrong and am misinterpreting the snoop output
(been known to happen)
In the second snoop it appears the source address is 10.1.1.1, so 10.1.1.2
has no problem replying to it because it has an ARP cache entry for 10.1.1.1.
The only part that DNS plays in this is possibly translating 10.1.1.1 to
bob.ford.com in the snoop output (not what is actually traveling on the wire)
Hope this helps :-)
-PaulK
/2000, Kain, Becki (B.) wrote:
>2. Is dns accessed at all, when fwd is running, to determine an object's ip
>address or does it just use the ip address that is defined for the object?
>
>I am not completely sure on this issue, but I would assume that once the
>firewall has the IP address for an object defined it wouldn't need to query
>DNS.
>When setting up the object it might, if you click the get IP address box.
>
>Seems like you are a little unfamiliar with the concepts of Firewall-1
>I would recommend the following sites for more information:
>___________________________________________________________________
>
>thanks, but this is a question my reseller also couldn't answer. why would
>a machine not be able to ping another, depending on if it was managing
>itself. bob has 2 interfaces, 10.1.1.1 and 10.2.1.1:
>
>this is a snoop from the machine bob (10.1.1.1) to
>10.1.1.2, while a ping from bob to the .2 machine is going on and it is
>managing itself:
>
>
>bob.ford.com -> 10.1.1.2 ICMP Echo request
>10.1.1.2 -> (broadcast) ARP C Who is 10.2.1.1, bob.ford.com ?
>10.1.1.2 -> (broadcast) ARP C Who is 10.2.1.1, bob.ford.com ?
>bob.ford.com -> 10.1.1.2 ICMP Echo request
>10.1.1.2 -> (broadcast) ARP C Who is 10.2.1.1, bob.ford.com ?
>
>this is the same snoop/ping with a different management server:
>
>bob# /usr/sbin/snoop 10.1.1.2
>Using device /dev/hme (promiscuous mode)
> bob -> 10.1.1.2 ICMP Echo request
>10.1.1.2 -> bob ICMP Echo reply
>
>so all I could figure was that dns was getting in the way. Any other ideas?
>
>thanks
>
>becki kain
>
>================================================================================
> To unsubscribe from this mailing list, please see the instructions at
> http://www.checkpoint.com/services/mailing.html
>================================================================================
*********************************************
Paul Keser
Network Security Engineer
[EMAIL PROTECTED]
tel: 415.351.4037
fax: 415.474.6017
ShopExpert.com
1375 Sutter Street, Suite 400
San Francisco, CA 94109
*********************************************
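To make the three mis-configuration cases above concrete, here is an added example (not code from either poster) that models which address a host will ARP for given its mask and default gateway, and how snoop's name substitution can dress up the address it prints. The name table is constructed: it assumes both of bob's interfaces reverse-resolve to bob.ford.com on the capturing host.

```python
import ipaddress
from typing import Dict, Optional, Tuple

# Constructed stand-in for the capturing host's hosts file / DNS (assumption:
# both of bob's interfaces resolve to bob.ford.com). Display only, never on the wire.
NAMES: Dict[str, str] = {"10.1.1.1": "bob.ford.com", "10.2.1.1": "bob.ford.com"}


def arp_target(host_ip: str, netmask: str, dest_ip: str,
               default_gw: Optional[str] = None) -> Tuple[str, str]:
    """Return (address the host will ARP for, reason).

    on-link destination        -> ARP for the destination itself
    off-link, gateway defined  -> ARP for the gateway            (case c)
    off-link, no gateway       -> ARP for the destination anyway (case a)
    An over-wide mask such as 255.0.0.0 makes 10.2.1.1 look on-link (case b).
    """
    iface = ipaddress.ip_interface(f"{host_ip}/{netmask}")
    if ipaddress.ip_address(dest_ip) in iface.network:
        return dest_ip, "on-link"
    if default_gw is not None:
        return default_gw, "via default gateway"
    # Modelled on the thread's case (a): no route, so the stack ARPs directly.
    return dest_ip, "no route: ARPing for off-link destination"


def snoop_line(src_ip: str, target_ip: str, names: Dict[str, str] = NAMES) -> str:
    """Render the ARP request the way snoop prints it: the raw target address,
    followed by a name if the capturing host can resolve one."""
    target = target_ip if target_ip not in names else f"{target_ip}, {names[target_ip]}"
    return f"{names.get(src_ip, src_ip)} -> (broadcast) ARP C Who is {target} ?"


if __name__ == "__main__":
    # Echo request arrives at 10.1.1.2 with source 10.2.1.1; who does it ARP for?
    cases = {
        "a: no default gateway": ("255.255.255.0", None),
        "b: 8-bit mask":         ("255.0.0.0", "10.1.1.1"),
        "c: gateway 10.1.1.1":   ("255.255.255.0", "10.1.1.1"),
    }
    for label, (mask, gw) in cases.items():
        target, why = arp_target("10.1.1.2", mask, "10.2.1.1", gw)
        print(f"{label:24s} {why:40s} {snoop_line('10.1.1.2', target)}")
    # Second snoop: source 10.1.1.1 is on-link, so no gateway lookup is needed.
    print(arp_target("10.1.1.2", "255.255.255.0", "10.1.1.1", "10.1.1.1"))
```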