I can't remember/currently find examples, but if I'm not
mistaken, the 'leaks' occur when the system is under
load. FW1 will let the packet pass without translation.
But until I find proof or someone can verify, you should
make sure to do the following. Block the RFC1918
addresses at your external router. In fact you should
do egress filtering anyway.
See http://www.sans.org/infosecFAQ/egress.htm for more
reading.
Robert
- -
Robert P. MacDonald, Network Engineer
e-Business Infrastructure
Gordon Food Service
Voice: +1.616.261.7987 email: [EMAIL PROTECTED]
>>> Eric Trolan <[EMAIL PROTECTED]> 7/25/00 10:02:47 AM >>>
>Hi Marc,
>I too am unable to resolve it. :(
>I saw these articles but neither of them applies to my situation, and yet it
>happens.
>
>
>
>Regards
>Eric Trolan
>
> -----Original Message-----
>From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
>Sent: Tuesday, July 25, 2000 3:52 AM
>To: Eric Trolan
>Cc: [EMAIL PROTECTED]
>Subject: Re: [FW1] Hide NAT and original addresses leaking through?
>
>Eric,
>
>I found 2 articles on the CP SecureKnowledge pages but was unable to resolve
>this for myself :-(
>
>One is specific to Solaris re:
>The default timeout for TCP Check-Alive being higher than the FW1 TCP
>timeout.
>
>The other solution is as follows:
>
>Solution: NAT works intermittently. Periodical Snoops show that invalid
>addresses sometimes reach the Internet (36.0.476006.2482649)
>Do not install a Layer 3 switch between the internal network and the
>internal interface of FireWall-1.
>
>Problem Description
>NAT works intermittently. Periodical Snoops show that invalid addresses
>sometimes reach the Internet
>
> See the problem environment.
>
>Cause of this problem:
>In this configuration the Layer 3 compatible switch will direct traffic to
>either the internal interface of FireWall-1 OR directly to the external
>router. This explains the intermittent NAT operation
>
> Changes affecting this problem:
>A Layer 3 switch installed between the internal interface of FireWall-1 and
>the internal network. The switch also has a direct route to an external
>router.
>
>HTH
>
>Marc
>
> To: "'[EMAIL PROTECTED]'"
><[EMAIL PROTECTED]>
> cc:
> Subject: [FW1] Hide NAT and original addresses leaking
>through?
>
>
>Hi All,
>I recently put some access lists on our Internet router to drop RFC 1918
>addresses. Internally we use 172.19.x.x. I was surprised to see packets
>getting dropped from our internal network on the router since everyone going
>through the firewall should be NATed to the legal address 63.169.12.6. I
>experienced this on FW 4.0 and now on FW 4.1, both for NT.
>
>Anyone have any idea why some of my internal network addresses are not being
>completely NATed when going to the outside world? Anyone know of other
>information that may be leaking through the firewall?
>
>
>Any help or ideas are appreciated.
>
>
>Regards
>Eric
================================================================================
To unsubscribe from this mailing list, please see the instructions at
http://www.checkpoint.com/services/mailing.html
================================================================================