Tim,
Looking at the relevant section of crypt.def, on Solaris, I see
define USERC_DECRYPT_SRC {
(
#ifndef ENCDNS
not(dport = SERV_domain, (udp or tcp)),
#endif
I have added a line above this, saying
#define ENCDNS
which functions in exactly the same way as in 4.0.
I assume that the authors of the VPN document for Checkpoint 2000 didn't
properly check the system when writing page 155.
Tim
--
Timothy Frost mailto:[EMAIL PROTECTED]
EDS New Zealand Fax: +64-4-495-0473
8 Gilmer Terrace Phone: +64-4-495-0504
P O Box 3647
Wellington
New Zealand
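For readers who want to see why the default crypt.def clause leaves DNS in the clear and how defining ENCDNS changes that, here is a small added Python model (not Check Point code, and not from either poster). It assumes SERV_domain is the DNS port (53) and uses a constructed trace that mirrors the symptom reported in the thread.

```python
# Added example: a model of the crypt.def USERC_DECRYPT_SRC clause quoted
# above, used to compare policy intent against what a packet trace showed.
from dataclasses import dataclass

SERV_DOMAIN = 53  # assumption: INSPECT's SERV_domain is the DNS service port


@dataclass(frozen=True)
class Flow:
    proto: str       # "udp", "tcp" or "icmp"
    dport: int       # destination port
    encrypted: bool  # what a packet trace on the client actually showed


def in_encryption_domain(flow: Flow, encdns: bool) -> bool:
    """Model of the clause: unless ENCDNS is defined, the macro contains
    'not(dport = SERV_domain, (udp or tcp))', which removes DNS over
    UDP/TCP from the set of traffic SecureRemote encrypts/decrypts."""
    if not encdns:
        is_dns = flow.dport == SERV_DOMAIN and flow.proto in ("udp", "tcp")
        if is_dns:
            return False
    return True


def cleartext_leaks(trace, encdns: bool):
    """Flows the modelled policy says must be encrypted but that the trace
    shows in the clear. Use it after changing crypt.def to confirm the
    recompiled policy matches what the client is really sending."""
    return [f for f in trace if in_encryption_domain(f, encdns) and not f.encrypted]


# Constructed trace matching the report: DNS in the clear, other traffic encrypted.
SAMPLE_TRACE = [
    Flow("udp", 53, encrypted=False),
    Flow("tcp", 53, encrypted=False),
    Flow("tcp", 80, encrypted=True),
    Flow("tcp", 445, encrypted=True),
]

if __name__ == "__main__":
    for encdns in (False, True):
        leaks = cleartext_leaks(SAMPLE_TRACE, encdns)
        # Without ENCDNS the cleartext DNS is exactly what the policy compiles
        # to (0 mismatches); with ENCDNS the same trace is a policy violation (2).
        print(f"ENCDNS defined={encdns}: mismatches={len(leaks)}")
```

With ENCDNS undefined the cleartext DNS in the trace is consistent with the compiled policy, which is the point of the thread: it is the shipped definition, not a broken tunnel, that excludes DNS.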
> -----Original Message-----
> From: Chilton Tim [SMTP:[EMAIL PROTECTED]]
> Sent: Friday, July 28, 2000 12:23 AM
> To: [EMAIL PROTECTED]
> Subject: [FW1] SecureRemote - DNS not encrypting
>
>
> Hi,
>
> I've been looking at a problem with SecureRemote where DNS is not encrypting
> (which puzzles me since I can think of no reason any sysadmin would want
> their entire internal DNS internet visible!)
>
> Tech stuff
>
> FW - NT4, SP6a, CP2000 4.1 SP1 +hotfix (build 41603)
> Client NT4, SP6a, SR build 4157
> Encryption rule is using FWZ encryption.
>
> Client encryption rule
> SRUsers Any Any Client Encrypt
>
> I can dial-up, authenticate and do everything except DNS queries (which
> show as unencrypted in a packet trace on the workstation).
>
> The CP2000 VPN book includes a section on encrypting DNS and I've done the
> dnsinfo.c, userc.c updates etc.; however, the crypt.def update does not in
> any way match the code that is already there. There is an "#ifdef
> SECUREREMOTE" code block that appears in the existing curly brace section.
>
> Question: Is the CP2000 book wrong, or does the existing code get removed,
> added before, after, etc.? (Seeing a couple of surrounding lines in the
> printed code extract would be handy!)
>
> Question - Checkpoint -- WHY would I not want to encrypt internal DNS
> queries like the rest of my traffic? After all, the rule base that I
> want to download says "Remote -> Any for Any" -- not "Remote -> Any for
> anything but DNS".
>
> Anyone seen this or, better still, know of a fix?
>
> Cheers
>
> Tim
================================================================================
To unsubscribe from this mailing list, please see the instructions at
http://www.checkpoint.com/services/mailing.html
================================================================================