You should use RFC1918 addresses for your DMZ/Bastion hosts (10.0.0.0, 192.168.0.0, etc.).

Set your router to block RFC1918 with an access list (they shouldn't be coming in/out anyway, but just in case...).

Set up FW-1 to ARP for the "outside/routeable" address of each DMZ/bastion host and use NAT to get the packets to the right host (this involves a local.arp entry, a static host route on FW-1, and the appropriate rules/NAT rules).

This way, if you stop the fw services, no NAT can occur even if routing can (NAT is performed by the FW-1 process). If someone is hitting 200.200.200.200 and FW-1 crashes, it's no longer going to be NATted to 10.10.10.10, and that means the host will toss it. They can't reach 10.10.10.10 because RFC1918 is blocked at the router.

(Make sure the ONLY default route you have is to the INTERNET, btw.)
----- Original Message -----
From: <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Thursday, January 18, 2001 3:46 PM
Subject: [FW1] Possible NT IpForwarding Security Issue.
>
> Hi,
>
> One question has been occupying us for the past day:
>
> If the Firewall service goes down or is stopped by mistake, Windows NT is still
> alive and IP forwarding is enabled. Would the NT server route packets to the
> protected server in the internal network or in the DMZ?
>
> Sylvain
>
================================================================================
To unsubscribe from this mailing list, please see the instructions at
http://www.checkpoint.com/services/mailing.html
================================================================================
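As an added example (not part of the original thread), this is what the three pieces described in the reply look like when written out: the router access list blocking RFC1918 in both directions, the FW-1 local.arp entry that makes the firewall answer ARP for the public address, and the NT static host route. It assumes a Cisco IOS border router, FW-1 4.x on Windows NT, and the 200.200.200.200 / 10.10.10.10 pair from the message; the interface name, the MAC address and the file path under %FWDIR% are placeholders, not values from the page.

```text
! --- 1. Border router (Cisco IOS, assumed): drop RFC1918 in and out ---
! Wildcard masks cover 10/8, 172.16/12 and 192.168/16. The "log" keyword
! lets you see if anything ever matches, which would indicate a leak.
ip access-list extended OUTSIDE-IN
 deny   ip 10.0.0.0 0.255.255.255 any log
 deny   ip 172.16.0.0 0.15.255.255 any log
 deny   ip 192.168.0.0 0.0.255.255 any log
 deny   ip any 10.0.0.0 0.255.255.255 log
 deny   ip any 172.16.0.0 0.15.255.255 log
 deny   ip any 192.168.0.0 0.0.255.255 log
 permit ip any any
!
ip access-list extended OUTSIDE-OUT
 deny   ip 10.0.0.0 0.255.255.255 any log
 deny   ip 172.16.0.0 0.15.255.255 any log
 deny   ip 192.168.0.0 0.0.255.255 any log
 deny   ip any 10.0.0.0 0.255.255.255 log
 deny   ip any 172.16.0.0 0.15.255.255 log
 deny   ip any 192.168.0.0 0.0.255.255 log
 permit ip any any
!
interface Serial0
 description Link to the Internet (placeholder interface name)
 ip access-group OUTSIDE-IN in
 ip access-group OUTSIDE-OUT out

REM --- 2. FW-1 on NT: %FWDIR%\conf\local.arp (path assumed) ---
REM One line per public address: <public IP> <MAC of the FW-1 OUTSIDE interface>.
REM NT builds use hyphens in the MAC. 00-a0-c9-12-34-56 is a constructed placeholder.
200.200.200.200 00-a0-c9-12-34-56

REM --- 3. FW-1 on NT: persistent static host route for the public address ---
REM Points the /32 for the public address at the bastion host's real (RFC1918)
REM address on the DMZ interface, so that after FW-1 translates the destination
REM the packet is sent out the DMZ leg. The only default route stays toward
REM the Internet.
route -p add 200.200.200.200 mask 255.255.255.255 10.10.10.10

REM --- 4. Static NAT rule in the Security Policy (rulebase, not a file) ---
REM Original: src any, dst 200.200.200.200   ->  Translated: dst 10.10.10.10
REM Original: src 10.10.10.10, dst any       ->  Translated: src 200.200.200.200
```

The check that matters is the failure case the reply describes: with the fw service stopped, a packet for 200.200.200.200 still reaches the NT box (the local.arp answer is gone, but the router may have the ARP entry cached), is no longer translated, and is routed per the host route to 10.10.10.10, which discards it because the destination address is not its own; nobody outside can address 10.10.10.10 directly because the router's OUTSIDE-IN list drops it. Reinstall the policy (fw load / fwstop, fwstart) after editing local.arp, and confirm with a capture on the DMZ segment that nothing arrives with a public destination address while FW-1 is down.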