Re: [FW-1] How to connecto to 2 ISP's?

2002-06-04 Thread Shimon Silberschlag
But you can assign static address/routes for the VPN endpoints, yes? Shimon Silberschlag +972-3-9352785 +972-51-207130 - Original Message - From: Don [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Monday, June 03, 2002 17:31 Subject: Re: [FW-1] How to connecto to 2 ISP's? Or you can

Re: [FW-1] How to connecto to 2 ISP's?

2002-06-04 Thread Nico De Ranter
On Mon, Jun 03, 2002 at 09:24:37AM -0700, Ramesh Ragineni wrote: I totally agree with this solution: Instead of going to two different ISP, I would say going through a Larger ISP with two different POP locations, will give pretty much good redundancy and BGP will be much much cheaper for you

Re: [FW-1] How to connecto to 2 ISP's?

2002-06-04 Thread Nico De Ranter
Hmm, but that probably also means a higher load on the Internet connections and the possibility of timeouts if our DNS doesn't reply fast enough :-( Nico On Tue, Jun 04, 2002 at 09:52:52AM +0200, Samuel Wuethrich wrote: As far as I know, Linkproof use very little DNS TTL so in case of a link

Re: [FW-1] How to connecto to 2 ISP's?

2002-06-04 Thread Shimon Silberschlag
Linkproof sets the TTL for the DNS reply to 0 (zero). Shimon Silberschlag +972-3-9352785 +972-51-207130 - Original Message - From: Nico De Ranter [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Tuesday, June 04, 2002 09:02 Subject: Re: [FW-1] How to connecto to 2 ISP's? Wow, never

[FW-1] FP1 problem Name Already Used!

2002-06-04 Thread Slim ZOUAOUI
Guys, I have a weird problem in my firewall. Here is the config that I have IP440 IPSO 3.5 Checkpoint 4.1 SP2 I have done the following: Install SVN Foundation NG FP1 Upgraded the firewall module from 4.1 SP2 to NG FP1 Upgrade Policy Editor from 4.1 to NG FP1 After

Re: [FW-1] Mail in spool dir to other server

2002-06-04 Thread Reinhard Stich
At 20:43 03.06.2002 +0200, you wrote: Hello, My ISP changed the ip-address of the forwarding mailserver to send outbound smtp-mail to. Now I'm stuck with some emails that need to be re-routed to another mail-relay on the internet. How can I resend them to that other server? change the

Re: [FW-1] FP1 problem Name Already Used!

2002-06-04 Thread Reinhard Stich
At 10:55 04.06.2002 +0200, you wrote: Here is the config that I have IP440 IPSO 3.5 Checkpoint 4.1 SP2 I have done the following: Install SVN Foundation NG FP1 Upgraded the firewall module from 4.1 SP2 to NG FP1 Upgrade Policy Editor from 4.1 to NG FP1 After doing all this, the firewall

Re: [FW-1] How to connecto to 2 ISP's?

2002-06-04 Thread Lars Troen
Then Checkpoint would have to implement a dns server into firewall-1. Well, Meta IP is a Checkpoint DNS server, but I really doubt that they will implement such features anytime soon. Lars -Original Message- From: Andreas Ballack [mailto:[EMAIL PROTECTED]] Sent: Tuesday, June 04,

Re: [FW-1] How to connecto to 2 ISP's?

2002-06-04 Thread Don
Using two connections to the same ISP will give good redundancy in case one of the connections goes down however it won't help if your ISP goes bankrupt. And that's currently my major concern :-( Pick an ISP that is big enough such that if they go bankrupt, the whole Internet is in trouble

Re: [FW-1] How to connecto to 2 ISP's?

2002-06-04 Thread Don
But you can assign static address/routes for the VPN endpoints, yes? I have no idea what this means. When you define your encryption domain under checkpoint, you also define the firewall it sits behind. That firewall has an IP address. If that IP address changes for some reason, then your VPN

Re: [FW-1] How to connecto to 2 ISP's?

2002-06-04 Thread Don
Hmm, but that probably also means a higher load on the Internet connections and the possibility of timeouts if our DNS doesn't reply fast enough :-( The timeout of zero simply means do not cache the entry. It does not affect the core operation of DNS however. You are correct in that there will

[FW-1] M$ Terminal services with NG FP2 Win2k

2002-06-04 Thread Kolak Michal
Hi all, I have just installed NG FP2 on Win2k server. I got a problem. When I installed CP FW-1 FP2 - Terminal services was disabled. When I set up TS as automatic and I reboot server - Cp Firewall-1 service was disabled. When I enable one of these services the other one is disabled ( windows disabled

[FW-1] Static NAT Question

2002-06-04 Thread Christopher Collins
If I have multiple mail servers on the internal network, can they all share the same NATd external address? This is NT4, 4.1 SP5.

Re: [FW-1] Static NAT Question

2002-06-04 Thread Don Strapp
Hide nat yes - static nat no -Original Message- From: Mailing list for discussion of Firewall-1 [mailto:[EMAIL PROTECTED]] On Behalf Of Christopher Collins Sent: Tuesday, June 04, 2002 4:39 PM To: [EMAIL PROTECTED] Subject: [FW-1] Static NAT Question If I have

Re: [FW-1] Static NAT Question

2002-06-04 Thread Gerrit padgham
No, you could however have them appear to be from a single IP address if you set up load balancing instead. - Gerrit Padgham -Original Message- From: Mailing list for discussion of Firewall-1 [mailto:[EMAIL PROTECTED]] On Behalf Of Christopher Collins Sent: Tuesday, June

Re: [FW-1] Static NAT Question

2002-06-04 Thread Hal Dorsman
Don, your answer is technically correct, but likely to confuse the poster more. If he is running mail servers, hide nat would be worthless, since the obvious need for connecting to the mail servers from the outside. Static nat would obviously be required, but if you think about the IP

[FW-1] Filtering incoming SMTP from your domain via SS

2002-06-04 Thread Coleman, Clayton
Here's the scenario: We block all incoming mail not destined for our mail domains (to block relay) but we are also considering not allowing people to deliver mail to us that appear to come from our domain. Confusing? Simply put, should

Re: [FW-1] How to connecto to 2 ISP's? - using one Checkpoint VPN /Firewall

2002-06-04 Thread Russell Washington
To summarize, you're planning to connect pipes from 2 ISPs into your firewall, with the 3rd NIC going to the LAN. Yes, it's physically possible, but it may not give you the 'redundancy' many think they have when they implement this kind of setup. If your purpose is to allow a backup route to

Re: [FW-1] How to connecto to 2 ISP's?

2002-06-04 Thread Bob Brandt
BGP is really the only general purpose solution. Products like radware may address the problem for an inbound web site, but if you want high availability for any service, you really need to route, and preferably do it with at least 2 different ISPs. Picking a big one, which won't go out of

Re: [FW-1] Static NAT Question

2002-06-04 Thread Don
If I have multiple mail servers on the internal network, can they all share the same NAT'd external address? This is NT4, 4.1 SP5. You could perform port address translation, but since they are all mail servers, you would most likely want every server to be uniquely accessible on port 25. You

Re: [FW-1] Filtering incoming SMTP from your domain via SS

2002-06-04 Thread Russell Washington
I'm a little confused. If someone is sending legitimate email to [EMAIL PROTECTED], you're accepting it. If the 'from' email address is forged to be [EMAIL PROTECTED], but the to address is still [EMAIL PROTECTED], there is a legitimate recipient for the message on your network.

[FW-1] CPD Fails to start on cpstart

2002-06-04 Thread Kalat, Andrew (ISS Atlanta)
I thought I'd bump this one more time with hopes that anyone has encountered a cpd process that cpstart fails to start up, but can be started manually as root. Thanks. Andy -Original Message- From: Kalat, Andrew (ISS Atlanta) Sent: Friday, May 31, 2002 4:40 PM To: [EMAIL PROTECTED]

[FW-1] Securemote (build 4199) on Win2k server not working

2002-06-04 Thread Alan Choyna
Hi people. We're running an ip440 with 4.1 SP3 and am trying to get an affiliate company to VPN into our network. He's using Securemote (Build 4199) on Win2k Server, and is sitting behind a Nokia IP330. I can see him authenticate when he updates his policy, but he cannot ping, ftp (or

Re: [FW-1] Filtering incoming SMTP from your domain via SS

2002-06-04 Thread Marlo Montanaro
We have remote users (usually from their home computers) who like to be able to reply to messages, or send new messages, and have everything look as if the email came from the company mail server. Additionally, all of our outgoing email

Re: [FW-1] Static NAT Question

2002-06-04 Thread Christopher Collins
OK. I need multiple addresses. Is there any limit to how many entries there can be in the Local.arp file? With these additional addresses, I will be up to almost 30 using a single external NIC. Thanks for all your responses.

Re: [FW-1] Filtering incoming SMTP from your domain via SS

2002-06-04 Thread Dan Hitchcock
Sure. Just specify a resource with *@foxboro.com as the source, * as the destination, and make the action "drop" in the rulebase. HTH Dan Hitchcock CCNP, CCSE, MCSE Security Operations Technical Lead Breakwater Security Associates,

Re: [FW-1] Static NAT Question

2002-06-04 Thread Jim Parker
Could the answer be to use static nat to one smtp host such as mailsweeper and then use individual private addressing on the internal mail servers? The mailsweeper (or something similar) could forward mail to the correct internal domains? Just an idea jp -Original Message-

Re: [FW-1] Securemote (build 4199) on Win2k server not working

2002-06-04 Thread John Chalifoux
Hi, I had something like that happen. I couldn't ping, trace or do anything. It turned out that the machine, which was in my DMZ, had a FW policy that restricted communication to the internal network. You might want to check this out with your FW guy again just to be sure. John Chalifoux

Re: [FW-1] [fw1-wizards] Need to ignore an interface...

2002-06-04 Thread Jim Parker
This is no longer an option in NG right? -Original Message- Subject: Re: [fw1-wizards] Need to ignore an interface... -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Jon Chelton wrote: Is there a way to make Checkpoint completely ignore qe1 and qe2? Set qe1 and qe2 to No

[FW-1] XP Pro SecuRemote 4.1 SP5

2002-06-04 Thread Leuthardt, Eric
Anyone have any ideas how to configure this for a DUN connection. We can successfully ping and tracert, but can't ftp or terminal server. Thanks -- Eric D. Leuthardt MOUS, A+, i-Net+, Network+, CIW, MCSA, CCA Network Administrator Reliable Reports, Inc. 1165 S Stemmons Suite 233 Lewisville, TX

[FW-1] Client Auth

2002-06-04 Thread Peter Goodridge
Hi, I'm setting up a stand alone NG FP2 box on linux, that will be used to give users access to a webserver using Client Auth with SSL on port 443. I'm using ssl with a verisign test certificate, and it seems to work fine. There's only one strangeness. When you first go to the site using the DNS

Re: [FW-1] Filtering incoming SMTP from your domain via SS

2002-06-04 Thread Coleman, Clayton
You were correct in saying we want to prevent spammers from dumping things into our net and have them appear to be from our net. In one example: Let's say someone sitting on their home dialup does this to our Internet SMTP server: MAIL FROM: [EMAIL PROTECTED] RCPT TO: [EMAIL

Re: [FW-1] Securemote (build 4199) on Win2k server not working

2002-06-04 Thread Alan Choyna
He has set these rules up at the top of his policy on his ip330. The int_Win2kServ_PC is an internal workstation object (it has an external ip using hiding NAT), while the ext_CST_FW is a workstation object with our external ip address: Rule Source Destination Service

Re: [FW-1] How to connecto to 2 ISP's? - using one Checkpoint VPN /Firewall

2002-06-04 Thread Raymond Hoffman
Don and Russell, Many thanks. It is now clear what the planners had in mind and you both have armed me well. Already I spoke with one ISP this morning about my situation (a network engineer will be getting back to me). Tomorrow, I have another meeting with a different provider. With the