"I know that most people use "fw unloadlocal" for troubleshooting purposes
and they want to see if the firewall passes traffic without any security
policies. Now if routing is disabled
by "fw unloadlocal" then no traffic can route across the firewall. How
stupid can that be?"
Turning off the firewall to see if it will pass traffic is about as stupid
as you can get for an Internet-connected firewall. The only times I have
needed "fw unloadlocal" is when a policy screw-up prevented me from
accessing the firewall for management. I would never want routing enabled if
there wasn't a policy loaded.
As far as changing the default value, no doubt it's been a default too long
and it may break stuff that depends on it. It's like Microsoft's "dead
gateway detection", on by default since NT. MS has a KB where they recommend
you disable it to harden the box. That one should be changed as well, but
who knows what that will break?
Your mileage may vary, :-)
Ray
From: cisco4ng <cisco4ng AT YAHOO DOT COM>
Reply-To: Mailing list for discussion of Firewall-1
<FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM>
To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
Subject: [FW-1] Questions regarding "fw unloadlocal" and
"ipsec_dont_fragment"
Date: Fri, 22 Apr 2005 10:49:30 -0700
All,
I have a Checkpoint site-to-site VPN that will transfer about 40GB of data
between them. When I read the Checkpoint release notes, Checkpoint recommends
that I use dbedit to modify the parameter "ipsec_dont_fragment" from "true"
to "false" so that large file transfers across the VPN tunnel will not
drop unexpectedly. Here is my question:
1) If that is true, why doesn't checkpoint make the ipsec_dont_fragment
parameter "false" by default?
2) What is the downside or side-effect for making ipsec_dont_fragment from
"true" to "false"?
I could never get a straight answer on this one from Checkpoint TAC.
They must be smoking crack or something.
next question:
When I perform "fw unloadlocal" on SPLAT or Nokia, IP forwarding is
disabled as well. This means that on Nokia and SPLAT routing is stopped
at that point. To enable routing on SPLAT I have to perform
"echo 1 > /proc/sys/net/ipv4/ip_forward" or "ipsofwd on admin". Here
is my question:
1) Why in the world does Checkpoint want to do that? I understand that
they don't want the firewall to be vulnerable during the boot process
(even though the booting process only takes a few minutes)
but turning off routing when performing "fw unloadlocal" just doesn't
make sense. I know that most people use "fw unloadlocal" for
troubleshooting purposes and they want to see if the firewall passes
traffic without any security policies. Now if routing is disabled
by "fw unloadlocal" then no traffic can route across the firewall.
How stupid can that be?
2) Is it possible to keep routing enabled on SPLAT or Nokia boxes after
"fw unloadlocal" without using "echo 1 > /proc/sys/net/ipv4/ip_forward"
or "ipsofwd on admin"?
Thanks.
cisco4ng
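The thread above argues that IP forwarding should not be turned back on unless a policy is actually enforcing. Below is an added example (not code from either poster or from Check Point) of a small shell check for a SecurePlatform box that decides whether to re-enable /proc/sys/net/ipv4/ip_forward based on what "fw stat" reports. The assumed "fw stat" output layout (a "HOST POLICY DATE" header line followed by "localhost <policy> <date>", with "-" in the policy column after "fw unloadlocal") and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: gate the "echo 1 > /proc/sys/net/ipv4/ip_forward" step on a
# real policy being loaded. Assumes the second line of "fw stat" looks like
# "localhost <POLICY> <DATE ...>" and shows "-" when no policy is loaded.

# Constructed sample "fw stat" lines (not captured from a real gateway).
SAMPLE_LOADED="localhost Standard 22Apr2005 10:49:30 :  [>eth0] [<eth0]"
SAMPLE_UNLOADED="localhost -        -"

# policy_loaded LINE -> exit 0 if LINE names an enforcing policy, 1 otherwise.
# InitialPolicy and defaultfilter are the boot-time placeholder policies and
# are treated as "not enforcing" here.
policy_loaded() {
    set -- $1
    case "$2" in
        ""|-|InitialPolicy|defaultfilter) return 1 ;;
        *) return 0 ;;
    esac
}

# forwarding_decision FWSTAT_LINE CURRENT_IP_FORWARD -> prints one word:
#   enable  - policy loaded, forwarding is off: safe to write 1 to ip_forward
#   keep    - policy loaded, forwarding already on: nothing to do
#   block   - no policy loaded: leave (or set) ip_forward at 0
forwarding_decision() {
    line=$1
    cur=$2
    if policy_loaded "$line"; then
        if [ "$cur" = "1" ]; then echo keep; else echo enable; fi
    else
        echo block
    fi
}

# live_decision: same check against the running box (assumes fw is in PATH).
live_decision() {
    forwarding_decision "$(fw stat 2>/dev/null | sed -n '2p')" \
                        "$(cat /proc/sys/net/ipv4/ip_forward 2>/dev/null)"
}

# Demo on the constructed samples; an operator would act only on "enable".
forwarding_decision "$SAMPLE_LOADED" 0     # enable
forwarding_decision "$SAMPLE_UNLOADED" 0   # block
```

Only the "enable" result justifies the "echo 1 > /proc/sys/net/ipv4/ip_forward" step; after "fw unloadlocal" the policy column is "-" and the check returns "block".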
=================================================
To set vacation, Out-Of-Office, or away messages,
send an email to LISTSERV AT amadeus.us.checkpoint DOT com
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
fw-1-owner AT ts.checkpoint DOT com
=================================================