Thanks for your attention, Paolo.
It could be a great solution. I think I'll try it in a test environment.
-----Original Message-----
From: Mailing list for discussion of Firewall-1 [mailto:FW-1-MAILINGLIST AT
AMADEUS.US.CHECKPOINT DOT COM] On behalf of Paolo Riviello www.paoloriviello.com
Sent: Friday, 19 January 2007 10:42
To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
Subject: Re: [FW-1] R: [FW-1] Routing...
So the last thing I can say is:
you have to look at something that is obviously unsupported by Check Point (I
suppose): "source based routing on Linux".
http://www.linuxhorizon.ro/iproute2.html
In brief, as I found it on the net:
Edit the /etc/iproute2/rt_tables file. As you see below, we have added ID 23
with the alias adsl.
#more rt_tables
#
# reserved values
#
#255 local
#254 main
#253 default
#0 unspec
#
# local
#
#1 inr.ruhep
23 adsl
You may use the following command for this:
#echo 23 adsl >> /etc/iproute2/rt_tables
Then we specify which source IP addresses will use this table:
#ip rule add from 10.0.0.0/24 table adsl   (all LAN IPs will use this table)
Let's point this adsl table's default gateway at RouterB:
#ip route add default via 1.1.1.3 dev eth0 table adsl
We have to add the following route in order to give 10.0.0.x access to the
DMZ:
#ip route add 192.168.0.0/24 dev eth2 table adsl
To activate the changes, type the following:
#ip route flush cache
After a reboot the changes we made will not remain. We have to add all the
commands to the rc.local file to make the changes permanent across reboots.
ip rule add from 10.0.0.0/24 table adsl
ip route add default via 1.1.1.3 dev eth0 table adsl
ip route add 192.168.0.0/24 dev eth2 table adsl
ip route flush cache
So now just try to implement it !!!
--
Paolo Riviello
Home: http://www.paoloriviello.com
E-mail: paolo AT paoloriviello DOT com
E-mail: pao_rivi AT hotmail DOT com
Skype: pao_rivi Icq: 285354822
If men could get pregnant, abortion would be a sacrament. (H)
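The recipe above works because Linux consults a routing policy database (rules) before a routing table, so the source address can select which table is used. The following is an added example, not code from the list post or from Check Point: a small model of that lookup, applied to the poster's layout. Every address, interface and gateway in it is an assumption (172.16.1.0/24 on eth3 for the new network, 172.31.1.0/24 on eth1 for the LAN, 192.168.1.0/24 on eth2 for the DMZ, the partner's router 203.0.113.1 and the new router 198.51.100.1 both on eth0). It also shows the failure mode the post warns about: if the connected LAN/DMZ routes are not copied into the new table, traffic from the new network to the LAN is sent to the new Internet router instead.

```python
"""Model of the Linux policy-routing lookup (RPDB) behind Paolo's recipe.

Added example, not from the original post. All addresses are assumptions:
  eth1  LAN      172.31.1.0/24  -> Internet via partner router 203.0.113.1 (eth0)
  eth2  DMZ      192.168.1.0/24
  eth3  new net  172.16.1.0/24  -> Internet via second router 198.51.100.1 (eth0)
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import Optional

PARTNER_GW = "203.0.113.1"   # assumed: partner's router, today's only default gateway
NEW_GW = "198.51.100.1"      # assumed: the new router for the 172.16 network
NEW_NET = IPv4Network("172.16.1.0/24")
LAN = IPv4Network("172.31.1.0/24")
DMZ = IPv4Network("192.168.1.0/24")
ANY = IPv4Network("0.0.0.0/0")


@dataclass(frozen=True)
class Route:
    prefix: IPv4Network
    dev: str
    via: Optional[str] = None        # None: directly connected network


@dataclass(frozen=True)
class Rule:
    priority: int
    table: str
    src: Optional[IPv4Network] = None  # None: "from all"


# Connected routes the kernel adds by itself, plus the single default route.
MAIN_TABLE = [
    Route(LAN, "eth1"), Route(DMZ, "eth2"), Route(NEW_NET, "eth3"),
    Route(ANY, "eth0", PARTNER_GW),
]


def lookup_table(table, dst):
    """Longest-prefix match within one table; None when the table has no route."""
    best = None
    for r in table:
        if dst in r.prefix and (best is None or r.prefix.prefixlen > best.prefix.prefixlen):
            best = r
    return best


def route(rules, tables, src, dst):
    """Walk the rules in priority order; the first table that yields a route
    decides. Like the kernel, a table with no matching route falls through
    to the next rule instead of dropping the packet."""
    src, dst = IPv4Address(src), IPv4Address(dst)
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule.src is not None and src not in rule.src:
            continue
        hit = lookup_table(tables[rule.table], dst)
        if hit is not None:
            return rule.table, hit.dev, hit.via
    return None


def destination_only():
    """Today's SPLAT setup: one table, routing keyed on destination only."""
    return [Rule(32766, "main")], {"main": MAIN_TABLE}


def source_based(complete=True):
    """Paolo's recipe: a 'from NEW_NET' rule selecting a dedicated table.
    complete=False omits the connected LAN/DMZ routes the post says must be
    copied into that table."""
    newnet = [Route(ANY, "eth0", NEW_GW)]
    if complete:
        newnet += [Route(LAN, "eth1"), Route(DMZ, "eth2")]
    rules = [Rule(100, "newnet", NEW_NET), Rule(32766, "main")]
    return rules, {"main": MAIN_TABLE, "newnet": newnet}


def ip_commands(table_name="newnet", table_id=23):
    """iproute2 commands equivalent to source_based(complete=True)."""
    return [
        f"echo {table_id} {table_name} >> /etc/iproute2/rt_tables",
        f"ip rule add from {NEW_NET} priority 100 table {table_name}",
        f"ip route add default via {NEW_GW} dev eth0 table {table_name}",
        f"ip route add {LAN} dev eth1 table {table_name}",
        f"ip route add {DMZ} dev eth2 table {table_name}",
        "ip route flush cache",
    ]


if __name__ == "__main__":
    public, lan_host = "192.0.2.10", "172.31.1.5"   # constructed sample destinations
    for label, (rules, tables) in (("destination only", destination_only()),
                                   ("source based", source_based())):
        print(f"{label:17} new net -> Internet: {route(rules, tables, '172.16.1.10', public)}")
        print(f"{label:17} LAN     -> Internet: {route(rules, tables, lan_host, public)}")
    print("incomplete table, new net -> LAN:",
          route(*source_based(complete=False), "172.16.1.10", lan_host))
    print("\n".join(ip_commands()))
```

On the box itself the same questions are answered by `ip rule show`, `ip route show table newnet` and, for one flow, `ip route get 192.0.2.10 from 172.16.1.10 iif eth3`, which prints the table and gateway the kernel would actually pick.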
>From: Sergio Alvarez <seralvar AT GMAIL DOT COM>
>Reply-To: Mailing list for discussion of Firewall-1
><FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM>
>To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
>Subject: Re: [FW-1] R: [FW-1] Routing...
>Date: Thu, 18 Jan 2007 12:07:07 -0600
>
>Well, then I have to say sorry my friend... I have no further ideas.
>
>I hope you find a suitable answer.
>
>Regards
>
>On 1/18/07, Scarpati Massimiliano <massimiliano.scarpati AT postevita DOT it>
>wrote:
>>
>>Thanks to all for your answers.
>>Paolo, it's not a solution for me: I can't configure a route in that way on
>>my SPLAT and I don't manage the first router. I think that Sergio has
>>pinpointed the problem. Routes on my SPLAT are based on destination and I
>>can't define a destination for my new route that is "the Internet" (except
>>for the default gateway), but that means all traffic, and I already route
>>my Internet traffic to my partner's first router. Sergio, your workaround of
>>routing all traffic to my partner's router and rerouting the traffic coming
>>from my new net to the second router could be a good solution, but it is
>>not suitable for me... because of the contract policy between me and this
>>partner..........
>>
>>-----Original Message-----
>>From: Mailing list for discussion of Firewall-1 [mailto:
>>FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM] On behalf of Sergio Alvarez
>>Sent: Wednesday, 17 January 2007 19:23
>>To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
>>Subject: Re: [FW-1] Routing...
>>
>>Regular routes are based on destination: you create a route telling a layer
>>3 device what the destination network is and what gateway to use to get
>>there.
>>So if you want to publish particular services behind the enforcement module
>>and ensure that traffic received by the second router you mentioned and
>>destined to those services is sent the proper way, then all you need is a
>>route on that router pointing to the enforcement module.
>>Now, if you want the enforcement module to receive traffic from the new
>>network behind it and send it to the second router while all the rest of
>>the traffic is sent to the first router (default gateway), then you need to
>>know what the destination network would be; otherwise you need source based
>>routing, which is not available on Secure Platform (as far as I know).
>>A good solution would be to use the first router (default gateway) to
>>redirect the traffic the right way, if in fact your partner has a source
>>based routing capable router there. That way you leave a single default
>>gateway on your enforcement module and tell that router to redirect traffic
>>to the second router when the source is that particular network. You might
>>have to do some tweaking on the NAT rules of the firewall for it to
>>identify the new network with a different IP range, so it is possible to
>>distinguish it from the rest of the networks coming through your
>>enforcement module.
>>
>>Hope this helps.
>>
>>Regards
>>
>>
>>On 1/17/07, Paolo Riviello www.paoloriviello.com <pao_rivi AT hotmail DOT com>
>>wrote:
>> >
>> > Massimiliano, usually you should configure just a default gateway which
>> > routes your packets to the public Internet; therefore you must explain to
>> > us where your partner's router is and where the new one is.
>> > Anyway, I think that you must configure some source-traffic rules on your
>> > default gateway (something like a route map on Cisco)... so the default
>> > gateway for your SPLAT remains the same.
>> >
>> >
>> >
>> > --
>> >
>> > Paolo Riviello
>> >
>> >
>> > Home: http://www.paoloriviello.com
>> > E-mail: paolo AT paoloriviello DOT com
>> > E-mail: pao_rivi AT hotmail DOT com
>> > Skype: pao_rivi Icq: 285354822
>> >
>> > If men could get pregnant, abortion would be a sacrament. (H)
>> >
>> >
>> >
>> >
>> >
>> > >From: Markus Schmidt <Markus.Schmidt AT INTERFACE-SYSTEMS DOT DE>
>> > >Reply-To: Mailing list for discussion of Firewall-1
>> > ><FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM>
>> > >To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
>> > >Subject: Re: [FW-1] Routing...
>> > >Date: Wed, 17 Jan 2007 17:18:58 +0100
>> > >
>> > >-----BEGIN PGP SIGNED MESSAGE-----
>> > >Hash: SHA1
>> > >
>> > >Simply add a route via 'sysconfig' (on the command line).
>> > >You're asked to enter some information:
>> > >* Network is your eth3 network (172.16.0.0)
>> > >* Subnet is 255.255.0.0
>> > >* Destination is the router you want to use, and that's all.
>> > >
>> > >Is this the information that helps? Please let me know.
>> > >
>> > >- --
>> > >http://schmidt.bs-server.com
>> > >
>> > >Scarpati Massimiliano schrieb:
>> > > > Hi guys, I'm a beginner with Check Point, so be patient....
>> > > >
>> > > > I have an R55 HFA18 Enforcement Module on Secure Platform and an R55
>> > > > HFA18 management on Windows. On my Enforcement Module I now have 3
>> > > > Ethernet interfaces:
>> > > >
>> > > > Eth0 Private Address......x.x.x.x (172.31.w.w)
>> > > > Eth1 Private Address.....y.y.y.y (172.31.y.y)
>> > > > Eth2 Private Address.....z.z.z.z (192.z.z.z)
>> > > >
>> > > > Now on my SPLAT I have some routes to particular IP addresses and I
>> > > > have a default route that tells my SPLAT to route all the packets from
>> > > > my LAN (Eth1) to a public IP address (a router of a partner that gives
>> > > > me the connectivity to the Internet, not managed by me).
>> > > >
>> > > > I want to implement another network to publish some services, so on
>> > > > the Enforcement Module I added a new Ethernet interface:
>> > > >
>> > > > Eth3 (172.16.h.h)
>> > > >
>> > > > Now my LAN on Eth1 (y.y.y.y) goes to the Internet via my partner's
>> > > > router.
>> > > >
>> > > > I have another router with a public IP address and I want to publish
>> > > > my new machines in the IP class 172.16.h.h via this router.
>> > > >
>> > > > My question is... is it possible to configure my Enforcement Module to
>> > > > route all the packets coming from 172.16.h.h, and only these, that
>> > > > have public IP addresses as destination, to this router?
>> > > >
>> > > > I want to continue to route the packets coming from my LAN on Eth1
>> > > > (172.31.y.y) to my partner's router and to route everything coming
>> > > > from my new Eth3 (172.16.h.h) to the new public IP.
>> > > >
>> > > > If it is possible and someone has a similar config, suggest me the way
>> > > > to do this.
>> > > >
>> > > > Thanks.
>> > > >
>> > > > Mazzz
>> > > >
>> > > > =================================================
>> > > > To set vacation, Out-Of-Office, or away messages,
>> > > > send an email to LISTSERV AT amadeus.us.checkpoint DOT com
>> > > > in the BODY of the email add:
>> > > > set fw-1-mailinglist nomail
>> > > > =================================================
>> > > > To unsubscribe from this mailing list,
>> > > > please see the instructions at
>> > > > http://www.checkpoint.com/services/mailing.html
>> > > > =================================================
>> > > > If you have any questions on how to change your
>> > > > subscription options, email
>> > > > fw-1-owner AT ts.checkpoint DOT com
>> > > > =================================================
>> > >
>> > >-----BEGIN PGP SIGNATURE-----
>> > >Version: GnuPG v1.2.5 (MingW32)
>> > >Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
>> > >
>> > >iD8DBQFFrkxyPVyB00VJC9cRAh6nAJ9vh2YRT3xVTZ9wG/kEo9GBqXoD4ACdFZS3
>> > >ZmT+alBL1LGuJoItfZAhrSw=
>> > >=ZSog
>> > >-----END PGP SIGNATURE-----
>> > >
>> >
>> >
>>
>>
>>
>>--
>>Sergio Alvarez
>>(506)8301342
>>
>>
>
>
>
>--
>Sergio Alvarez
>(506)8301342
>