Subject: Re: [FW-1] randomize tcp sequence number when traversing between interfaces
From: Hugo van der Kooij <hvdkooij AT VANDERKOOIJ DOT ORG>
To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
Date: Mon, 9 Apr 2007 08:31:13 +0200
On Sat, 7 Apr 2007, cisco4ng wrote:

you said:
"At present you make an assumption here based on what 2
routers do with BGP without the data to tell exactly what is going on.

You may very well be putting Check Point on the wrong foot by not
including the proper data."

My assumption is a very valid assumption. By having iBGP with MD5
authentication working across the CP firewall, it proved that the TCP
sequence number was never randomized by the CP firewall, at least with
BGP traffic. Otherwise, my iBGP would not have worked, as demonstrated
by the link provided by Cisco.

You assume that it must break BGP. But that is not the way to stop BGP. If you do not want BGP traffic then do not allow it in your rules. It is that simple.

BGP is known to be volatile with MD5 traffic. So the exception to BGP might be there intentionally. Did you test other traffic? And if you cannot document this with packet traces then you are not explaining things properly. You have the setup so you can provide those traces in minutes. If you wait for someone else to build a setup you are not very efficient.

And as far as this thread goes: until now you did not tell us whether you are using NGX R65 or NGAI R55 or ....
So please be accurate in your report to a mailing list.

Hugo.

--
        hvdkooij AT vanderkooij DOT org http://hugo.vanderkooij.org/
            This message is using 100% recycled electrons.

        Some men see computers as they are and say "Windows"
        I use computers with Linux and say "Why Windows?"
                (Thanks JFK, for the insight.)
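The inference in the quoted paragraph (working iBGP with MD5 across the firewall means the firewall did not rewrite the TCP sequence number) rests on how the RFC 2385 TCP MD5 signature option is built: the digest covers the IPv4 pseudo-header, the fixed TCP header (including sequence and acknowledgement numbers, with the checksum zeroed and options excluded), the payload, and the shared secret. A middlebox that shifts the sequence number without knowing the secret therefore produces a segment the receiver rejects. The following is an added example written for this archive page, not code from either poster or from Check Point; the addresses, port, key, payload and the randomize_isn middlebox model are constructed assumptions for illustration.

```python
import hashlib
import hmac
import ipaddress
import struct
from dataclasses import dataclass, replace

# RFC 2385 "TCP MD5 Signature Option" digest, as used by BGP MD5 authentication.
# Hashed, in order: (1) IPv4 pseudo-header, (2) fixed 20-byte TCP header with the
# checksum field zeroed and options excluded, (3) segment payload, (4) shared key.
# The sequence number sits inside (2), so any device that rewrites it without the
# key invalidates the signature.

TCP_PROTO = 6


@dataclass(frozen=True)
class TcpSegment:
    src: str          # IPv4 source address, dotted quad
    dst: str          # IPv4 destination address
    sport: int
    dport: int
    seq: int
    ack: int
    data_offset: int  # header length in 32-bit words (10 = 20-byte header + 20 bytes of options)
    flags: int
    window: int
    urgent: int
    payload: bytes


def fixed_tcp_header(seg: TcpSegment) -> bytes:
    """The 20-byte TCP header with checksum zeroed, exactly as RFC 2385 hashes it."""
    return struct.pack(
        "!HHIIBBHHH",
        seg.sport, seg.dport,
        seg.seq & 0xFFFFFFFF, seg.ack & 0xFFFFFFFF,
        (seg.data_offset & 0xF) << 4, seg.flags & 0xFF,
        seg.window, 0, seg.urgent,
    )


def pseudo_header(seg: TcpSegment) -> bytes:
    """IPv4 pseudo-header: src, dst, zero byte, protocol, TCP segment length (header + data)."""
    seg_len = seg.data_offset * 4 + len(seg.payload)
    return struct.pack(
        "!4s4sBBH",
        ipaddress.IPv4Address(seg.src).packed,
        ipaddress.IPv4Address(seg.dst).packed,
        0, TCP_PROTO, seg_len,
    )


def tcp_md5_digest(seg: TcpSegment, key: bytes) -> bytes:
    """Compute the 16-byte RFC 2385 digest the sender places in the TCP option."""
    m = hashlib.md5()
    m.update(pseudo_header(seg))
    m.update(fixed_tcp_header(seg))
    m.update(seg.payload)
    m.update(key)
    return m.digest()


def verify_tcp_md5(seg: TcpSegment, key: bytes, received_digest: bytes) -> bool:
    """What the receiving BGP speaker does: recompute and compare in constant time."""
    return hmac.compare_digest(tcp_md5_digest(seg, key), received_digest)


def randomize_isn(seg: TcpSegment, delta: int) -> TcpSegment:
    """Assumed model of a sequence-randomizing firewall: it adds a per-connection
    offset to the sequence number (and would subtract it from the peer's ACKs)
    but leaves the MD5 option untouched because it does not hold the key."""
    return replace(seg, seq=(seg.seq + delta) & 0xFFFFFFFF)


# Constructed sample: an iBGP segment between two private addresses with a
# placeholder payload. All values here are made up for the example.
SAMPLE_KEY = b"example-bgp-secret"
SAMPLE_SEGMENT = TcpSegment(
    src="10.0.0.1", dst="10.0.0.2", sport=40000, dport=179,
    seq=0x11223344, ack=0x55667788, data_offset=10, flags=0x18,  # PSH|ACK
    window=16384, urgent=0, payload=b"constructed BGP KEEPALIVE bytes",
)


def signature_survives_randomization(seg: TcpSegment, key: bytes, delta: int) -> bool:
    """True only if the receiver would still accept the segment after a middlebox
    shifted its sequence number by `delta` while carrying the original digest."""
    digest_as_sent = tcp_md5_digest(seg, key)
    return verify_tcp_md5(randomize_isn(seg, delta), key, digest_as_sent)


if __name__ == "__main__":
    d = tcp_md5_digest(SAMPLE_SEGMENT, SAMPLE_KEY)
    print("unmodified segment verifies:", verify_tcp_md5(SAMPLE_SEGMENT, SAMPLE_KEY, d))
    print("verifies after ISN shift of 0:", signature_survives_randomization(SAMPLE_SEGMENT, SAMPLE_KEY, 0))
    print("verifies after ISN shift of 12345:", signature_survives_randomization(SAMPLE_SEGMENT, SAMPLE_KEY, 12345))
```

Running it shows the unmodified segment verifying and any non-zero shift failing, which is the mechanism behind the quoted argument: a firewall that randomizes sequence numbers must either leave TCP-MD5-signed flows alone (an exception for BGP, as Hugo suggests may be intentional) or be given the key, otherwise the session never establishes. It also shows why Hugo's request for packet traces is the right evidence: a capture on each side of the firewall exposes whether the sequence numbers differ, which the BGP session state alone only implies.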
