RE: [FW1] too many hosts/ how is it calculated
Tomas,
Here's an explanation, thanks to Dameon D. Welch
www.phoneboy.com/fw1
-----------------------
How does FireWall-1 enforce user/node limits on the FireWall-1/n (e.g. Single Gateway) products?
A:
FireWall-1 listens for any IP-based traffic on all interfaces but the one deemed "external" (decided by the user and listed in $FWDIR/conf/external.if). Any time it hears hosts talking to each other with IP on non-external interfaces, it notes the IP addresses of the machines (in $FWDIR/database/fwd.h). Once FireWall-1 has heard 'n' IPs (plus a 10% fudge factor), connections from the 'n+1' hosts will generate emails to root and messages to syslog or the event viewer.

So what are the implications of this? Anything behind your firewall with an IP address will eventually be found out about. This includes non-computer things like printers, coffee makers, etc. Anything with an IP address that talks on your LAN will be heard. Eventually. Also, machines with multiple IP addresses will most likely be counted more than once. Things that don't talk TCP/IP should not be counted at all. Machines talking only AppleTalk, IPX, NetBEUI, etc., should not be counted. Since FireWall-1 only looks for IP traffic, it should safely ignore these machines.

When the license is exceeded by a large number of hosts on a busy network, FireWall-1 will consume itself with logging and mailing out messages about exceeding your license. In many cases, this will cause the firewall to process traffic very slowly, if at all.

There are plenty of ways to "fake out" the license. For example, hide machines behind a choke router, a switch, a proxy server, or another FireWall-1 box. Whether or not Check Point or your FireWall-1 reseller would approve of this (and whether or not this is in violation of the license agreement) is another matter.

(C)1998 Dameon D. Welch, All Rights Reserved.
Your corrections, suggestions, and submissions are welcome. Email to fw1@phoneboy.com.
> -----Original Message-----
> From: Thomas Michaux [mailto:Thomas.Michaux@cfr.net]
> Date: Thursday, April 29, 1999 12:31 PM
> To: fw-1-mailinglist@lists.us.checkpoint.com
> Subject: [FW1] too many hosts/ how is it calculated
>
> Hello,
>
> Can anybody explain to me how FW1 detects the number of protected
> hosts? We have a lot of problems: when we count all the physical
> devices (interfaces) in our LAN it seems OK, but FW1 still sends the
> "too many hosts" warning.
>
> I suppose the number of hosts is based on the ARP table, but it's
> still not clear to me...
>
>
> Thanks in advance,
>
> Thomas Michaux.
>
> (sorry, no time to check the digest...)
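As an added illustration of the counting rule in the FAQ quoted above (example code written for this thread, not Check Point's or phoneboy's), this Python simulation replays a few constructed frames and reports which addresses FireWall-1 would note and which would start generating alerts. The interface names, the addresses, and the exact treatment of the 10% fudge factor are assumptions.

```python
import math
from collections import namedtuple

# One observed frame: ingress interface, layer-3 protocol, source and
# destination addresses (None for non-IP frames, which carry no IP address).
Frame = namedtuple("Frame", "iface proto src dst")

# Constructed sample traffic. le0 stands in for the interface listed in
# external.if; 192.168.1.10 and 192.168.2.10 belong to one multi-homed host.
SAMPLE_FRAMES = [
    Frame("le1", "ip", "192.168.1.10", "192.168.1.20"),
    Frame("le1", "ip", "192.168.1.20", "192.168.1.10"),
    Frame("le1", "ip", "192.168.1.30", "192.168.1.1"),   # printer -> server
    Frame("le1", "ipx", None, None),                     # IPX: never counted
    Frame("le2", "ip", "192.168.2.5", "192.168.2.6"),
    Frame("le2", "ip", "192.168.2.10", "192.168.2.6"),   # 2nd IP of .1.10
    Frame("le0", "ip", "203.0.113.7", "192.168.1.10"),   # external: ignored
]


def audit_hosts(frames, external_ifaces, licensed):
    """Replay frames through the FAQ's counting rule.

    Returns (counted, alerting): every IP address noted on a non-external
    interface, in first-seen order, and the addresses heard after the
    licensed count plus the 10% fudge factor was reached. Assumptions:
    the fudge factor is floor(1.1 * n) and both source and destination
    addresses of a frame are noted.
    """
    threshold = math.floor(licensed * 1.1)
    counted = []
    for f in frames:
        if f.iface in external_ifaces or f.proto != "ip":
            continue  # external interface or non-IP traffic: not heard
        for addr in (f.src, f.dst):
            if addr is not None and addr not in counted:
                counted.append(addr)
    return counted, counted[threshold:]


if __name__ == "__main__":
    counted, alerting = audit_hosts(SAMPLE_FRAMES, {"le0"}, licensed=5)
    print(f"{len(counted)} addresses heard: {counted}")
    print(f"alerts would fire for: {alerting}")
```

Run against a real capture of your internal segments, the same replay shows why an interface count can come out lower than the firewall's tally: a multi-homed machine contributes one entry per address.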