
Re: [FW1] Help on redirect




Hi Loc

Case 1:
In your answer, I need to set up a static NAT, right?
But in our case, sometimes the mail server A.B.C.D
gets a performance problem or we need to take it down.
Both A.B.C.D and A'.B'.C'.D' are official IP addresses.
We have set up sendmail running on A'.B'.C'.D' and
sometimes redirect all connections to A.B.C.D to
A'.B'.C'.D'. Remember that we only want to redirect the smtp service,
not the whole IP address.

Case 2:
The problem is:
- we don't want our users to realise that they are behind a proxy
- many users try to set up their browsers themselves
So we need exactly a transparent web proxy. We have dealt
with IP-filter and it works well. So how about FW-1?



Loc Nguyen wrote:

> Hi Hoa,
>
> I am glad to see a Vietnamese handling firewall security.
>
> Case 1:
> In this case you need to set up a STATIC address translation for your SMTP
> mail server. I assume your SMTP mail server is an internal mail server and
> has an internal IP number of A'.B'.C'.D' and its translated IP number
> (external) is A.B.C.D.
> - Make sure network traffic destined for A.B.C.D is sent to the firewall
> (if you have control of the router then set up a static route for A.B.C.D to
> route to the firewall. If you do not have control of the router then set up
> proxy ARP for A.B.C.D)
> - Add a static route on the firewall machine to forward A.B.C.D network
> traffic to A'.B'.C'.D'. On an NT machine use this command:
>         route -p add A.B.C.D mask 255.255.255.255 A'.B'.C'.D'
> - Create the following Network Address Translations (NATs)
> Original Packet                   Translated Packet
> Src          Dst      Srv         Src       Dst          Srv
> Any          a.b.c.d  smtp        Original  a'.b'.c'.d'  Original
> a'.b'.c'.d'  any      smtp        a.b.c.d   original     original
>
> Case 2:
> I assume that you want to implement a proxy server to support all internal
> traffic to the Internet.
> If that is the case, I recommend your users set up the browser's (Netscape
> or Internet Explorer) proxy to a'.b'.c'.d' port 8081. Then you only need to
> create a security policy to only allow HTTP traffic from the a'.b'.c'.d' proxy
> server to go to the Internet.
>
> I hope this helps.
> If you have any more questions please e-mail me.
>
> Loc Nguyen
>
> -----Original Message-----
> From: HoaTD@netnam.vn [mailto:HoaTD@netnam.vn]
> Sent: Friday, August 27, 1999 8:53 PM
> To: Checkpoint FW-1 Mailing List
> Subject: [FW1] Help on redirect
>
> Hi list
>
> I am a newcomer to this list.
> The question is how can I do a redirect function with FW-1.
>
> Case #1
> Redirect all smtp requests to a.b.c.d to the smtp server on a'.b'.c'.d'
> Original Packet         Translated Packet
> Src    Dst      Srv     Src             Dst             Srv
> Any    a.b.c.d  smtp    Original        a'.b'.c'.d'     Original
>
> Case #2
> Redirect all web requests to the Internet to a transparent proxy on
> a'.b'.c'.d' port 8081
> Original Packet                Translated Packet
> Src    Dst     Srv             Src      Dst             Srv
> Any    Any      80             Original a'.b'.c'.d'     8081
>
> Thanks for any reply
>
> Hoa
>
> --
>  _________________________________________________________________
> |  _|_|    _| _|_|_|_| _|_|_|_|_| _|_|    _|   _|_|   _|      _|  |
> |  _| _|   _| _|           _|     _| _|   _|  _|  _|  _|_|  _|_|  |
> |  _|  _|  _| _|_|_|_|     _|     _|  _|  _| _|_|_|_| _|  _|  _|  |
> |  _|   _| _| _|           _|     _|   _| _| _|    _| _|      _|  |
> |  _|    _|_| _|_|_|_|     _|     _|    _|_| _|    _| _|      _|  |
> |_________________________________________________________________|
> | NetNam - IOIT                 | Thai Duy Hoa                    |
> | Hoang Quoc Viet Str.          | Tel.: +84 (4)8346907 / 90416002 |
> | Cau Giay Dist.                | Fax.: +84 (4)7561888            |
> | Hanoi / Vietnam               | E-Mail: hoatd@netnam.vn         |
> |_______________________________|_________________________________|
>
> ================================================================================
>      To unsubscribe from this mailing list, please see the instructions at
>                http://www.checkpoint.com/services/mailing.html
> ================================================================================

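
Added example (not part of the original thread, and not Check Point code): a first-match NAT rule table in Python modelling the Case 1 and Case 2 rows quoted above. It shows that the smtp-scoped row leaves other services on a.b.c.d untouched, and that the Case 2 row as posted also matches the proxy's own outbound port-80 requests unless a no-translation row precedes it. The addresses are constructed documentation-range placeholders; the first-match model and the exemption row are assumptions of this example, not FW-1 behaviour taken from the thread.

```python
# Added example, not from the thread: first-match NAT table for Case 1 / Case 2.
# All addresses are constructed placeholders from documentation ranges.
from collections import namedtuple

Packet = namedtuple("Packet", "src dst dport")
Rule = namedtuple("Rule", "src dst dport new_src new_dst new_dport")

ANY = ORIGINAL = None          # "Any" in a match column, "Original" in a translate column
MAIL_PUBLIC = "192.0.2.10"     # stands in for a.b.c.d
MAIL_REAL = "192.0.2.20"       # stands in for a'.b'.c'.d' (Case 1)
PROXY = "192.0.2.30"           # stands in for a'.b'.c'.d' (Case 2)

# Case 1: the two rows from Loc's table, scoped to the smtp service (TCP/25).
CASE1 = [
    Rule(ANY, MAIL_PUBLIC, 25, ORIGINAL, MAIL_REAL, ORIGINAL),
    Rule(MAIL_REAL, ANY, 25, MAIL_PUBLIC, ORIGINAL, ORIGINAL),
]
# Case 2: the row from Hoa's table, exactly as posted.
CASE2_AS_POSTED = [Rule(ANY, ANY, 80, ORIGINAL, PROXY, 8081)]
# Assumption of this example: a no-translation row for the proxy placed first.
CASE2_PROXY_EXEMPT = [Rule(PROXY, ANY, 80, ORIGINAL, ORIGINAL, ORIGINAL)] + CASE2_AS_POSTED


def matches(rule, pkt):
    """True when every match column is Any or equals the packet field."""
    return all(want is ANY or want == got for want, got in zip(rule[:3], pkt))


def translate(rules, pkt):
    """Apply the first matching row; unmatched packets pass unchanged."""
    for rule in rules:
        if matches(rule, pkt):
            return Packet(rule.new_src or pkt.src,
                          rule.new_dst or pkt.dst,
                          rule.new_dport or pkt.dport)
    return pkt


if __name__ == "__main__":
    client, site = "203.0.113.5", "198.51.100.9"
    print(translate(CASE1, Packet(client, MAIL_PUBLIC, 25)))       # smtp is redirected
    print(translate(CASE1, Packet(client, MAIL_PUBLIC, 80)))       # other services untouched
    print(translate(CASE2_AS_POSTED, Packet(PROXY, site, 80)))     # proxy redirected to itself
    print(translate(CASE2_PROXY_EXEMPT, Packet(PROXY, site, 80)))  # proxy reaches the site
```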