Re: [FW1] Help on redirect
Hi,
Note that in both cases, FW-1 didn't work.
In case #2, the transparent proxy split the
destination addr (in GET http method) so
I think it should work, but it couldn't.
Stuart Henderson wrote:
> > Case #1
> > Redirect all smtp request to a.b.c.d to smtp server on a'.b'.c'.d'
> >   Original Packet           Translated Packet
> >   Src   Dst       Srv       Src        Dst           Srv
> >   Any   a.b.c.d   smtp      Original   a'.b'.c'.d'   Original
>
> Yes, that should work, although you may have to take care with
> the anti-spoofing rules (check the logs if things aren't getting
> through, specifically look for anything blocked with ruleset 0).
>
> > Case #2
> > Redirect all web request to Internet to a transparent proxy on
> > a'.b'.c'.d' port 8081
> >   Original Packet       Translated Packet
> >   Src   Dst   Srv       Src        Dst           Srv
> >   Any   Any   80        Original   a'.b'.c'.d'   8081
>
> You can't do this with FW-1. The TCP packet received at the proxy
> must contain the original destination address, otherwise it won't
> know where to send it. I think you can do this with the software
> on some Ciscos (but we don't use cisco here, so I can't give you
> any advice) or using the proxy as a tcp/ip gateway and have that
> forward non-port-80 traffic on to the normal router.
>
> Stuart
--
_________________________________________________________________
| NetNam - IOIT | Thai Duy Hoa |
| Hoang Quoc Viet Str. | Tel.: +84 (4)8346907 / 90416002 |
| Cau Giay Dist. | Fax.: +84 (4)7561888 |
| Hanoi / Vietnam | E-Mail: hoatd@netnam.vn |
|_______________________________|_________________________________|
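
Added example, not part of the original thread or of any product named in it: after a destination NAT like Case #2, the TCP destination the proxy sees is its own address, so the only place the original target can still appear is inside the HTTP request. This Python sketch (function names and sample requests are constructed for illustration) shows which requests still carry a destination and which do not.

```python
from urllib.parse import urlsplit

def _host_port(netloc, default_port=80):
    """Split 'host[:port]' into (host, port); None if empty or malformed."""
    try:
        u = urlsplit("//" + netloc)
        return (u.hostname, u.port or default_port) if u.hostname else None
    except ValueError:
        return None

def recover_origin(raw_request: bytes):
    """Return the (host, port) named inside an HTTP request, or None when
    the request itself carries no destination (the NAT has erased it)."""
    head = raw_request.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    parts = lines[0].split()
    if len(parts) != 3:
        return None
    _method, target, _version = parts
    # Absolute-form target, as sent by a client configured to use a proxy.
    if target.lower().startswith("http://"):
        return _host_port(target[len("http://"):].split("/", 1)[0])
    # Origin-form target: the Host header is the only remaining hint.
    hosts = [l.split(":", 1)[1].strip() for l in lines[1:]
             if l.lower().startswith("host:")]
    if len(hosts) != 1:
        return None  # missing or duplicated Host: destination is ambiguous
    # Host is client-supplied: destination ACLs must treat it as untrusted.
    return _host_port(hosts[0])

# Constructed sample requests, as they would arrive on the proxy port.
SAMPLES = {
    "http11_host": b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    "absolute_uri": b"GET http://www.example.com:8000/ HTTP/1.0\r\n\r\n",
    "http10_no_host": b"GET /index.html HTTP/1.0\r\n\r\n",
    "duplicate_host": b"GET / HTTP/1.1\r\nHost: a.example\r\nHost: b.example\r\n\r\n",
}

if __name__ == "__main__":
    for name, req in SAMPLES.items():
        print(name, "->", recover_origin(req))
```

Any non-HTTP traffic sent to port 80, and any HTTP/1.0 request without a Host header, arrives with no recoverable destination at all.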