June 5th, 2003, 10:10 PM
June 5th, 2003, 10:24 PM
If I remember (haven't been near Checkpoint for a while though), if you apply a hide NAT rule to a network then the NAT rule will apply whenever traffic leaves that network, so you are always going to see traffic from the LAN to the DMZ originating from one IP address.
However, a way around this would first be to prevent the internal LAN from accessing the machines in the DMZ, as this is often not required (usually only admins are going to access the DMZ boxes). Then set up individual access rules for admins depending on which boxes they need to access - i.e. your web server admin can access the web server, etc. - and set up rules for each of those, which will make it easy to track what goes into your DMZ from the LAN.
Everyone else just needs access to the internet (assuming you want to give them it) and not the DMZ.
It might be useful if you could provide some more details on your network, size, etc. to see if this is going to be viable.
Although, come to think of it, do you even need to use NAT between the DMZ and the LAN? Couldn't you just set up the appropriate routes, set up the objects in the firewall and allow straight access between the two segments? (If you want everyone on the LAN to access the DMZ, that is.)
Quis custodiet ipsos custodes
June 5th, 2003, 10:55 PM
Have you checked out Phoneboy's webpage? I find that this is the number 1 source for all Checkpoint-related problems.
and his new upcoming site:
There were so many fewer questions when the stars were still just the holes to heaven - JJ. I sure could use a vacation from this bull$hit, three-ringed circus side show of freaks. - Tool.
June 11th, 2003, 04:18 AM
What I've done in the past by policy is that internal addresses are not allowed, but admins would have a static route to the DMZ zone. Check out icsalab for the firewall wizards list; lots of Nokia sage members there.
June 11th, 2003, 04:46 AM
Thanks for all the help, but nothing I have tried so far has worked (ok, I haven't really had enough quality time to sit down and tackle this head-on yet), but here are my thoughts:
1) Unfortunately, I have more than a few services running in the DMZ that both LAN and WAN users need access to (mail gateways, web apps, etc.). Really, all my LAN users have the same basic access to the boxes in the DMZ that they do to the internet (http, https, smtp, etc.).
2) There are static routes set from the LAN to the DMZ on the Nokia router, but if I do not set some sort of NAT rules on the LAN object in the Dashboard I get no internet connectivity for my LAN at all. I've tried using both hide and static, and setting up my own NAT rules in the Dashboard, but none have the effect I want (which is to not NAT LAN-to-DMZ traffic). If I apply NAT to the LAN object, it NATs the traffic no matter what its destination, hiding behind whatever interface it leaves, instead of hiding behind selective interfaces. Maybe I'm just not looking deep enough into this.
3) In iptables I was able to set my NAT rules based on post-routing packet mangling, meaning that the firewall did not apply the address translation until routing decisions had been made and the packet was leaving a specific interface. With this I could make a rule that said something like the following: "only NAT traffic leaving the WAN interface (eth-whatever), despite its source." I'd like to do the same with Checkpoint, but as far as I can see, NAT rules apply to objects, be those objects networks or hosts. The NAT rules do not seem to apply to interfaces. It should be very simple to write a rule that says, "If traffic goes from the LAN to the DMZ, don't apply NAT and route it regularly. If it goes from the LAN to the WAN, then go ahead and apply NAT." But I can't figure out how the heck to do that yet. I'll admit: I'm pretty green with Checkpoint, but in truth, I'm missing the good old days of iptables scripting. I'm beginning to hate this Dashboard GUI.
4) Like I stated earlier, my firewall runs perfectly well as a firewall. I don't want to change my firewall policy. I want to change the behavior of NAT, since my current NAT rules are screwing with my IDS. Because of this NAT problem I am either getting 2 alerts (one from the true source, and then one from the same source with a NATted address), or I am getting all my alerts coming from the same NATted address. I'd hate to not be able to monitor LAN-to-DMZ traffic, or to have to deal with double alerts for every alert an internal host sets off.
Thanks for all the help thus far guys.
June 11th, 2003, 03:47 PM
tolstoy, it's almost a year since I saw such a firewall from up close, but I think it works as follows:
Checkpoint rules are checked in DB order; therefore you can limit the NAT to a certain eth interface. You should set the internal network rule first (not to do a NAT when going to the DMZ).
Let's say 'net-a' is a group with your internal net and your DMZ; set this to be source: net-a, destination: net-a, service: any (for the original).
Set translated to:
source: Orig, destination: Orig, service: Orig
Then you should add a second rule to NAT your net-a traffic to the WAN interface, otherwise you will lose all internet connectivity.
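The ordering Vic describes (a "translate to Orig" rule for net-a to net-a placed above the hide rule) works because the NAT rulebase is evaluated top-down and the first match wins. The following is an added example, not code from the thread or from Check Point: a small first-match model of such a rulebase, with constructed addresses (10.1.0.0/16 for the LAN, 192.168.100.0/24 for the DMZ, 203.0.113.1 as the hide address), that shows the LAN-to-DMZ packet keeping its real source with the correct order, the IDS symptom tolstoy reported when the hide rule comes first, and a check for rules that an earlier rule shadows. It also covers the iptables point from the earlier post, where the same effect is expressed by matching the egress interface instead of the destination network.

```python
"""First-match NAT rulebase model (added example; constructed topology).

Models the Check Point-style NAT rulebase discussed in the thread: rules are
evaluated in order and the first match decides the translation, so a
'no translation' (Orig/Orig/Orig) rule for LAN<->DMZ must sit above the
hide rule. All addresses, names and rules below are assumptions for
illustration, not the poster's real configuration.
"""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Constructed addressing (assumption). HIDE_ADDR uses TEST-NET-3.
LAN = ip_network("10.1.0.0/16")
DMZ = ip_network("192.168.100.0/24")
NET_A = [LAN, DMZ]            # the 'net-a' group: internal net + DMZ
HIDE_ADDR = "203.0.113.1"     # firewall external address for hide NAT


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int


@dataclass(frozen=True)
class NatRule:
    name: str
    src_nets: list             # original source match; [] means any
    dst_nets: list             # original destination match; [] means any
    hide_behind: Optional[str] # None means 'Orig' (leave source untouched)


def _matches(addr: str, nets: list) -> bool:
    """Empty list is 'any'; otherwise the address must fall in one network."""
    if not nets:
        return True
    a = ip_address(addr)
    return any(a in n for n in nets)


def apply_nat(rulebase: List[NatRule], pkt: Packet) -> Tuple[str, Packet]:
    """Walk the rulebase top-down; the first matching rule wins.

    Returns (rule name, packet as it leaves the firewall). A sensor on the
    DMZ segment sees exactly the returned packet's source address.
    """
    for rule in rulebase:
        if _matches(pkt.src, rule.src_nets) and _matches(pkt.dst, rule.dst_nets):
            if rule.hide_behind is None:
                return rule.name, pkt                   # Orig/Orig/Orig
            return rule.name, replace(pkt, src=rule.hide_behind)
    return "no matching NAT rule", pkt


def _covers(outer: list, inner: list) -> bool:
    """True if every network in `inner` is inside some network in `outer`."""
    if not outer:              # 'any' covers everything
        return True
    if not inner:              # a specific match cannot cover 'any'
        return False
    return all(any(n.subnet_of(o) for o in outer) for n in inner)


def shadowed_rules(rulebase: List[NatRule]) -> List[str]:
    """Names of rules that can never match because an earlier rule
    matches a superset of their source and destination."""
    shadowed = []
    for i, rule in enumerate(rulebase):
        for earlier in rulebase[:i]:
            if _covers(earlier.src_nets, rule.src_nets) and \
               _covers(earlier.dst_nets, rule.dst_nets):
                shadowed.append(rule.name)
                break
    return shadowed


# Vic's two rules: no translation inside net-a, then hide everything else.
NO_NAT = NatRule("net-a -> net-a : Orig/Orig/Orig", NET_A, NET_A, None)
HIDE = NatRule("net-a -> any : hide behind external", NET_A, [], HIDE_ADDR)

CORRECT_ORDER = [NO_NAT, HIDE]   # no-NAT rule first, as suggested
WRONG_ORDER = [HIDE, NO_NAT]     # hide rule first: no-NAT rule never fires

# Constructed sample traffic: LAN host to a DMZ web server, and to the internet.
LAN_TO_DMZ = Packet("10.1.2.3", "192.168.100.10", 80)
LAN_TO_WAN = Packet("10.1.2.3", "198.51.100.7", 443)

if __name__ == "__main__":
    for label, rb in (("correct", CORRECT_ORDER), ("wrong", WRONG_ORDER)):
        for pkt in (LAN_TO_DMZ, LAN_TO_WAN):
            rule, out = apply_nat(rb, pkt)
            print(f"{label:7} {pkt.src} -> {pkt.dst}: IDS sees src {out.src} ({rule})")
        print(f"{label:7} shadowed rules: {shadowed_rules(rb)}")
```

In the iptables version the original poster describes, the same split is made on the egress interface rather than the destination network: a `POSTROUTING` rule in the `nat` table with `-o <wan-interface>` (for example `-j MASQUERADE`) only fires for packets routed out the WAN side, so LAN-to-DMZ traffic never reaches it. The Check Point rulebase has no interface match in this model, which is why the explicit Orig/Orig/Orig rule above the hide rule is needed; `shadowed_rules` is the check to run whenever that ordering is changed.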
June 11th, 2003, 10:27 PM
Thanks Vic, worked like a charm. I had thought to take rule precedence into account, but I never thought to make a NAT rule that actually specified no NAT at all. Like you suggested, my top-most rule specifies source=orig, dest=orig (no translation) and my bottom-most rules are Checkpoint-generated (by using their hide mode). Awesome. Thank you.