Checkpoint FW-1, Solaris Routing, and Two ISPs

Checkpoint FW-1, Solaris Routing, and Two ISPs

Post by Scott Dep » Tue, 19 Jun 2001 23:32:49



Hello,

I have FW-1 running on Solaris 7 with two Internet connections and two
DMZs.  Each DMZ contains various Web, mail, etc. servers.  At the
present time, I'm using 4 interfaces on a single firewall to route
between the 4 networks.  All routing is static and I'm unable to
undertake something more complex.  The configuration is not intended
to provide redundancy or load sharing.  It is simply meant to provide
separate services to two different groups of clients.

My question is the following...  Is there any way to force outgoing
traffic back down the same route that it entered?  I've discovered
that two default routes can be defined on the firewall but they are
used in a round robin fashion and my requirement is very strict that
outbound traffic must take the same path it entered.  I did try rules
on the firewall to block misdirected outbound traffic hoping the other
route would pick up but that didn't work as I expected.

Am I missing a way to achieve this or should I toss a few more $k at
this and deploy a second firewall?

Thanks!


Checkpoint FW-1, Solaris Routing, and Two ISPs

Post by mayer han » Wed, 20 Jun 2001 03:40:16


hi scott !

in the subject you speak about 2 isps.
if you have 2 isps, you can't do this with 2 default routes.

you have to look for your own c-class ip-range
( service provider independent ) if you haven't.
then you have to ask your isp's to route your
network for example with bgp
( and of course you have to setup bgp in your fw-box )



>I have FW-1 running on Solaris 7 with two Internet connections and two
>DMZs.  Each DMZ contains various Web, mail, etc. servers.  At the
>present time, I'm using 4 interfaces on a single firewall to route
>between the 4 networks.  All routing is static and I'm unable to
>undertake something more complex.  The configuration is not intended
>to provide redundancy or load sharing.  It is simply meant to provide
>separate services to two different groups of clients.

>My question is the following...  Is there any way to force outgoing
>traffic back down the same route that it entered?  I've discovered
>that two default routes can be defined on the firewall but they are
>used in a round robin fashion and my requirement is very strict that
>outbound traffic must take the same path it entered.  I did try rules
>on the firewall to block misdirected outbound traffic hoping the other
>route would pick up but that didn't work as I expected.

--
best regards from vienna           |  
hans                               |   mayer (at) relay.bfl.at_SPAM


Checkpoint FW-1, Solaris Routing, and Two ISPs

Post by hal » Wed, 20 Jun 2001 02:50:18
>Hello,

>I have FW-1 running on Solaris 7 with two Internet connections and two
>DMZs.  Each DMZ contains various Web, mail, etc. servers.  At the
>present time, I'm using 4 interfaces on a single firewall to route
>between the 4 networks.  All routing is static and I'm unable to
>undertake something more complex.  The configuration is not intended
>to provide redundancy or load sharing.  It is simply meant to provide
>separate services to two different groups of clients.

>My question is the following...  Is there any way to force outgoing
>traffic back down the same route that it entered?  I've discovered
>that two default routes can be defined on the firewall but they are
>used in a round robin fashion and my requirement is very strict that
>outbound traffic must take the same path it entered.  I did try rules
>on the firewall to block misdirected outbound traffic hoping the other
>route would pick up but that didn't work as I expected.

>Am I missing a way to achieve this or should I toss a few more $k at
>this and deploy a second firewall?

>Thanks!


Scott, I would think that you really should be doing something with
BGP external to your firewall.  Get a Cisco and a BGP AS from your
providers and let your gateway router do the load balancing and
dynamic routing.  Put your firewall with one interface set to default
route to your BGP router.

Hal


Checkpoint FW-1, Solaris Routing, and Two ISPs

Post by Barry Margoli » Wed, 20 Jun 2001 05:00:11
>>Hello,

>>I have FW-1 running on Solaris 7 with two Internet connections and two
>>DMZs.  Each DMZ contains various Web, mail, etc. servers.  At the
>>present time, I'm using 4 interfaces on a single firewall to route
>>between the 4 networks.  All routing is static and I'm unable to
>>undertake something more complex.  The configuration is not intended
>>to provide redundancy or load sharing.  It is simply meant to provide
>>separate services to two different groups of clients.

>>My question is the following...  Is there any way to force outgoing
>>traffic back down the same route that it entered?  I've discovered
>>that two default routes can be defined on the firewall but they are
>>used in a round robin fashion and my requirement is very strict that
>>outbound traffic must take the same path it entered.  I did try rules
>>on the firewall to block misdirected outbound traffic hoping the other
>>route would pick up but that didn't work as I expected.

>>Am I missing a way to achieve this or should I toss a few more $k at
>>this and deploy a second firewall?

>Scott, I would think that you really should be doing something with
>BGP external to your firewall.  Get a Cisco and a BGP AS from your
>providers and let your gateway router do the load balancing and
>dynamic routing.  Put your firewall with one interface set to default
>route to your BGP router.

I don't see how BGP would solve this problem.

What he needs is routing based on source addresses.  I don't think this can
be done with Firewall-1, but it can be done with a Cisco router.  If you
connect both Internet connections to the same Cisco router, you can use
Cisco's "policy routing" feature to select the ISP interface based on the
source address.

--

Genuity, Burlington, MA
*** DON'T SEND TECHNICAL QUESTIONS DIRECTLY TO ME, post them to newsgroups.
Please DON'T copy followups to me -- I'll assume it wasn't posted to the group.
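Barry's policy-routing suggestion, written out as an added Cisco IOS configuration example (not from the thread; the address blocks, interface names and next-hop addresses are constructed placeholders taken from the RFC 5737 documentation ranges). It assumes, as Barry's reply does, that both ISP links terminate on the same router and that each DMZ uses the block assigned by its ISP, so the source address alone identifies which provider a reply must leave through:

```cisco
! Constructed example: DMZ-A is numbered from ISP A's block,
! DMZ-B from ISP B's block (RFC 5737 placeholders).
ip access-list standard SRC-DMZ-A
 permit 192.0.2.0 0.0.0.255
ip access-list standard SRC-DMZ-B
 permit 198.51.100.0 0.0.0.255
!
! Source-based selection of the upstream next hop.
! A packet that matches no clause falls through to the normal
! destination-based routing table, so a catch-all is not needed.
route-map RETURN-PATH permit 10
 match ip address SRC-DMZ-A
 set ip next-hop 203.0.113.1
route-map RETURN-PATH permit 20
 match ip address SRC-DMZ-B
 set ip next-hop 203.0.113.129
!
! Apply the policy on the interface where the firewall's outbound
! packets ARRIVE; PBR is evaluated on ingress, not egress.
interface FastEthernet0/0
 description inside, toward FW-1
 ip address 10.0.0.1 255.255.255.0
 ip policy route-map RETURN-PATH
!
interface FastEthernet0/1
 description ISP A
 ip address 203.0.113.2 255.255.255.128
interface FastEthernet1/0
 description ISP B
 ip address 203.0.113.130 255.255.255.128
!
! Ordinary default route still needed for traffic the policy does not
! cover (e.g. sourced from the router itself).
ip route 0.0.0.0 0.0.0.0 203.0.113.1
```

`show route-map RETURN-PATH` reports the policy-routing match count per clause, which is the quickest way to confirm that replies from each DMZ block are actually being steered rather than falling through to the default route.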


Checkpoint FW-1, Solaris Routing, and Two ISPs

Post by Marc » Wed, 20 Jun 2001 09:36:06


As FW-1 passes the packet on to the OS for the actual routing of the packet,
this is quite hard to do...

So what you really need is policy based routing as per Cisco IOS.
I saw a post somewhere which suggested that the Gated routing daemon can
do this, dunno if it's true!

Another possibility might be to NAT the source addresses in your routers as
the packets come in, then you will have 2 known and distinct address ranges
coming in from each ISP. And you can use the standard routing table in
Solaris to reply out the required interface.

Marc


> Hello,

> I have FW-1 running on Solaris 7 with two Internet connections and two
> DMZs.  Each DMZ contains various Web, mail, etc. servers.  At the
> present time, I'm using 4 interfaces on a single firewall to route
> between the 4 networks.  All routing is static and I'm unable to
> undertake something more complex.  The configuration is not intended
> to provide redundancy or load sharing.  It is simply meant to provide
> separate services to two different groups of clients.

> My question is the following...  Is there any way to force outgoing
> traffic back down the same route that it entered?  I've discovered
> that two default routes can be defined on the firewall but they are
> used in a round robin fashion and my requirement is very strict that
> outbound traffic must take the same path it entered.  I did try rules
> on the firewall to block misdirected outbound traffic hoping the other
> route would pick up but that didn't work as I expected.

> Am I missing a way to achieve this or should I toss a few more $k at
> this and deploy a second firewall?

> Thanks!



Checkpoint FW-1, Solaris Routing, and Two ISPs

Post by Scott Dep » Wed, 20 Jun 2001 20:52:01


I'd love to learn about and configure BGP but neither of my ISPs do
anything with it and my guess is that buying a second firewall would
be far cheaper than getting into this.

Again, I have an absolute requirement that packets must leave on the
same wire they came in on.  Primarily because one of my ISPs has
spoofing detection in place and packets that are "not supposed to be"
on the wire are dropped.

I'm at the point of configuring policy/source routing on one of my two
Cisco routers.  I only have control over one of them.  Actually, I was
first trying to configure this routing using an Extreme switch but
that isn't working out.
>>>Hello,

>>>I have FW-1 running on Solaris 7 with two Internet connections and two
>>>DMZs.  Each DMZ contains various Web, mail, etc. servers.  At the
>>>present time, I'm using 4 interfaces on a single firewall to route
>>>between the 4 networks.  All routing is static and I'm unable to
>>>undertake something more complex.  The configuration is not intended
>>>to provide redundancy or load sharing.  It is simply meant to provide
>>>separate services to two different groups of clients.

>>>My question is the following...  Is there any way to force outgoing
>>>traffic back down the same route that it entered?  I've discovered
>>>that two default routes can be defined on the firewall but they are
>>>used in a round robin fashion and my requirement is very strict that
>>>outbound traffic must take the same path it entered.  I did try rules
>>>on the firewall to block misdirected outbound traffic hoping the other
>>>route would pick up but that didn't work as I expected.

>>>Am I missing a way to achieve this or should I toss a few more $k at
>>>this and deploy a second firewall?

>>Scott, I would think that you really should be doing something with
>>BGP external to your firewall.  Get a Cisco and a BGP AS from your
>>providers and let your gateway router do the load balancing and
>>dynamic routing.  Put your firewall with one interface set to default
>>route to your BGP router.

>I don't see how BGP would solve this problem.

>What he needs is routing based on source addresses.  I don't think this can
>be done with Firewall-1, but it can be done with a Cisco router.  If you
>connect both Internet connections to the same Cisco router, you can use
>Cisco's "policy routing" feature to select the ISP interface based on the
>source address.

>--

>Genuity, Burlington, MA
>*** DON'T SEND TECHNICAL QUESTIONS DIRECTLY TO ME, post them to newsgroups.
>Please DON'T copy followups to me -- I'll assume it wasn't posted to the group.

Thanks!


Checkpoint FW-1, Solaris Routing, and Two ISPs

Post by mayer han » Thu, 21 Jun 2001 02:38:09
>I'd love to learn about and configure BGP but neither of my ISPs do
>anything with it and my guess it that buying a second firewall would

                                       ========================

would this solve your problem?
no! anywhere you have a place where you don't know how to route.

--
best regards from vienna           |  
hans                               |   mayer (at) relay.bfl.at_SPAM


Checkpoint FW-1, Solaris Routing, and Two ISPs

Post by Steve Ka » Thu, 21 Jun 2001 05:09:35


Scott,

Wondered if the /etc/system tunable below helps?

Steve

ip_strict_dst_multihoming and ip6_strict_dst_multihoming
Description
Determine whether a packet arriving on a non-forwarding interface can be
accepted for an IP address that is not explicitly configured on that
interface. If ip_forwarding is enabled, or xxx:ip_forwarding for the
appropriate interfaces is enabled, then this parameter is ignored, because
the packet is actually forwarded.

Refer to RFC 1122 3.3.2.4.

Default
0 (loose multihoming)

Range
0 = Off (loose multihoming)

1 = On (strict multihoming)

Dynamic?
Yes

When to Change
If a machine has interfaces that cross strict networking domains (for
example, a firewall or a VPN node), set this variable to 1.

Commitment Level
Unstable


> I'd love to learn about and configure BGP but neither of my ISPs do
> anything with it and my guess it that buying a second firewall would
> be far cheaper than getting into this.

> Again, I have an absolute requirement that packets must leave on the
> same wire they came in on.  Primarily because one of my ISPs has
> spoofing detection in place and packets that are "not supposed to be"
> on the wire are dropped.

> I'm at the point of configuring policy/source routing on one of my two
> Cisco routers.  I only have control over one of them.  Actually, I was
> first trying to configure this routing using an Extreme switch but
> that isn't working out.
> >>>Hello,

> >>>I have FW-1 running on Solaris 7 with two Internet connections and two
> >>>DMZs.  Each DMZ contains various Web, mail, etc. servers.  At the
> >>>present time, I'm using 4 interfaces on a single firewall to route
> >>>between the 4 networks.  All routing is static and I'm unable to
> >>>undertake something more complex.  The configuration is not intended
> >>>to provide redundancy or load sharing.  It is simply meant to provide
> >>>separate services to two different groups of clients.

> >>>My question is the following...  Is there any way to force outgoing
> >>>traffic back down the same route that it entered?  I've discovered
> >>>that two default routes can be defined on the firewall but they are
> >>>used in a round robin fashion and my requirement is very strict that
> >>>outbound traffic must take the same path it entered.  I did try rules
> >>>on the firewall to block misdirected outbound traffic hoping the other
> >>>route would pick up but that didn't work as I expected.

> >>>Am I missing a way to achieve this or should I toss a few more $k at
> >>>this and deploy a second firewall?

> >>Scott, I would think that you really should be doing something with
> >>BGP external to your firewall.  Get a Cisco and a BGP AS from your
> >>providers and let your gateway router do the load balancing and
> >>dynamic routing.  Put your firewall with one interface set to default
> >>route to your BGP router.

> >I don't see how BGP would solve this problem.

> >What he needs is routing based on source addresses.  I don't think this can
> >be done with Firewall-1, but it can be done with a Cisco router.  If you
> >connect both Internet connections to the same Cisco router, you can use
> >Cisco's "policy routing" feature to select the ISP interface based on the
> >source address.

> >--

> >Genuity, Burlington, MA
> >*** DON'T SEND TECHNICAL QUESTIONS DIRECTLY TO ME, post them to newsgroups.
> >Please DON'T copy followups to me -- I'll assume it wasn't posted to the group.

> Thanks!



Checkpoint FW-1, Solaris Routing, and Two ISPs

Post by Barry Margoli » Thu, 21 Jun 2001 23:41:52
>Scott,

>Wondered if the /etc/system tunable below helps?

>Steve

>ip_strict_dst_multihoming and ip6_strict_dst_multihoming
>Description
>Determine whether a packet arriving on a non-forwarding interface can be
>accepted for an IP address that is not explicitly configured on that
>interface.

I don't think this is relevant.  It affects how *incoming* packets are
processed, but not how outgoing packets are routed.

--

Genuity, Burlington, MA
*** DON'T SEND TECHNICAL QUESTIONS DIRECTLY TO ME, post them to newsgroups.
Please DON'T copy followups to me -- I'll assume it wasn't posted to the group.


Checkpoint FW-1, Solaris Routing, and Two ISPs

Post by Not M » Thu, 28 Jun 2001 07:00:52


Hello,

The short answer is, there is no right way you can do this.  The
correct solution is as someone suggests, BGP, an ASN, portable IP
addresses.

What you have today will NOT work.  I suspect that you have 2 blocks
of IP addresses, one from each provider?

The easiest solution is to buy a second Firewall, the best solution is
to use BGP, ASN and portable addresses.  This would also give you a
level of redundancy and load sharing...



>Hello,

>I have FW-1 running on Solaris 7 with two Internet connections and two
>DMZs.  Each DMZ contains various Web, mail, etc. servers.  At the
>present time, I'm using 4 interfaces on a single firewall to route
>between the 4 networks.  All routing is static and I'm unable to
>undertake something more complex.  The configuration is not intended
>to provide redundancy or load sharing.  It is simply meant to provide
>separate services to two different groups of clients.

>My question is the following...  Is there any way to force outgoing
>traffic back down the same route that it entered?  I've discovered
>that two default routes can be defined on the firewall but they are
>used in a round robin fashion and my requirement is very strict that
>outbound traffic must take the same path it entered.  I did try rules
>on the firewall to block misdirected outbound traffic hoping the other
>route would pick up but that didn't work as I expected.

>Am I missing a way to achieve this or should I toss a few more $k at
>this and deploy a second firewall?

>Thanks!

