Re: Need Help on Checkpoint Firewall NAT
From: Wolfgang Kueter (wolfgang_at_shconnect.de)
Date: Sun, 30 Jan 2005 13:24:54 +0000 (UTC)
> I am configuring two machines
> ComputerA - Checkpoint Firewall installed here
> I am setting 10.1.1.2 with Static NAT and hiding it behind 222.*.*.*
> I am trying to use ComputerB to perform regular web browsing but it
> does not work. I am able to ping from computerB to 222.*.*.*
> Any idea? Do I need to set up DNS Server for this?
Without functioning DNS Internet is not much fun.
> The only rule I set is from ComputerB to Any, Http Accept.
> I am trying Hide mode and it did not work either.
You need some rules that allow the internal machine(s) to resolve host
names. This can be done by running your own (caching-only) DNS server, which
must be allowed to contact external DNS servers, or by allowing the
internal machines to contact external DNS servers directly.
The general approach to all firewalling/filtering is:
- Sit down with a piece of paper
- make up your mind about the policy by writing it down in a table
looking something like:

source  destination  service  port/protocol  allow  log
LAN     any          http     80/tcp         y      n
LAN     any          https    443/tcp        y      n
LAN     ISP DNS      DNS      53/udp         y      n
LAN     ISP MTA      smtp     25/tcp         y      n
...     ...          ...      ...            y      n
any     any          any      any            n      y
After that implement that ruleset on your filtering machine (whatever
you use). If something is not working it will for sure be caught by the
last rule (deny everything) and show up in the logfile. Watch the logfile
and maybe allow additional connections according to your requirements.
-- A foreign body and a foreign mind never welcome in the land of the blind from: 'Not one of us' (c) 1980 Peter Gabriel
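An added example, not part of the thread above: a small first-match evaluator that encodes the policy table from the reply and replays the two connections a browser on 10.1.1.2 makes for one page load (a DNS lookup, then the HTTP connection). Run against the original poster's ruleset (HTTP accept plus the final deny), the DNS lookup lands on the deny-and-log row, which is exactly what the reply says to look for in the logfile. The address groups "LAN", "ISP DNS" and "ISP MTA" and all IP addresses are constructed placeholders.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple
# Address groups from the table. Membership tests and the ISP addresses are
# constructed placeholders for this example, not real ones.
NETS: Dict[str, Callable[[str], bool]] = {
    "LAN": lambda ip: ip.startswith("10.1.1."),
    "ISP DNS": lambda ip: ip == "203.0.113.53",
    "ISP MTA": lambda ip: ip == "203.0.113.25",
    "any": lambda ip: True,
}
@dataclass
class Rule:  # one row of the table: source, destination, service, port/protocol, allow, log
    src: str
    dst: str
    service: str
    port: Optional[int]  # None matches any port
    proto: str           # "tcp", "udp" or "any"
    allow: bool
    log: bool
# The table from the reply, one Rule per row; the catch-all deny-and-log row is last.
POLICY: List[Rule] = [
    Rule("LAN", "any", "http", 80, "tcp", True, False),
    Rule("LAN", "any", "https", 443, "tcp", True, False),
    Rule("LAN", "ISP DNS", "dns", 53, "udp", True, False),
    Rule("LAN", "ISP MTA", "smtp", 25, "tcp", True, False),
    Rule("any", "any", "any", None, "any", False, True),
]
# The original poster's ruleset: HTTP accept only, then the catch-all.
OP_POLICY: List[Rule] = [POLICY[0], POLICY[-1]]

def evaluate(policy: List[Rule], src: str, dst: str, dport: int, proto: str) -> Tuple[bool, bool, int]:
    """First-match evaluation: return (allowed, logged, index of the matching rule)."""
    for i, r in enumerate(policy):
        if (NETS[r.src](src) and NETS[r.dst](dst)
                and (r.port is None or r.port == dport) and r.proto in ("any", proto)):
            return r.allow, r.log, i
    raise ValueError("no rule matched; the table must end with a catch-all row")

def replay(policy: List[Rule], attempts) -> List[str]:
    """Evaluate each (src, dst, dport, proto) attempt; return the log lines it produces."""
    log = []
    for src, dst, dport, proto in attempts:
        allowed, logged, i = evaluate(policy, src, dst, dport, proto)
        if logged:
            log.append(f"rule {i} {'accept' if allowed else 'drop'} {src}->{dst} {dport}/{proto}")
    return log

# Constructed traffic for one page load from 10.1.1.2: DNS lookup via the ISP resolver, then HTTP.
BROWSE = [("10.1.1.2", "203.0.113.53", 53, "udp"), ("10.1.1.2", "198.51.100.10", 80, "tcp")]
```

With OP_POLICY, replay(OP_POLICY, BROWSE) returns a single drop line for the DNS lookup; with the DNS row added (POLICY) the same traffic produces no log entries at all.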