David Helms/CheckPoint wrote:
> Have you thought about using gated instead of routed to handle the
> David Helms/CheckPoin
"gated" doesn't solve the problem. There is a bug in Solaris that doesn't
allow variable-length subnet masking as used by ospf.
"egp" is routed fine with firewall-1 and Solaris.
To fix the bug and allow variable-length subnet masks you have to pay
for it. SUN has a "Consulting Special" named CONSULT-VLSM which allows
variable subnet masks under Solaris 2.5.
You will get info about this "special" via an autoresponder.
Send mail to: consult-info @
Body: send vlsm
So SUN is causing the trouble not CheckPoint.
> Ryan Russell/SYBASE wrote:
> > One of my complaints about firewall-1 (on Sun's at least,
> > the only place I've used it..) is that it relies on the routing software
> > built into Solaris, which IMHO, sucks. (So sue me, I'm used to Ciscos.)
> > It is basically only RIP aware, and doesn't allow for things like
> > variable-length subnet masking..
> > So this means that you can expect problems trying to do anything
> > beyond simple route setups, and I'm not surprised that the
> > various support people don't know what goes on, since Checkpoint
> > appears to have given that responsibility over to the OS.
> > If there are any experts out there on using Solaris machines as routers, and
> > I'm wrong, please enlighten me.
> > Ryan
> > ---------- Previous Message ----------
> > To: firewalls
> > cc:
> > From: dmurray @ camtech.com.au (David Murray) @ smtp
> > Date: 11/14/96 12:37:22 PM
> > Subject: FW-1 documentation mistake.
> > Just a note to let you FW-1 people know that the documentation in the
> > Firewall-1 Architecture and Administration booklet is wrong.
> > If you go to section 3, Address translation, pg 15 you will see a FAQ on
> > why you can't ping translated addresses. They tell you the solution is to add
> > a static route from the legal (translated) address to the internal interface.
> > This does not work. What it means is as follows.
> > Internet
> > --------  22.214.171.124 ---------- 10.1.1.1  |  DMZ
> > | Router|-----------------| FW-1 |------------|     -------
> > --------  126.96.36.199  ----------           |-----|Mail | 10.1.1.2
> >                                               |     -------
> > In this case, the internal network is being translated from 10.1.1.0 to
> > 188.8.131.52. Let's say the mail server is being translated from 10.1.1.2 to the
> > legal address 184.108.40.206 on the FW-1 using fwxlconf.
> > According to the documentation to make the FW-1 correctly pass the translated
> > addresses through to the internal net we are to add a static route as follows:
> > route add 220.127.116.11 10.1.1.1
> > This tells it to route that address to the internal interface which gets it and
> > drops it.
> > The correct way is to route the legal address to the illegal translated address
> > of the Mail server, i.e.
> > route add 18.104.22.168 10.1.1.2
> > This works, much to the surprise of Checkpoint and the tech support reps.
> > Comments, Checkpoint?
> > Dave.
> > __________________________________________________________________________
> > David Murray Phone: +61 8 8303 3300
> > Systems Engineer Fax: +61 8 8303 4403
> > Camtech (S.A.) Pty. Ltd. Email: dmurray @
> > WWW: www.camtech.com.au
> > PO Box 128,
> > Rundle Mall, Adelaide SA 5000, 8th Floor, 10 Pulteney Street,
> > Australia. Adelaide, Australia.
> > ___________________________________________________________________________
> David Helms
> Senior Technical Consultant
> CheckPoint Software Technologies
> ph 703.684.4824
> fx 703.684.4847
> davidh @