Is this on an NT server? If so, IP forwarding opens up a large hole inside
any security perimeter. Although I am not familiar enough with Checkpoint
to know how it intercepts packets, I am surprised that they say that
forwarding must be active. Even Microsoft states that when using their MS
proxy server, IP forwarding MUST be disabled.
From: Kunal Choudhary [SMTP:kunalc @
Sent: Tuesday, February 03, 1998 8:01 AM
To: Firewalls @
Subject: Re: Firewalls-Digest V7 #51
I've been told by Checkpoint support that v3.0b needs IP forwarding
turned on at the bastion host to work. They assure me that this is
completely safe, since the firewall inspects all packets anyway. I find
this surprising, esp. considering that v2.1 never required this. Any
feedback will be appreciated.