>Is this on an NT server? If so, IP forwarding opens up a large hole inside
>any security perimeter. Although I am not familiar enough with Checkpoint
>to know how it intercepts packets, I am surprised that they say that
>forwarding must be active. Even Microsoft states that when using their MS
>proxy server, IP forwarding MUST be disabled.
Under version 3.x of FW-1 on NT, IP forwarding must be enabled. That makes
the NT server think it's enough of a router to be able to pass packets
between two networks. When you install FW-1, you are asked whether you
want FW-1 to control routing... the answer is absolutely _yes_. This
disables NT routing when the firewall inspection module is not actually
running, as I understand it. So if somebody does an 'fwstop', routing stops.
All packets are passed through the inspection engine.
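A quick way to check the condition the reply warns about (the box forwards IP but the inspection module is not running) on the host itself. This is an added example, not code from the thread or from Check Point: it assumes the firewall runs as a Windows service whose name is given in `$FwServiceName` (the value "FW1" is a placeholder; substitute the real service name from `Get-Service`), and it reads the standard `IPEnableRouter` value under `Tcpip\Parameters`, which is the persisted NT IP-forwarding switch. It is written for PowerShell, so it applies to later Windows releases rather than the NT 4 host the thread discusses; the registry location is the same.

```powershell
# Added example: flag the dangerous state "IP forwarding on, inspection off".
# Assumption: $FwServiceName is a placeholder for the firewall's service name.
param([string]$FwServiceName = 'FW1')

$tcpipKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'

# Persisted setting: 1 = forward between interfaces, 0/absent = do not.
$props = Get-ItemProperty -Path $tcpipKey -Name IPEnableRouter -ErrorAction SilentlyContinue
$persistedForwarding = ($null -ne $props -and [int]$props.IPEnableRouter -eq 1)

# Live per-interface state, where the NetTCPIP module is available (Windows 8 / 2012+).
$liveForwarding = $null
if (Get-Command Get-NetIPInterface -ErrorAction SilentlyContinue) {
    $liveForwarding = @(Get-NetIPInterface -AddressFamily IPv4 |
        Where-Object { $_.Forwarding -eq 'Enabled' }).Count -gt 0
}

# Is the inspection module (the firewall service) actually running?
$svc = Get-Service -Name $FwServiceName -ErrorAction SilentlyContinue
$inspectionRunning = ($null -ne $svc -and $svc.Status -eq 'Running')

"Persisted IPEnableRouter : $persistedForwarding"
"Live forwarding enabled  : $(if ($null -eq $liveForwarding) { 'unknown (no NetTCPIP module)' } else { $liveForwarding })"
"Firewall service '$FwServiceName' running: $inspectionRunning"

$forwarding = if ($null -ne $liveForwarding) { $liveForwarding } else { $persistedForwarding }
if ($forwarding -and -not $inspectionRunning) {
    Write-Warning 'Host forwards IP but the inspection module is not running: traffic can cross the perimeter uninspected.'
    exit 2
}
exit 0
```

The persisted registry value and the live state can disagree: `IPEnableRouter` is what the stack reads at boot, while a firewall that "controls routing" toggles forwarding at run time, so on a system where that module is available the live per-interface `Forwarding` state is the one to trust, and the registry value only tells you what will happen at the next reboot if nothing re-enables the firewall.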