Packet processing in Check Point:

  1. Check whether the connection is already established (lookup in the connections table).
  2. Check of the IP options => if denied, it appears in the logs as "drop on Rule 0".
  3. Anti-spoofing check on the external interface => if denied, it appears in the logs as "drop on Rule 0" and the remote side gets a "connection timed out".
  4. Rulebase lookup.
  5. Handoff to the OS for routing.
  6. Anti-spoofing check on the internal interface => if denied, it appears in the logs as "drop on Rule 0"; the remote side receives a reset and the application displays "connection refused".
  7. Rulebase lookup (rules are checked both inbound and outbound).
  8. NAT processing.
  9. The packet is sent to the destination host.

 

Policy handling with NAT:

Order of evaluation:

Rulebase policy => NAT

Keep in mind that the security rulebase is matched on the original (pre-NAT) addresses: the firewall first decides whether the incoming address is allowed, and only then applies NAT. Rules must therefore be written in terms of the addresses as they appear on the wire before translation, not the translated ones.
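A small model of the inbound decision order described above (anti-spoofing logged as Rule 0, then the rulebase on the original header, then NAT), written as an added example and not taken from Check Point. The topology (eth0 external, eth1 internal with 10.0.0.0/8 behind it), the static NAT entry 203.0.113.10 -> 10.0.0.5, the rule numbers and the log strings are all constructed for illustration. It shows the classic mistake: a rule written against the real (post-NAT) address never matches, because the rulebase sees the packet before translation.

```python
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    iface: str            # interface the packet arrived on

@dataclass(frozen=True)
class Rule:
    num: int
    src: str              # CIDR or "any"
    dst: str              # CIDR or "any"
    dport: Optional[int]  # None = any port
    action: str           # "accept" or "drop"

# Constructed topology (assumption, not from the page): eth1 is the internal
# interface with 10.0.0.0/8 behind it; eth0 is the external interface.
INTERNAL_NETS = {"eth1": [ip_network("10.0.0.0/8")]}

# Constructed static NAT table: public address -> real internal address.
STATIC_NAT = {"203.0.113.10": "10.0.0.5"}

def antispoof_ok(pkt: Packet) -> bool:
    """Anti-spoofing: a packet may only enter an interface from the networks
    defined behind it. On the external interface this means the source must
    not claim to be one of the internal networks."""
    src = ip_address(pkt.src)
    if pkt.iface in INTERNAL_NETS:
        return any(src in net for net in INTERNAL_NETS[pkt.iface])
    return not any(src in net for nets in INTERNAL_NETS.values() for net in nets)

def matches(rule: Rule, pkt: Packet) -> bool:
    def in_spec(spec: str, ip: str) -> bool:
        return spec == "any" or ip_address(ip) in ip_network(spec)
    return (in_spec(rule.src, pkt.src) and in_spec(rule.dst, pkt.dst)
            and (rule.dport is None or rule.dport == pkt.dport))

def process(pkt: Packet, rulebase: list, nat: dict):
    """Inbound decision in the order given on the page: anti-spoofing (logged
    as Rule 0), then the rulebase on the ORIGINAL header, then NAT.
    Returns (decision, log line, packet after NAT or None)."""
    if not antispoof_ok(pkt):
        return "drop", f"drop on Rule 0 (anti-spoofing, {pkt.iface}) {pkt.src} -> {pkt.dst}", None
    for rule in rulebase:                      # matched on pre-NAT addresses
        if matches(rule, pkt):
            if rule.action != "accept":
                return "drop", f"drop on Rule {rule.num}", None
            translated = replace(pkt, dst=nat.get(pkt.dst, pkt.dst))   # NAT happens only now
            return "accept", f"accept on Rule {rule.num}, xlatedst {translated.dst}", translated
    return "drop", "drop on cleanup rule (no match)", None

# Same inbound packet, two ways of writing rule 1 (constructed sample input).
INBOUND = Packet("198.51.100.7", "203.0.113.10", 80, "eth0")
RULE_ON_REAL_IP = [Rule(1, "any", "10.0.0.5", 80, "accept")]        # wrong: post-NAT address
RULE_ON_PUBLIC_IP = [Rule(1, "any", "203.0.113.10", 80, "accept")]  # right: pre-NAT address
SPOOFED = Packet("10.0.0.7", "203.0.113.10", 80, "eth0")             # internal source seen on eth0

if __name__ == "__main__":
    for rb, pkt in ((RULE_ON_REAL_IP, INBOUND), (RULE_ON_PUBLIC_IP, INBOUND), (RULE_ON_PUBLIC_IP, SPOOFED)):
        print(process(pkt, rb, STATIC_NAT)[:2])
```

The first case falls through to the cleanup drop even though the host is "allowed": the rule names the address that only exists after step 8. The third case never reaches the rulebase at all, which is why such drops show up as Rule 0 rather than as a numbered rule.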

- Viewing, on a firewall, the different inspection modules a packet traverses:

firewall_sans_vpn# fw ctl chain
in chain (11):
        0: -7f800000 (65b58540) (ffffffff) IP Options Strip (in) (ipopt_strip)
        1: - 1fffff6 (65b599f8) (00000001) Stateless verifications (in) (asm)
        2: - 1000000 (65b98e80) (00000003) SecureXL conn sync (secxl_sync)
        3:         0 (65b150e8) (00000001) fw VM inbound  (fw)
        4:         1 (65b6da48) (00000002) wire VM inbound  (wire_vm)
        5:  10000000 (65b9c8c0) (00000003) SecureXL inbound (secxl)
        6:  7f600000 (65b50d10) (00000001) fw SCV inbound (scv)
        7:  7f730000 (65c4b8e4) (00000001) passive streaming (in) (pass_str)
        8:  7f750000 (65cf5e2c) (00000001) TCP streaming (in) (cpas)
        9:  7f800000 (65b58850) (ffffffff) IP Options Restore (in) (ipopt_res)
        10:  7fb00000 (65cc9608) (00000001) HA Forwarding (ha_for)
out chain (9):
        0: -7f800000 (65b58540) (ffffffff) IP Options Strip (out) (ipopt_strip)
        1: - 1fffff0 (65cf5fb0) (00000001) TCP streaming (out) (cpas)
        2: - 1ffff50 (65c4b8e4) (00000001) passive streaming (out) (pass_str)
        3: - 1f00000 (65b599f8) (00000001) Stateless verifications (out) (asm)
        4:         0 (65b150e8) (00000001) fw VM outbound (fw)
        5:         1 (65b6da48) (00000002) wire VM outbound  (wire_vm)
        6:  10000000 (65b9c8c0) (00000003) SecureXL outbound (secxl)
        7:  7f700000 (65cf5594) (00000001) TCP streaming post VM (cpas)
        8:  7f800000 (65b58850) (ffffffff) IP Options Restore (out) (ipopt_res)

With an fw monitor running (the two "fwmonitor" entries added to each chain are its capture points: "i/f side" before the fw VM, "IP side" after it):

firewall_sans_vpn# fw ctl chain
in chain (13):
        0: -7f800000 (65b5f540) (ffffffff) IP Options Strip (in) (ipopt_strip)
        1: -70000000 (65b43f58) (ffffffff) fwmonitor (i/f side)
        2: - 1fffff6 (65b609f8) (00000001) Stateless verifications (in) (asm)
        3: - 1000000 (65b9fe80) (00000003) SecureXL conn sync (secxl_sync)
        4:         0 (65b1c0e8) (00000001) fw VM inbound  (fw)
        5:         1 (65b74a48) (00000002) wire VM inbound  (wire_vm)
        6:  10000000 (65ba38c0) (00000003) SecureXL inbound (secxl)
        7:  70000000 (65b43f58) (ffffffff) fwmonitor (IP  side)
        8:  7f600000 (65b57d10) (00000001) fw SCV inbound (scv)
        9:  7f730000 (65c528e4) (00000001) passive streaming (in) (pass_str)
        10:  7f750000 (65cfce2c) (00000001) TCP streaming (in) (cpas)
        11:  7f800000 (65b5f850) (ffffffff) IP Options Restore (in) (ipopt_res)
        12:  7fb00000 (65cd0608) (00000001) HA Forwarding (ha_for)
out chain (11):
        0: -7f800000 (65b5f540) (ffffffff) IP Options Strip (out) (ipopt_strip)
        1: -70000000 (65b43f58) (ffffffff) fwmonitor (i/f side)
        2: - 1fffff0 (65cfcfb0) (00000001) TCP streaming (out) (cpas)
        3: - 1ffff50 (65c528e4) (00000001) passive streaming (out) (pass_str)
        4: - 1f00000 (65b609f8) (00000001) Stateless verifications (out) (asm)
        5:         0 (65b1c0e8) (00000001) fw VM outbound (fw)
        6:         1 (65b74a48) (00000002) wire VM outbound  (wire_vm)
        7:  10000000 (65ba38c0) (00000003) SecureXL outbound (secxl)
        8:  70000000 (65b43f58) (ffffffff) fwmonitor (IP side)
        9:  7f700000 (65cfc594) (00000001) TCP streaming post VM (cpas)
        10:  7f800000 (65b5f850) (ffffffff) IP Options Restore (out) (ipopt_res)

- Diagram version: fw_chain_overview (image not reproduced here)
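A parser for the listings above, written as an added example and not a Check Point tool: it reads `fw ctl chain` output, converts the signed hexadecimal positions, checks that each chain really is ordered by position, and lists the modules sitting between the two fwmonitor hooks of a chain. That gap is what matters when debugging with fw monitor: a packet captured at the interface-side hook but absent at the IP-side hook was dropped by one of the modules in between (stateless verifications, SecureXL, the fw VM rulebase, ...). The sample text is the "with fw monitor" listing from this page, embedded as a string.

```python
import re
from dataclasses import dataclass

# Sample input: the "with fw monitor running" listing from this page.
SAMPLE = """\
in chain (13):
        0: -7f800000 (65b5f540) (ffffffff) IP Options Strip (in) (ipopt_strip)
        1: -70000000 (65b43f58) (ffffffff) fwmonitor (i/f side)
        2: - 1fffff6 (65b609f8) (00000001) Stateless verifications (in) (asm)
        3: - 1000000 (65b9fe80) (00000003) SecureXL conn sync (secxl_sync)
        4:         0 (65b1c0e8) (00000001) fw VM inbound  (fw)
        5:         1 (65b74a48) (00000002) wire VM inbound  (wire_vm)
        6:  10000000 (65ba38c0) (00000003) SecureXL inbound (secxl)
        7:  70000000 (65b43f58) (ffffffff) fwmonitor (IP  side)
        8:  7f600000 (65b57d10) (00000001) fw SCV inbound (scv)
        9:  7f730000 (65c528e4) (00000001) passive streaming (in) (pass_str)
        10:  7f750000 (65cfce2c) (00000001) TCP streaming (in) (cpas)
        11:  7f800000 (65b5f850) (ffffffff) IP Options Restore (in) (ipopt_res)
        12:  7fb00000 (65cd0608) (00000001) HA Forwarding (ha_for)
out chain (11):
        0: -7f800000 (65b5f540) (ffffffff) IP Options Strip (out) (ipopt_strip)
        1: -70000000 (65b43f58) (ffffffff) fwmonitor (i/f side)
        2: - 1fffff0 (65cfcfb0) (00000001) TCP streaming (out) (cpas)
        3: - 1ffff50 (65c528e4) (00000001) passive streaming (out) (pass_str)
        4: - 1f00000 (65b609f8) (00000001) Stateless verifications (out) (asm)
        5:         0 (65b1c0e8) (00000001) fw VM outbound (fw)
        6:         1 (65b74a48) (00000002) wire VM outbound  (wire_vm)
        7:  10000000 (65ba38c0) (00000003) SecureXL outbound (secxl)
        8:  70000000 (65b43f58) (ffffffff) fwmonitor (IP side)
        9:  7f700000 (65cfc594) (00000001) TCP streaming post VM (cpas)
        10:  7f800000 (65b5f850) (ffffffff) IP Options Restore (out) (ipopt_res)
"""

# "<idx>: <signed hex position> (<address>) (<flags>) <name> (<tag>)"
# The sign can be separated from the digits by a space, as in "- 1fffff6".
LINE_RE = re.compile(
    r"^\s*(\d+):\s*(-?)\s*([0-9a-fA-F]+)\s+\(([0-9a-fA-F]+)\)\s+\(([0-9a-fA-F]+)\)\s+(.*?)\s*$")
CHAIN_RE = re.compile(r"^(in|out) chain \((\d+)\):")

@dataclass
class Module:
    index: int
    position: int   # signed; negative = runs before the fw VM (position 0)
    name: str       # e.g. "fw VM inbound  (fw)"
    short: str      # last parenthesised tag, e.g. "fw"

def parse_chain(text: str) -> dict:
    """Return {"in": [Module, ...], "out": [Module, ...]} in listing order."""
    chains, current = {}, None
    for line in text.splitlines():
        m = CHAIN_RE.match(line)
        if m:
            current = m.group(1)
            chains[current] = []
            continue
        m = LINE_RE.match(line)
        if m and current is not None:
            idx, sign, pos, _addr, _flags, name = m.groups()
            tag = re.findall(r"\(([^()]*)\)\s*$", name)
            chains[current].append(Module(int(idx), int(pos, 16) * (-1 if sign else 1),
                                          name, tag[0] if tag else ""))
    return chains

def is_ordered(modules: list) -> bool:
    """The kernel runs modules by ascending position; the listing must agree."""
    return all(a.position < b.position for a, b in zip(modules, modules[1:]))

def monitor_gap(modules: list) -> list:
    """Tags of the modules strictly between the two fw monitor hooks of one
    chain, i.e. the modules that can drop a packet seen at the first hook
    before it reaches the second. Empty if the hooks are not present."""
    hooks = [m.index for m in modules if m.name.startswith("fwmonitor")]
    if len(hooks) != 2:
        return []
    lo, hi = hooks
    return [m.short for m in modules if lo < m.index < hi]

if __name__ == "__main__":
    for direction, mods in parse_chain(SAMPLE).items():
        print(direction, "ordered:", is_ordered(mods), "gap:", monitor_gap(mods))
```

Run it against the first listing (without fw monitor) and `monitor_gap` returns an empty list, which is a quick way to confirm from a script that no capture is currently hooked into the chain.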

Appendices

How does Network Address Translation (NAT) work in VPN-1/FireWall-1 NG