| CPUG | |
| The Check Point User Group | |
| A Resource For The Check Point Community. Fast. Useful. Independent. | |
|
| |||||||
![]() |
| | LinkBack | Thread Tools | Search this Thread | Display Modes |
| |||
| Hi there How does one configure the checkpoint firewall to route for eg smtp traffic out to a certain interface only. I know Checkpoint on the rule base has only permit , deny , traffic classification. But there is no where, to specify on what interface the traffic should go out or come in Please help |
| |||
| Check Point doesn't do (or really care about) routing. That's up to the OS. Check Point enforces policy in terms of what is allowed, not how to route it. You'll need to look into what's possible with whatever OS your firewall is running on. |
| |||
| Policy routing based on source IP can be done on SmartPlatform, however, Check Point provide no support for doing this so you need to figure out how from Linux documentation and manually issue the appropriate commands in rc.local. Any policy routing that would require tagged packets is not possible on SPLAT because NetFilter is not installed. |
| |||
| I've asked about this on Nokia IPSO and was told that it wasn't supported - by IP address, so I would assume that it certainly wouldn't do so based on protocol. If you're trying to get SMTP to route one direction, you might put a relay server in a DMZ and have your internal SMTP servers point to it. Just a thought, this might not cover what you're trying to do. |
| |||
| If your platform is Linux (including Crossbeam/Resilience/SecurePlatform/Redhat...), you can do whatever you want, for Linux support advaned routing, so you can configure the Policy-Based routing using 'ip rule' and 'ip route', good luck! |
| |||
| The way to do this is with the use of all of the policy including NAT and a little bit of what is called in the Cisco world PAT. Since you are only asking tcp port 25 (SMTP) to go out the other interface you will need to set up a NAT rule before you overload traffic. on the Original Packet Side: Source: the network, group or host Destination: you can set as any (if you do this you may need to build a no nat between your own networks rule prior to this) Service: SMTP (TCP 25) Translated Packet Side: Source: the ip nat ip you want all smtp traffic coming from (has to be on the inteface side you want traffic to go out) Destination: any Service: SMTP After that you will need a rule allowing traffic outbound you will then most likely want to reverse this for incoming traffic and set your mx to the nat ip you specified above. If you this isn't clear enough please let me know and I can give examples! |
| |||
| Quote:
|
| |||
| you are correct, you will either need to at a static route for the host (mail server) or add 2 equal cost default routes out if you are hiding networks. Through use of NAT you can get the traffic to route back correctly. In our case we use dynamic routing (OSPF) between the border routers and the nokia firewalls in area 2 and OSPF internal as well internal in backbone area 0 Although your internal routing table can either be static as well. |
| |||
| equal cost default routes is going to do load sharing for all traffic - it's not going to achieve the stated goal of routing SMTP traffic via one interface only. If you want to ensure certain traffic doesn't swamp other traffic, it's probably better to achieve it with a traffic management solution - e.g Packeteer, Floodgate. |
| |||
| U need source based routing either on the firewall or u can use a router between Firewall and internet that can deal with that. If u use linux/SPLAT/UTM heres a way to get it done. Not written by me, but i tested it and it works. RouterA || RouterB 1.1.1.2 || 1.1.1.3 || Fw-ext-ip(1.1.1.1) Firewall==================DMZ(192.168.0.0/24) Fw-int-ip(10.0.0.1/24) We assume that the default gw to RouterA. route add default gw 1.1.1.2 Now we will define policy based routing. We need to define a Table ID and an alias for it. Defining Alias: ================= Edit /etc/iproute2/rt_tables file. As you see below we have added ID 23 to alias adsl. #more rt_tables # # reserved values # #255 local #254 main #253 default #0 unspec # # local # #1 inr.ruhep 23 adsl You may use below command for this: #echo 23 adsl >> /etc/iproute2/rt_tables Then we will specify which source ip address will be use this table: #ip rule add from 10.0.0.5/24 table adsl (all lan IPs will use this table) Lets specify this adsl table's default gateway to RouterB #ip route add default via 1.1.1.3 dev eth0 table adsl We have to add following rule in order to give access from 10.0.0.x to the dmz #ip route add 192.168.0.0/24 dev eth2 table adsl To activate changes type following #ip route flush cache After reboot things we made will not be remain. We have to add all the commands to rc.local file to make changes permenant after reboot. ip rule add from 10.0.0.0/24 table adsl ip route add default via 1.1.1.3 dev eth0 table adsl ip route add 192.168.0.0/24 dev eth2 table adsl ip route flush cache |
| |||
| Quote:
-Pierre |
![]() |
| Thread Tools | Search this Thread |
| Display Modes | |
| |