Private Public DNS question

Jared Johnson jared.johnson at
Thu Mar 23 01:19:54 UTC 2000

> I think the customer contacted Checkpoint and found a way to disable this
> feature.  I don't know the specifics, because once we determined that it
> was a problem with the firewall and not our Internet connection, we were
> out of the loop.

Checkpoint has this listed under version 3 currently is why we running 4
can't find it.  They said they will update there support doc to fix this.
You do need a support ID to see the actual doc, but heres the rundown.

Normally, FireWall-1 NAT HIDE mechanism translates low source ports
(sport<1024) to low (unused) ports, and high source ports (sport>=1024) to
high (unused) ports, as stated in the user's guide. However, in certain
configurations there is a need to translate a low source port to a high
port - the services that frequently brings about this need is domain-udp,
whose source port is 53.

FireWall-1 does not support Static Address Translation for source ports, but
in this case a the following work-around may be used on UNIX machines:

1. Stop the FireWall (fwstop).

2. For Solaris, add the following line to /etc/system
   set fwfwx_udp_hide_high = 0x35
   and then reboot the machine.

3. For SunOS, type: echo "fwx_udp_hide_high ?W35" | adb -w
   For HP-UX, type: echo "fwx_udp_hide_high ?W35" | adb -w /hp-ux

4. Restart the FireWall.

THANKS ALL for your help.

More information about the bind-users mailing list