Private Public DNS question
Jared Johnson
jared.johnson at tecstar.com
Thu Mar 23 01:19:54 UTC 2000
> I think the customer contacted Checkpoint and found a way to disable this
> feature. I don't know the specifics, because once we determined that it
> was a problem with the firewall and not our Internet connection, we were
> out of the loop.
Checkpoint has this listed under version 3 currently is why we running 4
can't find it. They said they will update there support doc to fix this.
You do need a support ID to see the actual doc, but heres the rundown.
http://www.checkpoint.com/support/technical/faq/firewall-1/networkconf/lowpo
rthide.htm
Normally, FireWall-1 NAT HIDE mechanism translates low source ports
(sport<1024) to low (unused) ports, and high source ports (sport>=1024) to
high (unused) ports, as stated in the user's guide. However, in certain
configurations there is a need to translate a low source port to a high
port - the services that frequently brings about this need is domain-udp,
whose source port is 53.
FireWall-1 does not support Static Address Translation for source ports, but
in this case a the following work-around may be used on UNIX machines:
1. Stop the FireWall (fwstop).
2. For Solaris, add the following line to /etc/system
set fwfwx_udp_hide_high = 0x35
and then reboot the machine.
3. For SunOS, type: echo "fwx_udp_hide_high ?W35" | adb -w
$FWDIR/modules/fwmod.4.1.x.o
For HP-UX, type: echo "fwx_udp_hide_high ?W35" | adb -w /hp-ux
4. Restart the FireWall.
THANKS ALL for your help.
More information about the bind-users
mailing list