Okay, TheBishop comes good at last...
Here's the description of packet flow through the inspection engine as taken from the Firewall-1 training course:
1) Packet comes in
2) Address spoofed? If yes, discard
3) Apply any NAT transformation
4) IP options flags set? If yes, discard
5) Does packet match first rule?
- if yes, do what rule says then move on to consider next packet
- if no, move on to next rule
6) If no more rules left, discard the packet
a) Although NAT generally occurs at step 3) as shown, you can configure it to happen last of all, after the packet has been processed through the rules. If you do that, it will have to pass through the rules again to see if they allow the new packet to be output. Most people don't set it up this way as it's confusing and harder to work with.
b) Note that there are user-defined rules and implicit or hidden rules created by the firewall. It is the entire rulebase, which includes both, that is checked from absolute top to absolute bottom.
c) Order of rules in the rulebase makes all the difference.
d) The firewall can discard (silently drop) or reject (send back an ICMP rejection).
e) There is an implied (can't see it anywhere but it exists) 'drop all' "rule" at the end of the rulebase. But most people create their own explicit "real" rule for this because you can't log from the implied rule.
Hope that helps!
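The six steps and notes a) to e) above, as a small Python simulation added here (not Check Point code and not from the course book); the interface topology, the static NAT entry, the packets and the rules are all assumed for illustration:

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

# Constructed model of the flow described in the post; not Check Point code.
# Assumed topology: this is the external interface, so no arriving packet may
# claim a source inside INTERNAL (step 2, anti-spoofing).
INTERNAL = ip_network("10.0.0.0/8")
# Assumed static NAT: public address -> internal server (step 3).
STATIC_NAT = {"203.0.113.10": "10.0.0.10"}


@dataclass
class Packet:
    src: str
    dst: str
    dport: int
    ip_options: bool = False


@dataclass
class Rule:
    src: str              # CIDR or "any"
    dst: str              # CIDR or "any"
    dport: Optional[int]  # None means any port
    action: str           # "accept", "drop" (silent) or "reject" (ICMP sent back)
    log: bool = False

    def matches(self, p: Packet) -> bool:
        return ((self.src == "any" or ip_address(p.src) in ip_network(self.src))
                and (self.dst == "any" or ip_address(p.dst) in ip_network(self.dst))
                and (self.dport is None or self.dport == p.dport))


def inspect(p: Packet, rules: List[Rule], log: List[str]) -> str:
    """Return the verdict for one packet, appending any log lines produced."""
    if ip_address(p.src) in INTERNAL:                    # step 2: spoofed source
        log.append(f"anti-spoofing drop {p.src}")
        return "drop"
    p = Packet(p.src, STATIC_NAT.get(p.dst, p.dst), p.dport, p.ip_options)  # step 3: NAT
    if p.ip_options:                                     # step 4: IP options set
        return "drop"
    for n, r in enumerate(rules, 1):                     # step 5: first match wins
        if r.matches(p):
            if r.log:
                log.append(f"rule {n}: {r.action} {p.src} -> {p.dst}:{p.dport}")
            return r.action
    return "drop"                                        # step 6: implied drop, never logged
```

Running the same packet against a rulebase with and without an explicit cleanup rule shows note e): the verdict is identical, but only the explicit rule leaves a log entry; putting the cleanup rule first shows note c), as it shadows every rule below it.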
CheckPoint packet flow
13 years 8 months ago #8503
The explanation in the Check Point book is not totally correct, or at least a very simplistic explanation. I've worked years with the product and made some slides myself.
If you get used to the "fw monitor" command you can easily understand how everything works. You can dump the output of fw monitor into a file with the -o switch. Then you can read it with ethereal or fwethereal (somewhere on the publicly accessible Check Point website)....
xxradar, thanks for making those files available, there is some meaty info in there which I will have a chew on. The info I posted is straight out of the book that you get when you go on the Checkpoint Firewall Admin-1 course. Always goes to show there is more to every subject than the bits they tell you about...