There is reportedly a problem with Check Point VPN-1 where port address translation lets some internal information be seen.

Checkpoint VPN-1 PAT Information Disclosure

Port 18264/tcp on the Checkpoint Firewall is typically configured in such a manner that it is mapped by port address translation (PAT), with packets to this port being re-written to reach the Firewall management server. When the time-to-live (TTL) is set low, the Firewall fails to correctly sanitize the encapsulated IP headers in ICMP time-to-live exceeded packets, resulting in the internal IP address being disclosed. For example:
The response was elicited by sending a packet (from 184.108.40.206) to port 18264/tcp on the Firewall's interface. The TTL was set low, so the Firewall could not forward it on.
14:56:25.169480 IP (tos 0xe0, ttl 255, id 21407, offset 0, flags [none], proto: ICMP (1), length: 68) 220.127.116.11 > 18.104.22.168: ICMP time exceeded in-transit, length 48
IP (tos 0x0, ttl 1, id 5120, offset 0, flags [none], proto: TCP (6), length: 40) 22.214.171.124.9003 > 10.0.0.99.18264: S, cksum 0x03e6 (correct), 2834356043:2834356043(0) win 512
The destination address on the encapsulated IP packet is the address of the Firewall management server. Note: this can be exploited whether the port is detected as being open or closed by a port scan of the Firewall's interface.