Re: [FW1] Strange Anti-Spoofing problem on NT
Hi Ralf:

You should define the antispoofing as follows: On the external interface set "Others" as Valid Addresses. On the internal interface (10.40.0.0) you should create a group containing this net and a workstation object with the public IP address you use to your web browser (let's say 204.32.38.103) and set Specific with this group in Valid Addresses. (Remember the NAT should be Static.)

It should work fine this way; I tested it many times. Let me know if you could make it work.

"Ralf Guenthner" <[email protected]>
Sent by:
To: [email protected] <[email protected]> kpoint.com
cc:
Subject: [FW1] Strange Anti-Spoofing problem on NT
11/10/2000 14:20

Hi list

I have a strange problem on an NT4-system, running FW 4.1 without patches: The machine has 2 interfaces, one going to the Internet, the other going to -uh- I guess you could call it a pseudo-DMZ (p-DMZ), because this site only has 2 interfaces, so there's no real internal net...anyway it uses a private address space (10.40.0.0). A webserver was placed in the pseudo-DMZ and should be reachable from the Internet. I added the NAT-Rules accordingly and created the local.arp file, voila, it worked.

But then I tried to set up Anti-Spoofing in the security tab of the firewall's interfaces: Valid addresses "Others" on the external IF, and "This net" on the p-DMZ interface. After that connections got dropped because of rule 0! The log shows that incoming requests are correctly translated to the webserver's private IP, but the p-DMZ interface doesn't like the source IP of the packet (or its destination??, there should be a way to tell this more clearly implemented in future versions of logviewer) and drops it.

I created a group containing both the net on the Internet-side of the firewall and the net of the p-DMZ and added it to "Specific" in the security tab, but to no avail... Any ideas?

Sorry for being so wordy, but this one really has me puzzled, since I thought I had understood all about Anti-Spoofing...
Cheers
Ralf G.

================================================================================
To unsubscribe from this mailing list, please see the instructions at http://www.checkpoint.com/services/mailing.html
================================================================================
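The valid-address settings discussed in this thread can be modelled in a few lines; this is an added example, not code from either poster or from Check Point. Assumptions: the /16 mask on 10.40.0.0, the client and web server private addresses, the interface names, and the premise (consistent with the reply's fix, but not stated in the thread) that the p-DMZ interface check still sees the public destination address.

```python
import ipaddress

PDMZ_NET = ipaddress.ip_network("10.40.0.0/16")     # mask is an assumption
WEB_PUBLIC = ipaddress.ip_address("204.32.38.103")  # example address from the reply
WEB_PRIVATE = ipaddress.ip_address("10.40.0.10")    # constructed
CLIENT = ipaddress.ip_address("198.51.100.7")       # constructed (documentation range)

# Valid Addresses per interface: a list of networks, or the string "others".
THIS_NET = {"ext": "others", "pdmz": [PDMZ_NET]}
SPECIFIC_GROUP = {"ext": "others",
                  "pdmz": [PDMZ_NET, ipaddress.ip_network("204.32.38.103/32")]}

def covered(addr, nets):
    """True if addr falls inside any network of the list."""
    return any(addr in n for n in nets)

def valid_on(addr, ifname, cfg):
    """Apply one interface's Valid Addresses setting to one address."""
    spec = cfg[ifname]
    if spec == "others":
        # "Others": every address not claimed by another interface.
        return not any(covered(addr, v) for k, v in cfg.items()
                       if k != ifname and v != "others")
    return covered(addr, spec)

def verdict(src, dst, in_if, out_if, cfg):
    """Source is checked where the packet enters, destination where it leaves."""
    if not valid_on(src, in_if, cfg):
        return f"drop: source {src} not valid on {in_if}"
    if not valid_on(dst, out_if, cfg):
        return f"drop: destination {dst} not valid on {out_if}"
    return "accept"

if __name__ == "__main__":
    for name, cfg in (("This net", THIS_NET), ("Specific group", SPECIFIC_GROUP)):
        print(name)
        # Request to the web server, destination still the public address.
        print("  request:", verdict(CLIENT, WEB_PUBLIC, "ext", "pdmz", cfg))
        # Reply from the web server toward the client.
        print("  reply:  ", verdict(WEB_PRIVATE, CLIENT, "pdmz", "ext", cfg))
        # Outside packet claiming the server's public address as its source.
        print("  spoofed:", verdict(WEB_PUBLIC, WEB_PUBLIC, "ext", "pdmz", cfg))
```

In this model, adding the public address to the p-DMZ group also removes it from "Others" on the external interface, so an outside packet that claims that address as its source is rejected on arrival.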