[FW1] Virtual IPs on interfaces
Hi, quick question...

When setting up virtual IPs on interfaces on your firewall, i.e.:

  hme0    172.16.2.1/24  <- link to internet
  hme1    10.0.1.1/24    <- link to internal net
  hme1:1  10.0.2.1/24    <- link to internal net
  hme2    10.1.1.1/24    <- link to other internal net
  hme2:1  10.1.2.1/24    <- link to other internal net

(before you say I could use a different mask on hme1 and hme2, the IPs have obviously been changed...)

in the firewall object's interface definition, should hme1:1 and hme2:1 be defined as well as hme0, hme1, hme2?

The reason I am asking is that there is normally a stealth rule near the top of the rule base, something like:

  src   dest      service   action
  any   firewall  any       drop

to protect the firewall. If the virtual interfaces are not defined in the firewall object then the virtual interfaces are still 'visible' to the subnets. I.e., consider:

  rule#  src           dest      service   action
  1      --misc rules above--
  2      trustedhosts  firewall  ssh       allow
  3      any           firewall  any       drop
  4      internalnet   any       ssh       allow
  5      --misc rules here--
  6      any           any       any       drop

If the virtual interfaces are NOT defined in the firewall object, then internal hosts will be able to connect to the virtual interfaces of the firewall, which rule 3 is meant to protect against.

So in essence, should virtual interfaces (e.g. hme1:1, hme1:2 etc.) be defined in the firewall object's interfaces tab?

Any comments?

------------------------------------------------------------
Internet communications are not secure and therefore Oyster Partners Ltd does not accept legal responsibility for the contents of this message. Any views or opinions presented are solely those of the author and do not necessarily represent those of Oyster Partners Ltd.
================================================================================
To unsubscribe from this mailing list, please see the instructions at http://www.checkpoint.com/services/mailing.html
================================================================================
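The gap the poster describes can be checked mechanically. The following is an added example, not code from the original list post or from Check Point: a small first-match rule-base evaluator that builds the "firewall" object once from the physical interface addresses only and once with the virtual interface addresses included, then asks which interface addresses an internal host can still reach over ssh. The interface addresses, rule numbers and object names are the ones in the post; the trusted admin host 10.0.1.50 and the internal source host 10.0.2.77 are constructed sample values, and rules 1 and 5 ("misc rules") are left out because the post gives no content for them.

```python
"""
Added example (not from the FW-1 list post or Check Point): first-match
rule-base evaluation showing that the stealth rule only covers addresses
that belong to the firewall object. Sample hosts are constructed values.
"""
import ipaddress
from dataclasses import dataclass

Net = ipaddress.IPv4Network

# Interface addresses from the post; hme1:1 and hme2:1 are the virtual IPs.
PHYSICAL_IFACE_IPS = {"hme0": "172.16.2.1", "hme1": "10.0.1.1", "hme2": "10.1.1.1"}
VIRTUAL_IFACE_IPS = {"hme1:1": "10.0.2.1", "hme2:1": "10.1.2.1"}


@dataclass(frozen=True)
class Rule:
    src: str       # object name
    dst: str       # object name
    service: str   # "any" or a service name such as "ssh"
    action: str    # "allow" or "drop"


def firewall_object(include_virtual_ifaces):
    """The firewall object's own addresses, as /32 networks."""
    ips = list(PHYSICAL_IFACE_IPS.values())
    if include_virtual_ifaces:
        ips += list(VIRTUAL_IFACE_IPS.values())
    return [Net(ip + "/32") for ip in ips]


def build_objects(include_virtual_ifaces):
    """Object table: name -> list of networks, or None for 'any'."""
    return {
        "any": None,
        "firewall": firewall_object(include_virtual_ifaces),
        "trustedhosts": [Net("10.0.1.50/32")],                   # constructed admin host
        "internalnet": [Net("10.0.1.0/24"), Net("10.0.2.0/24")],  # subnets behind hme1
    }


# Rule numbers follow the post; rules 1 and 5 are unspecified "misc" rules.
RULEBASE = [
    (2, Rule("trustedhosts", "firewall", "ssh", "allow")),
    (3, Rule("any", "firewall", "any", "drop")),          # the stealth rule
    (4, Rule("internalnet", "any", "ssh", "allow")),
    (6, Rule("any", "any", "any", "drop")),               # clean-up rule
]


def matches(objects, name, ip):
    """True if address ip belongs to the named object ('any' matches all)."""
    nets = objects[name]
    if nets is None:
        return True
    addr = ipaddress.ip_address(ip)
    return any(addr in n for n in nets)


def evaluate(rulebase, objects, src_ip, dst_ip, service):
    """First matching rule wins; returns (rule number, action)."""
    for number, rule in rulebase:
        if (matches(objects, rule.src, src_ip)
                and matches(objects, rule.dst, dst_ip)
                and rule.service in ("any", service)):
            return number, rule.action
    return None, "drop"  # nothing matched: implicit drop


def stealth_gap(include_virtual_ifaces, src_ip="10.0.2.77"):
    """Interfaces of the firewall that an internal host can reach over ssh
    despite the stealth rule. Empty when the firewall object is complete."""
    objects = build_objects(include_virtual_ifaces)
    all_ifaces = {**PHYSICAL_IFACE_IPS, **VIRTUAL_IFACE_IPS}
    reachable = []
    for iface, ip in all_ifaces.items():
        _, action = evaluate(RULEBASE, objects, src_ip, ip, "ssh")
        if action == "allow":
            reachable.append(iface)
    return reachable


if __name__ == "__main__":
    print("virtual IPs omitted from firewall object:", stealth_gap(False))
    print("virtual IPs included in firewall object:", stealth_gap(True))
```

With the virtual addresses omitted, ssh from 10.0.2.77 to 10.0.2.1 falls past rule 3 (the destination is not in the "firewall" object) and is accepted by rule 4; with them included, rule 3 drops it, and the admin host still reaches the gateway via rule 2.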