
[FW1] Virtual IPs on interfaces



Hi,

quick question... 

When setting up virtual IPs on interfaces on your firewall, i.e.:

hme0    172.16.2.1/24          <- link to internet
hme1    10.0.1.1/24            <- link to internal net
hme1:1  10.0.2.1/24            <- link to internal net
hme2    10.1.1.1/24            <- link to other internal net
hme2:1  10.1.2.1/24            <- link to other internal net

(before you say I could use a different mask on hme1 and hme2, the IPs have
obviously been changed...)

in the firewall object's interface definition, should hme1:1 and hme2:1 be
defined as well as hme0, hme1, hme2?

The reason I am asking is that there is normally a stealth rule near the top
of the rule base something like:

src   dest       service   action
any   firewall   any       drop

to protect the firewall. If the virtual interfaces are not defined in the
firewall object then the virtual interfaces are still 'visible' to the
subnets. I.e. consider:

rule#   src            dest       service   action
1       --misc rules above--
2       trustedhosts   firewall   ssh       allow
3       any            firewall   any       drop
4       internalnet    any        ssh       allow
5       --misc rules here--
6       any            any        any       drop

If the virtual interfaces are NOT defined in the firewall object, then
internal hosts will be able to connect to the virtual interfaces of the
firewall which rule 3 is meant to protect against.

So in essence, should virtual interfaces (e.g. hme1:1, hme1:2 etc.) be defined
in the firewall object's interfaces tab?

Any comments?

------------------------------------------------------------
Internet communications are not secure and therefore Oyster Partners Ltd
does not accept legal responsibility for the contents of this message. Any
views or opinions presented are solely those of the author and do not
necessarily represent those of Oyster Partners Ltd.


================================================================================
     To unsubscribe from this mailing list, please see the instructions at
               http://www.checkpoint.com/services/mailing.html
================================================================================
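A small model of the rule base from the post, added here as an illustration (it is not Check Point code and not the poster's). It assumes internalnet covers 10.0.0.0/16 and 10.1.0.0/16 and that 10.0.1.50 is the trusted admin host; it shows rule 4 admitting ssh to the alias addresses when they are left out of the firewall object, and rule 3 catching them once they are included.

```python
from ipaddress import ip_address, ip_network

# Constructed model of the rule base in the post (not Check Point code).
# The "firewall" object is the set of addresses on its Interfaces tab; the
# stealth rule matches only packets whose destination is in that set.
PHYSICAL_IFACES = {"172.16.2.1", "10.0.1.1", "10.1.1.1"}       # hme0, hme1, hme2
VIRTUAL_IFACES = {"10.0.2.1", "10.1.2.1"}                      # hme1:1, hme2:1
INTERNALNET = [ip_network("10.0.0.0/16"), ip_network("10.1.0.0/16")]  # assumed
TRUSTEDHOSTS = {"10.0.1.50"}                                   # assumed admin host

def build_rules(firewall_addrs):
    """Rules 2, 3, 4 and 6 as (number, src_match, dst_match, service, action)."""
    def fw(ip):
        return ip in firewall_addrs

    def internal(ip):
        return any(ip_address(ip) in net for net in INTERNALNET)

    def anyhost(ip):
        return True

    return [
        (2, lambda ip: ip in TRUSTEDHOSTS, fw, "ssh", "allow"),
        (3, anyhost, fw, "any", "drop"),       # stealth rule
        (4, internal, anyhost, "ssh", "allow"),
        (6, anyhost, anyhost, "any", "drop"),  # cleanup rule
    ]

def evaluate(rules, src, dst, service):
    """First match wins, as the rule base is processed top to bottom."""
    for number, src_ok, dst_ok, svc, action in rules:
        if src_ok(src) and dst_ok(dst) and svc in ("any", service):
            return number, action
    return None, "drop"  # nothing matched: implicit drop

def audit(firewall_addrs, src="10.0.1.99"):
    """Rule that handles ssh from an untrusted internal host to each firewall address."""
    rules = build_rules(firewall_addrs)
    return {dst: evaluate(rules, src, dst, "ssh")
            for dst in sorted(PHYSICAL_IFACES | VIRTUAL_IFACES)}

if __name__ == "__main__":
    print("aliases NOT in object:", audit(PHYSICAL_IFACES))
    print("aliases in object:    ", audit(PHYSICAL_IFACES | VIRTUAL_IFACES))
```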