Re: [FW1] Partition off a class C within a 10.x.x.x RFC 1918 net
From: "Greg Winkler" <[email protected]>
Subject: [FW1] Partition off a class C within a 10.x.x.x RFC 1918 net

> We use a 10.x.x.x network internally per RFC 1918. Up until today I've
> used a network object of 10.0.0.0 with a mask of 255.0.0.0 to refer to
> all of my internal hosts.

God, I can't imagine what your ARP table might look like! :)

> Ideally I would have an object that included all of my
> 10.x.x.x networks EXCEPT for 10.250.1.x.

Why not just create 2 objects: ClassA = 10.0.0.0/8, ClassC = 10.250.1.0/24. FW1 doesn't care.

When you write your policy, make sure all the rules for ClassC are on top of the rules for ClassA. The sieve effect will deal with your ClassC first; anything else is implicitly !ClassC, ergo your ClassA rule gets it next. At the end of your ClassC rule bloc, explicitly drop stuff for your ClassC, so your ClassA rules don't "accidentally" get packets that didn't match your ClassC rules.

For routing, the same principle applies, more specific to less specific. Just make sure you have routes defined for 10.0.0.0/8 (general) as well as 10.250.10.0/24 (specific).

Why is this hard? Am I missing something really obvious?

CT

================================================================================
To unsubscribe from this mailing list, please see the instructions at
http://www.checkpoint.com/services/mailing.html
================================================================================
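The two mechanisms CT describes, first-match rule ordering with an explicit stopper versus longest-prefix routing, are simulated below as an added example; it is not code from the thread or from Check Point. The object names ClassA and ClassC follow the reply; the destination host 192.0.2.10, the service ports, the next-hop addresses and the sample packets are constructed assumptions for illustration. The "leaky" rulebase shows what goes wrong when the explicit ClassC drop is left out.

```python
import ipaddress

# Constructed objects mirroring the reply: the whole 10/8 and the carved-out /24.
CLASS_A = ipaddress.ip_network("10.0.0.0/8")
CLASS_C = ipaddress.ip_network("10.250.1.0/24")
ANY = ipaddress.ip_network("0.0.0.0/0")

# Assumed DMZ web host used as a destination in the sample rules (not from the post).
DMZ_WEB = ipaddress.ip_network("192.0.2.10/32")


def first_match(rulebase, src, dst, dport):
    """FW-1 style sieve: walk the rulebase top to bottom and return
    (rule number, action) for the first rule whose source, destination
    and service all match.  A rule is (src_net, dst_net, port_or_None, action).
    Nothing matched means the implicit cleanup rule drops the packet."""
    src = ipaddress.ip_address(src)
    dst = ipaddress.ip_address(dst)
    for number, (rsrc, rdst, rport, action) in enumerate(rulebase, 1):
        if src in rsrc and dst in rdst and (rport is None or rport == dport):
            return number, action
    return None, "drop"  # implicit drop at the bottom of the rulebase


# Rulebase laid out as advised: ClassC rules on top, then an explicit drop
# for ClassC, then the broad ClassA rules.
GOOD_POLICY = [
    (CLASS_C, DMZ_WEB, 443, "accept"),  # ClassC may reach the web host on 443
    (CLASS_C, ANY, None, "drop"),       # explicit stopper for the ClassC bloc
    (CLASS_A, ANY, None, "accept"),     # everything else in 10/8
]

# Same rules without the stopper: ClassC traffic that misses rule 1 falls
# straight through into the permissive ClassA rule.
LEAKY_POLICY = [
    (CLASS_C, DMZ_WEB, 443, "accept"),
    (CLASS_A, ANY, None, "accept"),
]


def longest_prefix(routes, dst):
    """Routing lookup: among all prefixes containing dst, the most specific
    (longest) one wins regardless of table order.  Returns the next hop."""
    dst = ipaddress.ip_address(dst)
    candidates = [(net, hop) for net, hop in routes if dst in net]
    if not candidates:
        return None
    return max(candidates, key=lambda r: r[0].prefixlen)[1]


# Constructed routing table: the general /8 and the specific /24 with
# different (assumed) next hops.  Order deliberately puts the /8 first.
ROUTES = [
    (CLASS_A, "10.0.0.1"),
    (CLASS_C, "10.250.1.1"),
]

if __name__ == "__main__":
    print(first_match(GOOD_POLICY, "10.250.1.5", "192.0.2.10", 443))   # (1, 'accept')
    print(first_match(GOOD_POLICY, "10.250.1.5", "192.0.2.10", 22))    # (2, 'drop')
    print(first_match(LEAKY_POLICY, "10.250.1.5", "192.0.2.10", 22))   # (2, 'accept') leak
    print(first_match(GOOD_POLICY, "10.20.3.4", "192.0.2.10", 22))     # (3, 'accept')
    print(longest_prefix(ROUTES, "10.250.1.5"))                        # 10.250.1.1
    print(longest_prefix(ROUTES, "10.20.3.4"))                         # 10.0.0.1
```

The contrast between the two rulebases is the point: rule ordering alone only guarantees that ClassC packets are *examined* first. Without the explicit drop at the end of the ClassC bloc, a ClassC packet that matches none of the ClassC rules is still a member of ClassA and is accepted by the broad rule below. Routing does not need the stopper because longest-prefix match picks the /24 over the /8 wherever the /24 applies.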