RE: [FW1] Partition off a class C within a 10.x.x.x RFC 1918 net




Uhhm..  I might be off-track here,
but what happens to a client in
the 10.0.0.0/8 network who wants to
talk to someone in 10.250.1.0/24?

Since any 10.0.0.0 address is assumed to
be local, no packet ever makes it to the
FW/router/gateway.

Or..?

Anders :)



-----Original Message-----
From: Christine Tran [mailto:[email protected]]
Sent: 30. november 2000 23:06
To: [email protected]
Subject: Re: [FW1] Partition off a class C within a 10.x.x.x RFC 1918 net



From: "Greg Winkler" <[email protected]>
Subject: [FW1] Partition off a class C within a 10.x.x.x RFC 1918 net

> We use a 10.x.x.x network internally per RFC 1918. Up until today I've
> used a network object of 10.0.0.0 with a mask of 255.0.0.0 to refer to
> all of my internal hosts. 

God I can't imagine what your arp table might look like! :)

> Ideally I would have an object that included all of my
> 10.x.x.x networks EXCEPT for 10.250.1.x. 

Why not just create 2 objects:  ClassA = 10.0.0.0/8,  ClassC = 10.250.1.0/24.
FW1 doesn't care.  When you write your policy, make sure all the rules
for ClassC are on top of the rules for ClassA.  The sieve effect will deal
with your ClassC first, anything else is implicitly !ClassC, ergo your
ClassA rule gets it next.  At the end of your ClassC rule block explicitly
drop stuff for your ClassC, so your ClassA rules don't "accidentally" get
packets that didn't match your ClassC rules.

For routing, the same principle applies, more specific to less specific.
Just make sure you have routes defined for 10.0.0.0/8 (general) as well as
10.250.10.0/24 (specific).

Why is this hard?  Am I missing something really obvious?

CT



============================================================================
====
     To unsubscribe from this mailing list, please see the instructions at
               http://www.checkpoint.com/services/mailing.html
============================================================================
====
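
The rule ordering described in the quoted reply, as an added example that is not part of the original thread and is not FireWall-1 syntax: a minimal first-match evaluator in Python showing what the explicit drop at the end of the ClassC block prevents, plus a check for rules shadowed by a broader rule placed above them. Rule names, ports and the test address are constructed for illustration.

```python
import ipaddress

CLASS_A = ipaddress.ip_network("10.0.0.0/8")
CLASS_C = ipaddress.ip_network("10.250.1.0/24")
ANY = ipaddress.ip_network("0.0.0.0/0")

def build_rules(classc_cleanup=True):
    """Constructed rule base: (name, source net, dest port or None=any, action)."""
    rules = [("classC-dns", CLASS_C, 53, "accept")]
    if classc_cleanup:
        # Explicit drop closing the ClassC block, as the post recommends.
        rules.append(("classC-cleanup", CLASS_C, None, "drop"))
    rules += [
        ("classA-web", CLASS_A, 80, "accept"),
        ("classA-dns", CLASS_A, 53, "accept"),
        ("final-cleanup", ANY, None, "drop"),
    ]
    return rules

def evaluate(rules, src, dport):
    """First-match evaluation: return (rule name, action) for a packet."""
    addr = ipaddress.ip_address(src)
    for name, net, port, action in rules:
        if addr in net and port in (None, dport):
            return name, action
    return "implicit", "drop"

def shadowed(rules):
    """Rules that can never match because an earlier, broader rule covers them."""
    hits = []
    for i, (name, net, port, _) in enumerate(rules):
        for ename, enet, eport, _ in rules[:i]:
            if net.subnet_of(enet) and eport in (None, port):
                hits.append((name, ename))
                break
    return hits

if __name__ == "__main__":
    for label, rules in (("with ClassC cleanup", build_rules(True)),
                         ("without ClassC cleanup", build_rules(False))):
        print(label, evaluate(rules, "10.250.1.7", 80))
    good = build_rules(True)
    misordered = good[2:4] + good[0:2] + good[4:]  # ClassA block placed on top
    print("shadowed when misordered:", shadowed(misordered))
```

Without the ClassC cleanup rule, a ClassC host's port 80 traffic falls through to the ClassA web rule and is accepted; with the ClassA block on top, the ClassC DNS rule is never reached.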
   All contents © 2004 Network Presence, LLC. All rights reserved.