RE: [FW1] Partition off a class C within a 10.x.x.x RFC 1918 net
Uhhm.. I might be off-track here, but what happens to a client in the 10.0.0.0/8 network who wants to talk to someone in 10.250.1.0/24? Since any 10.0.0.0 address is assumed to be local, no packet ever makes it to the FW/router/gateway. Or..?

Anders :)

-----Original Message-----
From: Christine Tran [mailto:[email protected]]
Sent: 30. november 2000 23:06
To: [email protected]
Subject: Re: [FW1] Partition off a class C within a 10.x.x.x RFC 1918 net

From: "Greg Winkler" <[email protected]>
Subject: [FW1] Partition off a class C within a 10.x.x.x RFC 1918 net

> We use a 10.x.x.x network internally per RFC 1918. Up until today I've
> used a network object of 10.0.0.0 with a mask of 255.0.0.0 to refer to
> all of my internal hosts.

God I can't imagine what your arp table might look like! :)

> Ideally I would have an object that included all of my
> 10.x.x.x networks EXCEPT for 10.250.1.x.

Why not just create 2 objects: ClassA = 10.0.0.0/8, ClassC = 10.250.1.0/24. FW1 doesn't care. When you write your policy, make sure all the rules for ClassC are on top of the rules for ClassA. The sieve effect will deal with your ClassC first, anything else is implicitly !ClassC, ergo your ClassA rule gets it next. At the end of your ClassC rule block explicitly drop stuff for your ClassC, so your ClassA rules don't "accidentally" get packets that didn't match your ClassC rules.

For routing, the same principle applies, more specific to less specific. Just make sure you have routes defined for 10.0.0.0/8 (general) as well as 10.250.10.0/24 (specific).

Why is this hard? Am I missing something really obvious?
CT

================================================================================
To unsubscribe from this mailing list, please see the instructions at
http://www.checkpoint.com/services/mailing.html
================================================================================
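
The rule ordering discussed in the thread above, as an added example that is not part of the original messages and is not FW-1 configuration: a first-match evaluator showing a ClassC packet falling through to a ClassA rule when the ClassC block has no closing drop, plus a check for rules hidden by a less specific rule above them. The rule names, ports and the host 10.250.1.7 are constructed for illustration.

```python
import ipaddress

# Constructed objects for the two networks named in the thread.
CLASS_A = ipaddress.ip_network("10.0.0.0/8")
CLASS_C = ipaddress.ip_network("10.250.1.0/24")
ANY = ipaddress.ip_network("0.0.0.0/0")

def build_rules(class_c_cleanup=True):
    """Hypothetical rule base: (name, source net, dest port or None=any, action)."""
    rules = [("classC-smtp", CLASS_C, 25, "accept")]
    if class_c_cleanup:
        # Explicit drop closing the ClassC block, as the reply recommends.
        rules.append(("classC-cleanup", CLASS_C, None, "drop"))
    rules.append(("classA-web", CLASS_A, 80, "accept"))
    rules.append(("final-cleanup", ANY, None, "drop"))
    return rules

def evaluate(rules, src, dport):
    """Top-down, first-match evaluation; returns (rule name, action)."""
    addr = ipaddress.ip_address(src)
    for name, net, port, action in rules:
        if addr in net and (port is None or port == dport):
            return name, action
    return None, "drop"

def shadowed(rules):
    """Names of rules that can never fire because an earlier rule covers them."""
    hidden = []
    for i, (name, net, port, _) in enumerate(rules):
        for _, prev_net, prev_port, _ in rules[:i]:
            if net.subnet_of(prev_net) and prev_port in (None, port):
                hidden.append(name)
                break
    return hidden

# Less specific rule placed first: the ClassC rule below it is dead.
MISORDERED = [
    ("classA-web", CLASS_A, 80, "accept"),
    ("classC-web-deny", CLASS_C, 80, "drop"),
    ("final-cleanup", ANY, None, "drop"),
]

if __name__ == "__main__":
    host = "10.250.1.7"  # constructed ClassC host
    print(evaluate(build_rules(True), host, 80))
    print(evaluate(build_rules(False), host, 80))
    print(shadowed(MISORDERED))
```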