RE: [FW1] FW-1, ver. 4.1 Spoofing
I do not think this has something to do with NAT Hide. I cannot think of any reason why you should need to configure the 0.0.0.0 object in the Antispoofing configuration as a dependency for NAT. The only reason I would think you needed something like this is if you use forwarding of Bootp through your Firewall (please correct me if I'm wrong).

When the 0.0.0.0 (Workstation) object is used in the Antispoofing rules Firewall-1 treats this as NO Address. If you use Firewall-1 as a DHCP-Relay Agent (or even worse as a DHCP/Bootp-Server) I think you will have to create this object, since the clients have no address when they send the DHCP-request.

It seems like you are using a Network Object in your configuration. I'm not sure, but would think that Firewall-1 treats this object the same way as the workstation in this specific scenario. What this configuration does (if I'm not mistaking anything) is simply to allow IP packets with no source address through the Antispoofing settings. It still would be inspected in the rulebase and would need an accept there as well.

For DHCP you would need to accept these protocols through to your DHCP-Server:

bootps 67/udp dhcps #Bootstrap Protocol Server
bootpc 68/udp dhcpc #Bootstrap Protocol Client

Hope this clarifies a little.

Just come to think of something; it might be that Firewall-1 treats the Network Object specified 0.0.0.0/0.0.0.0 as any. That would be easy to find out, but I do not have any Firewalls beside me at the moment to test this. But since you have chosen Specific on this Interface this means that if the Interface=Internet Firewall-1 treats this object as any. If the Interface=Internal Firewall-1 treats this object as No Address.

That theory only works if your Firewall is connected to the Internet and the Internet communication is working :-) Normally on a Firewall connected to the Internet you would specify all interfaces with specific addresses and one with others or others + (meaning all other than the addresses specified on the other interfaces :) On an internal Firewall you might want to specify all of the Interfaces (depending on your setup).

The 0.0.0.0 object in the NAT Hide rules means that the Firewall uses its own address (the address on the Interface which the packets are leaving) when it translates communication through the Firewall.

/erik

> -----Original Message-----
> From: [email protected]
> [mailto:[email protected]]
> Sent: Monday, March 05, 2001 3:56 PM
> To: [email protected]
> Subject: [FW1] FW-1, ver. 4.1 Spoofing
>
> Hello,
>
> On my FW, on the FW object itself, under Interfaces, one of the net. cards,
> Interface Properties, security - the Antispoofing is set to SPECIFIC.
> Under this a group object is specified. One of the elements in this group
> defines net-addresses 0.0.0.0
> I do understand that it has something to do with NAT hide, but can anyone
> explain what this actually is doing?
>
> Regards
> Jan Ottemo
> IT-Department
> Odfjell ASA
>
> Telephone: +47 55274582
> Mobile : +47 91786986
> mailto:[email protected]
>
> **********************************************************************
> This e-mail message has been scanned for viruses
> and it has been found clean.
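The two-stage check Erik describes (antispoofing on the interface first, then the rulebase), as an added Python model that is not Check Point code and not from the thread. The interface names, the 10.1.0.0/16 network, the rules and the DHCP packets are constructed, and the 0.0.0.0 object is modelled on the "No Address" reading given above, which the thread itself leaves uncertain.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

NO_ADDRESS = "0.0.0.0"  # the 0.0.0.0 object, modelled as "No Address" (assumption)

@dataclass
class Packet:
    iface: str
    src: str
    dst: str
    proto: str
    dport: int

# Services named in the thread: bootps 67/udp, bootpc 68/udp.
SERVICES = {"bootps": ("udp", 67), "bootpc": ("udp", 68)}

# Constructed DHCP DISCOVER arriving on the internal interface: the client has no address yet.
DHCP_DISCOVER = Packet("internal", "0.0.0.0", "255.255.255.255", "udp", 67)

# Constructed antispoofing groups for a 'Specific' interface, with and without the 0.0.0.0 object.
ANTISPOOF_WITH_NOADDR = {"internal": ["10.1.0.0/16", NO_ADDRESS]}
ANTISPOOF_WITHOUT_NOADDR = {"internal": ["10.1.0.0/16"]}

# Constructed rulebase: (src, dst, service, action); accept bootps to the broadcast address.
DHCP_RULES = [("any", "255.255.255.255", "bootps", "accept")]

def _matches(obj, addr):
    """'any' matches everything; the No Address object only ever matches a sourceless packet."""
    if obj == "any":
        return True
    if obj == NO_ADDRESS or addr == NO_ADDRESS:
        return obj == addr
    return ip_address(addr) in ip_network(obj)

def antispoof_allows(cfg, pkt):
    """'Specific' antispoofing: the source must match one object in the interface's group."""
    return any(_matches(obj, pkt.src) for obj in cfg[pkt.iface])

def rulebase_accepts(rules, pkt):
    """First matching rule wins; anything unmatched falls through to the implicit drop."""
    for src, dst, svc, action in rules:
        if svc != "any" and SERVICES[svc] != (pkt.proto, pkt.dport):
            continue
        if _matches(src, pkt.src) and _matches(dst, pkt.dst):
            return action == "accept"
    return False

def evaluate(cfg, rules, pkt):
    """Report which stage decided the packet: antispoofing runs before the rulebase."""
    if not antispoof_allows(cfg, pkt):
        return "dropped by antispoofing"
    return "accepted" if rulebase_accepts(rules, pkt) else "dropped by rulebase"
```

Passing antispoofing with the 0.0.0.0 object is not enough on its own: with no bootps rule the same DISCOVER is still dropped, this time by the rulebase.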