RE: [FW1] spoofing
In the anti-spoofing settings, you specify, for each FW-interface, which addresses are allowed as sources and destinations on that specific interface. For instance, it would not be correct for a packet to have a source address from the 192.168.2.0 network if it comes from your internal network. Likewise, packets shouldn't enter your internal network from the outside with source addresses from your internal network.

So, putting together the anti-spoofing we get:

1. Using just the network addresses for each network (no NAT)

   DMZ: "This Net"
   Internal: "This Net"
   External: "Others"

2. Adding NAT, you must also allow the NAT addresses

   Create a group for each (non-external) interface, containing the valid addresses. Then use "Specific" to specify this group in the anti-spoofing settings. The groups must contain:

   DMZ: DMZ-network + public/NAT-addresses for the web and DNS servers.
   Internal: Internal network + public/NAT-addresses for the web-server.
   External: No group needed, still set to "Others".

Cheers,
Anders :)

-----Original Message-----
From: Don Leeper [mailto:[email protected]]
Sent: 25 July 2001 19:59
To: '[email protected]'
Subject: [FW1] spoofing

I was wondering if someone could give me your input on anti-spoofing. I have 3 interfaces on my FW:

DMZ 192.168.2.1
External 63.64.1.1
Internal 192.168.1.1

I have a DNS server and web server sitting on the DMZ, which need to be open to the public. I have my email server and one web server on the Internal. They need to be accessible to the public as well. All addresses that are for the public are NATed. Could someone tell me how you would set up the anti-spoofing on the FW that won't affect my setup but protect me? I noticed in my logs that someone was trying to get in using private addresses. Thanks for your help in advance. (I did look it up but I think it's better to hear how others do it!) Kind of confusing....
Donnie Leeper
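The per-interface model Anders describes, as an added example (not Check Point's code and not from either poster): a Python check that applies "Specific" groups to the DMZ and Internal legs and "Others" to External, using the interface networks from Don's post. The public NAT addresses (63.64.1.10, .11, .20) are assumed placeholders, since the thread does not give them.

```python
"""Per-interface anti-spoofing check as described in the thread (added example,
not Check Point code). Interface networks come from the original post; the
public NAT addresses are constructed placeholders."""
from ipaddress import ip_address, ip_network

OTHERS = "Others"  # External interface: anything not claimed by another interface

# "Specific" groups for the non-external interfaces: the interface's own
# network plus the public NAT addresses of the servers that live behind it.
ANTI_SPOOF = {
    "DMZ": [
        ip_network("192.168.2.0/24"),
        ip_network("63.64.1.10/32"),  # placeholder: NAT address of DMZ web server
        ip_network("63.64.1.11/32"),  # placeholder: NAT address of DMZ DNS server
    ],
    "Internal": [
        ip_network("192.168.1.0/24"),
        ip_network("63.64.1.20/32"),  # placeholder: NAT address of internal web server
    ],
    "External": OTHERS,
}


def valid_source(interface, src):
    """True if a packet with source `src` may arrive on `interface`:
    "Specific" -> source inside this interface's group;
    "Others"   -> source not inside any other interface's group."""
    src = ip_address(src)
    setting = ANTI_SPOOF[interface]
    if setting == OTHERS:
        claimed = [net for name, nets in ANTI_SPOOF.items()
                   if name != interface and nets != OTHERS for net in nets]
        return not any(src in net for net in claimed)
    return any(src in net for net in setting)


# Constructed sample packets: (interface they arrived on, source address).
SAMPLE = [
    ("Internal", "192.168.1.50"),  # internal host talking out: accept
    ("External", "192.168.1.50"),  # internal address from outside: spoofed
    ("External", "63.64.1.20"),    # our own NAT address from outside: spoofed
    ("DMZ", "192.168.1.50"),       # internal address on the DMZ leg: spoofed
    ("External", "203.0.113.7"),   # ordinary Internet host: accept
]


def audit(packets=SAMPLE):
    """Map each packet to the verdict an anti-spoofing log line would carry."""
    return {p: ("accept" if valid_source(*p) else "spoofed") for p in packets}
```

Note that "Others" only rejects sources claimed by another interface's group, so a private address that is defined nowhere (10.0.0.5, say) still passes this check and is left to the rule base.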