[FW-1] Anti-Spoofing

After reading about anti-spoofing setup on the firewall object, I still have questions about setups with multiple networks on the inside interface.

Let's say that the inside interface ie0 (192.168.1.0/24) can also reach multiple interconnected private networks (192.168.2.0/24, 10.10.10.0/24 and 172.168.2.0/24). The anti-spoofing on this interface should be of type Specific with a group (Antispoof-ie0) of all 4 network segments.

The anti-spoofing on the ie1 (DMZ) interface 207.236.100.0/24 would be of type ThisNet.

What should the anti-spoofing rule be on the ie2 interface, the one on the internet side? Should the anti-spoofing be of type Others+ AntispoofA-ie2, meaning anything but this network AND some specific addresses, like the hide NAT address, included in the antispoof-ie2 group?

What happens if a spoofed packet with a source address of 10.10.10.1 shows up on the ie2 interface? Since this address is not directly connected to the ie0 interface, does FW1 know that it should drop it as a spoofed packet?

Daniel Bourque