Re: [FW-1] Anti-Spoofing
> -----Original Message-----
> From: Bourque Daniel [mailto:[email protected]]
> Sent: 17 October 2001 02:58
> To: [email protected]
> Subject: [FW-1] Anti-Spoofing

[..]

> Should the anti-spoofing be of type Others+ AntispoofA-ie2, meaning anything
> but this network AND some specific addresses like the hide NAT address
> included in the antispoof-ie2 group?

No. Just use "Others".

First of all, "Others" doesn't mean "anything but this net"; it means anything that's not defined on other interfaces.

Second, from what I understand, if you're hide-NATing the internal network, you don't need to add the address to any anti-spoofing group. According to CP, address translation takes place as follows (taken from the manual, SECADMIN.PDF):

* for a packet going from the client to the server, just before the packet leaves the interface closest to the server.
* for a packet going from the server to the client, just after the packet enters the interface closest to the server.

The question the anti-spoofing mechanism asks is: "is this a valid source address for a packet coming in on this interface?" (with "coming in" meaning "coming from the connected network", not from other interfaces).

Thus, for the hide NAT, since the source address is not translated until just before the packet leaves the FW's external interface, anti-spoofing is not affected.

> What happens if a spoofed packet with a source address of 10.10.10.1 shows up on
> the ie2 interface? Since this address is not directly connected to the ie0
> interface, does FW1 know that it should drop it as a spoofed packet?

If 10.10.10.1 is listed as a valid source address for any other interface, then ie2 will see it as a spoofed packet, if you set ie2 to "Others".

Cheers,
Anders :)

===============================================
To unsubscribe from this mailing list, please see the instructions at http://www.checkpoint.com/services/mailing.html
===============================================
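The two points Anders makes (what "Others" means, and why the hide-NAT address never needs to be in an anti-spoofing group because translation happens after the ingress check) are easier to see in a small model. The following is an added example written for this page, not Check Point code and not from either poster: it models the ordering described above (anti-spoofing on ingress, hide NAT just before egress on the external interface, reverse translation just after ingress for the reply). The interface names ie0/ie1/ie2, the networks, the hide-NAT address 203.0.113.10 and the port allocation are all assumptions constructed for the example.

```python
import ipaddress

# Constructed topology (assumption, not from the thread beyond ie0/ie2 and 10.10.10.x):
#   ie0 = internal, valid sources 10.10.10.0/24
#   ie1 = DMZ,      valid sources 192.168.50.0/24
#   ie2 = external, anti-spoofing set to "Others"
OTHERS = "Others"
INTERFACES = {
    "ie0": [ipaddress.ip_network("10.10.10.0/24")],
    "ie1": [ipaddress.ip_network("192.168.50.0/24")],
    "ie2": OTHERS,
}
HIDE_NAT_ADDRESS = "203.0.113.10"  # assumed hide-NAT address used on ie2

# Hypothetical hide-NAT state: (translated src, translated sport) -> (original src, sport)
NAT_TABLE = {}
_next_port = [10000]  # hypothetical port allocator for the hide NAT


def valid_source(iface, src):
    """The anti-spoofing question: is src a valid source for a packet that
    enters iface from its connected network?  "Others" means: any address
    that is NOT defined as valid on some other interface."""
    src = ipaddress.ip_address(src)
    spec = INTERFACES[iface]
    if spec == OTHERS:
        return not any(
            src in net
            for other, nets in INTERFACES.items()
            if other != iface and nets != OTHERS
            for net in nets
        )
    return any(src in net for net in spec)


def outbound_path(src, sport, ingress="ie0", egress="ie2"):
    """Client -> server packet.  Anti-spoofing runs on the ingress interface
    against the UNtranslated source; hide NAT happens only just before the
    packet leaves the interface closest to the server (the external one)."""
    if not valid_source(ingress, src):
        return ("drop", "anti-spoofing on " + ingress)
    if INTERFACES[egress] == OTHERS:  # hide NAT applies on the external interface
        nport = _next_port[0]
        _next_port[0] += 1
        NAT_TABLE[(HIDE_NAT_ADDRESS, nport)] = (src, sport)
        return ("accept", HIDE_NAT_ADDRESS, nport)
    return ("accept", src, sport)


def inbound_reply(src, dst, dport, ingress="ie2"):
    """Server -> client packet.  Anti-spoofing on the external interface checks
    the SERVER's source address; the hide-NAT address is only the destination
    and is translated back just after the packet has entered the interface."""
    if not valid_source(ingress, src):
        return ("drop", "anti-spoofing on " + ingress)
    original = NAT_TABLE.get((dst, dport))
    if original is None:
        return ("drop", "no hide-NAT state for " + dst + ":" + str(dport))
    return ("accept",) + original


if __name__ == "__main__":
    # The spoofed packet from the question: 10.10.10.1 arriving on ie2 ("Others").
    print("10.10.10.1 on ie2 valid?", valid_source("ie2", "10.10.10.1"))
    out = outbound_path("10.10.10.1", 40000)
    print("outbound:", out)
    print("reply:", inbound_reply("198.51.100.5", out[1], out[2]))
```

Running it shows 10.10.10.1 rejected on ie2 because it is defined as valid on ie0, while the outbound flow passes anti-spoofing on ie0 with its real source and is only rewritten to the hide-NAT address at egress; the reply from the server passes ie2's "Others" check on the server's address, so the hide-NAT address itself never has to appear in any anti-spoofing group.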