
Re: [FW-1] Anti-Spoofing



> -----Original Message-----
> From: Bourque Daniel [mailto:[email protected]]
> Sent: 17. oktober 2001 02:58
> To: [email protected]
> Subject: [FW-1] Anti-Spoofing

[..]

> Should the anti-spoofing be of type Others+ AntispoofA-ie2
> meaning anything
> but this network AND some specific addresses like the hide NAT address
> included in the antispoof-ie2 group?

No.  Just use "Others".
First of all, "Others" doesn't mean "anything but this net", it means
anything that's not defined on other interfaces.

Second, from what I understand, if you're hide-NATing the
internal network, you don't need to add the address to any anti-spoofing
group.

According to CP,
address translation takes place as follows:
(taken from the manual, SECADMIN.PDF)

* for a packet going from the client to the server,
just before the packet leaves the interface closest to the server.
* for a packet going from the server to the client,
just after the packet enters the interface closest to the server.


The question the anti-spoofing mechanism asks is:
"is this a valid source address for a packet coming in on this interface?"

(with "coming in" meaning "coming from the connected network", not from
other interfaces)

Thus, for the hide-nat, since the source address is not translated
until just before the packet leaves the FW's external if, anti-spoofing
is not affected.


> What happens if a spoofed packet with a source address of
> 10.10.10.1 shows up on
> the ie2 interface?  Since this address is not directly
> connected to the ie0
> interface, does FW1 know that it should drop it as a spoofed packet?

If 10.10.10.1 is listed as a valid source address for any other
interface, then ie2 will see it as a spoofed packet,
if you set ie2 to "Others".


Cheers,
Anders :)

===============================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
===============================================
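To make the two points in the reply concrete (hide-NAT addresses need no anti-spoofing entry because translation happens after the check, and "Others" means "not defined on any other interface"), here is a small Python model of that logic. It is an added example, not code from the thread or from Check Point; the interface names and 10.10.10.0/24 come from the thread, while the hide-NAT address 203.0.113.1 and the server 198.51.100.10 are constructed placeholders.

```python
from ipaddress import ip_address, ip_network

# Constructed topology modelled on the thread: ie0 faces the internal
# 10.10.10.0/24 network, ie2 is the external interface set to "Others".
# The hide-NAT address is an assumed placeholder, not a value from the thread.
INTERFACES = {
    "ie0": [ip_network("10.10.10.0/24")],  # explicitly defined valid sources
    "ie2": "Others",                        # anything not defined elsewhere
}
HIDE_NAT_ADDRESS = ip_address("203.0.113.1")


def is_valid_source(iface: str, src: str) -> bool:
    """The anti-spoofing question: is src a valid source for a packet
    coming in on iface from its directly connected network?"""
    addr = ip_address(src)
    setting = INTERFACES[iface]
    if setting == "Others":
        # Valid unless the address belongs to a net defined on another interface.
        return not any(
            addr in net
            for name, nets in INTERFACES.items()
            if name != iface and nets != "Others"
            for net in nets
        )
    return any(addr in net for net in setting)


def client_to_server(in_iface: str, src: str) -> tuple:
    """Outbound flow: anti-spoofing runs on the inbound interface; hide-NAT
    rewrites the source only just before the packet leaves the external
    interface, so the NAT address never needs an anti-spoofing entry."""
    if not is_valid_source(in_iface, src):
        return ("DROP", src)
    return ("FORWARD", str(HIDE_NAT_ADDRESS))


def server_to_client(in_iface: str, src: str) -> str:
    """Return flow: the check looks at the server's source address; the
    hide-NAT destination is untranslated until after the packet enters."""
    return "FORWARD" if is_valid_source(in_iface, src) else "DROP"
```

Running the functions with a 10.10.10.1 source arriving on ie2 shows the spoof drop, because that net is defined on ie0.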