Re: [FW-1] Anti-Spoofing
Anders's response should have clarified most if not all of your questions. Just to add that, while you don't need to add the hide NAT address to the Others+ group, you do need that for static NAT. Just a reminder.

At 10:52 AM 10/17/01 +0200, you wrote:
>> -----Original Message-----
>> From: Bourque Daniel [mailto:[email protected]]
>> Sent: 17 October 2001 02:58
>> To: [email protected]
>> Subject: [FW-1] Anti-Spoofing
>
>[..]
>
>> Should the anti-spoofing be of type Others+ AntispoofA-ie2, meaning anything
>> but this network AND some specific addresses like the hide NAT address
>> included in the antispoof-ie2 group?
>
>No. Just use "Others".
>First of all, "Others" doesn't mean "anything but this net", it means anything
>that's not defined on other interfaces.
>
>Second, from what I understand, if you're hide-NATing the
>internal network, you don't need to add the address to any anti-spoofing
>group.
>
>According to CP, address translation takes place as follows:
>(taken from the manual, SECADMIN.PDF)
>
>* for a packet going from the client to the server,
>  just before the packet leaves the interface closest to the server.
>* for a packet going from the server to the client,
>  just after the packet enters the interface closest to the server.
>
>The question the anti-spoofing mechanism asks is:
>"is this a valid source address for a packet coming in on this interface?"
>
>(with "coming in" meaning "coming from the connected network", not from
>other interfaces)
>
>Thus, for the hide NAT, since the source address is not translated
>until just before the packet leaves the FW's external if, anti-spoofing
>is not affected.
>
>> What happens if a spoofed packet with a source address of 10.10.10.1 shows up on
>> the ie2 interface? Since this address is not directly connected to the ie0
>> interface, does FW1 know that it should drop it as a spoofed packet?
>If 10.10.10.1 is listed as a valid source address for any other
>interface, then ie2 will see it as a spoofed packet,
>if you set ie2 to "Others".
>
>Cheers,
>Anders :)
>
>===============================================
>To unsubscribe from this mailing list,
>please see the instructions at
>http://www.checkpoint.com/services/mailing.html
>===============================================
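The two points argued in the thread above, as a small executable model added here (it is not Check Point code and does not reproduce FireWall-1 internals): (1) an interface set to "Others" accepts any source address that no other interface claims, so 10.10.10.1 arriving on ie2 is dropped because ie0 claims it, and "Others+" is the same rule plus an explicit group; (2) the inbound anti-spoofing check runs before hide NAT, which only rewrites the source as the packet leaves the external interface, so the hide NAT address never has to be in an anti-spoofing group. The interface names ie0/ie2 and the probe address 10.10.10.1 come from the thread; the prefixes, the ie1 interface and the hide NAT address 203.0.113.5 are assumptions made for the example.

```python
import ipaddress

# Constructed topology (assumption, not from the thread): ie0 = internal
# network, ie1 = DMZ, ie2 = external. Only ie0, ie2 and 10.10.10.1 appear in
# the thread; the prefixes below are made up for the example.
INTERFACES = {
    "ie0": {"mode": "network", "nets": ["10.10.10.0/24"]},
    "ie1": {"mode": "network", "nets": ["192.168.50.0/24"]},
    # "Others": valid sources are whatever no other interface claims.
    "ie2": {"mode": "others", "nets": []},
}

# Assumption: the address the internal net is hidden behind (RFC 5737 range).
HIDE_NAT_ADDRESS = "203.0.113.5"


def _nets(ifname):
    return [ipaddress.ip_network(n) for n in INTERFACES[ifname]["nets"]]


def _claimed_elsewhere(ifname, src):
    """True if an interface other than ifname lists src as a valid source."""
    for other, cfg in INTERFACES.items():
        if other == ifname or cfg["mode"] != "network":
            continue
        if any(src in n for n in _nets(other)):
            return True
    return False


def is_valid_source(ifname, src):
    """The anti-spoofing question: is src a legitimate source for a packet
    arriving on ifname from its directly connected network?"""
    src = ipaddress.ip_address(src)
    mode = INTERFACES[ifname]["mode"]
    if mode == "network":
        return any(src in n for n in _nets(ifname))
    # "Others+": the explicit group is always accepted ...
    if mode == "others_plus" and any(src in n for n in _nets(ifname)):
        return True
    # ... and both "Others" and "Others+" accept anything not claimed elsewhere.
    return not _claimed_elsewhere(ifname, src)


def antispoof_verdict(ifname, src):
    return "accept" if is_valid_source(ifname, src) else "drop (spoofed)"


def forward(ingress_if, egress_if, src):
    """Inbound anti-spoofing first; hide NAT only as the packet leaves ie2.
    Returns (verdict, source address seen on the wire after egress)."""
    if not is_valid_source(ingress_if, src):
        return "drop (spoofed)", None
    out_src = src
    if egress_if == "ie2" and any(ipaddress.ip_address(src) in n for n in _nets("ie0")):
        out_src = HIDE_NAT_ADDRESS  # translated just before leaving the external if
    return "accept", out_src


if __name__ == "__main__":
    # Daniel's question: 10.10.10.1 arriving on ie2, which is set to "Others".
    print("ie2 <- 10.10.10.1:", antispoof_verdict("ie2", "10.10.10.1"))
    # A genuinely external source on ie2 is fine.
    print("ie2 <- 198.51.100.9:", antispoof_verdict("ie2", "198.51.100.9"))
    # Internal host going out: checked as 10.10.10.7 on ie0, hidden only at ie2.
    print("ie0 -> ie2 from 10.10.10.7:", forward("ie0", "ie2", "10.10.10.7"))
```

Because the check is made on the untranslated source at the ingress interface, the hide NAT address is never a source on any inbound check, which is why `is_valid_source("ie2", HIDE_NAT_ADDRESS)` holds without adding it to any group; the static NAT case the reply mentions is not modelled here.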