
Re: [FW-1] Anti-Spoofing



Anders's response should have clarified most, if not all, of your questions.
Just to add that, while you don't need to add the hide NAT address to the Others+
group, you do need to for static NAT.  Just a reminder.

At 10:52 AM 10/17/01 +0200, you wrote:
>> -----Original Message-----
>> From: Bourque Daniel [mailto:[email protected]]
>> Sent: 17 October 2001 02:58
>> To: [email protected]
>> Subject: [FW-1] Anti-Spoofing
>
>[..]
>
>> Should the anti-spoofing be of type Others+ AntispoofA-ie2
>> meaning anything
>> but this network AND some specific addresses like the hide NAT address
>> included in the antispoof-ie2 group?
>
>No.  Just use "Others".
>First of all, "Others" doesn't mean "anything but this net", it means
>anything
>that's not defined on other interfaces.
>
>Second, from what I understand, if you're hide-NATing the
>internal network, you don't need to add the address to any anti-spoofing
>group.
>
>According to CP,
>address translation takes place as follows:
>(taken from the manual, SECADMIN.PDF)
>
>* for a packet going from the client to the server,
>just before the packet leaves the interface closest to the server.
>* for a packet going from the server to the client,
>just after the packet enters the interface closest to the server.
>
>
>The question the anti-spoofing mechanism asks is:
>"is this a valid source address for a packet coming in on this interface?"
>
>(with "coming in" meaning "coming from the connected network", not from
>other interfaces)
>
>Thus, for the hide-nat, since the source address is not translated
>until just before the packet leaves the FW's external if, anti-spoofing
>is not affected.
>
>
>> What happens if a spoofed packet with a source address of
>> 10.10.10.1 shows up on
>> the ie2 interface?  Since this address is not directly
>> connected to the ie0
>> interface, does FW1 know that it should drop it as a spoof packet?
>
>If 10.10.10.1 is listed as a valid source address for any other
>interface, then ie2 will see it as a spoofed packet,
>if you set ie2 to "Others".
>
>
>Cheers,
>Anders :)
>

===============================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
===============================================
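As an added illustration of the anti-spoofing logic Anders describes (not code from the thread, nor Check Point's own): a small Python model of the "Others" semantics and of the check-then-translate ordering for hide NAT. The interface names, the networks behind them and the hide NAT address are constructed assumptions.

```python
from ipaddress import ip_address, ip_network

# Constructed topology (assumption): ie0 = internal net, ie1 = DMZ,
# ie2 = external interface with anti-spoofing set to "Others".
# "Others" means: any source address not defined on some other interface.
INTERFACES = {
    "ie0": [ip_network("10.10.10.0/24")],
    "ie1": [ip_network("192.168.50.0/24")],
    "ie2": "Others",
}
OUTSIDE_IF = "ie2"
INTERNAL_NET = ip_network("10.10.10.0/24")
HIDE_NAT_ADDR = ip_address("203.0.113.10")   # constructed, documentation range


def valid_source(iface, src):
    """The question anti-spoofing asks: is `src` a valid source address for
    a packet arriving on `iface` from its connected network?"""
    src = ip_address(src)
    spec = INTERFACES[iface]
    if spec == "Others":
        # Valid unless some *other* interface explicitly claims the address.
        return not any(
            src in net
            for other, nets in INTERFACES.items()
            if other != iface and nets != "Others"
            for net in nets
        )
    return any(src in net for net in spec)


def forward(in_iface, src):
    """Anti-spoofing runs on the untranslated source as the packet enters;
    hide NAT rewrites the source only as the packet leaves the outside
    interface. Returns (verdict, source seen on the wire after egress)."""
    src = ip_address(src)
    if not valid_source(in_iface, src):
        return ("DROP", None)
    if in_iface != OUTSIDE_IF and src in INTERNAL_NET:
        return ("ACCEPT", str(HIDE_NAT_ADDR))
    return ("ACCEPT", str(src))
```

Because the check sees the real 10.10.10.x address before translation, the hide NAT address never needs to appear in any anti-spoofing group, while 10.10.10.1 arriving on ie2 is dropped because ie0 already claims that network.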