
Re: [FW-1] anti spoof rules



> -----Original Message-----
> From: Noor Azman Wahid [mailto:[email protected]]
> Sent: 13. november 2001 00:49

> I am a newbie, please help me to create an anti-spoof rule.
> Any help is welcome.


Hmm... well, normally I'd just say: check the archives,
since this has been answered many times.

However, both archives I knew about seem to be gone...
Anyone know if there are any archives left out there?
Can't find an archive at either SecurityFocus or Securepoint.

Anyway, anti-spoofing:

FW-1 will create anti-spoofing rules for you, based on the
settings you specify in the properties for each interface on
the FW-object.


The basic rules are:

1) Set every internal, or DMZ, interface to: "This Net"

This means that any address that belongs to the same
subnet as the interface IP is regarded as
a. a valid source address for packets coming from that network.
b. an invalid source address for packets coming from other networks.
c. a valid destination address for packets coming from other networks.

(Actually, I'm not sure about c. Did I just make that up? Please correct me
if my assumption is wrong.)

2) Set the external interface to: "Others"

This means that the firewall will accept incoming packets FROM, and outgoing
packets TO, any address that wasn't specified in the anti-spoofing settings
on any other interface.


The next step is to add support for NAT.
For NAT to work, you must also include the valid addresses
on each internal interface. Create a group containing all the addresses you
want to allow on the interface. This group must contain the interface's own
network, plus any valid NAT addresses for the interface.

The settings this time will be:

External IF:  Others
Internal IF:  Specific (specify the group you created)


That's as far as I remember, anyway... see chapter 4 in SECADMIN.PDF,
the section about "valid addresses".

Cheers,
Anders :)


===============================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
===============================================
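The three interface settings described in the message above ("This Net", "Others" and "Specific" with a group that includes the NAT addresses) amount to a per-interface source-address check. The following is an added example, not code from the original post or from Check Point: it models that check in plain Python so you can see which packets each setting would accept or reject. The interface names, IP ranges and the NAT address 203.0.113.50 are constructed sample values, and the "Others" rule is implemented as "valid if no other interface claims the address", which is how the message describes it.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Interface:
    """One firewall interface and its anti-spoofing topology setting."""
    name: str
    address: str                 # interface IP with prefix, e.g. "10.1.1.1/24"
    topology: str                # "this_net", "others" or "specific"
    specific: list = field(default_factory=list)  # networks/hosts for "specific"


def valid_addresses(iface):
    """Networks regarded as valid sources behind this interface.

    "this_net"  -> the subnet of the interface IP itself
    "specific"  -> the explicit group (own network plus NAT addresses)
    "others"    -> has no explicit list; it is defined by exclusion
    """
    if iface.topology == "this_net":
        return [ipaddress.ip_interface(iface.address).network]
    if iface.topology == "specific":
        return [ipaddress.ip_network(n) for n in iface.specific]
    raise ValueError("'others' is defined by exclusion, not by a list")


def claimed_by(interfaces, src):
    """Names of non-'others' interfaces whose valid-address set contains src."""
    return [i.name for i in interfaces
            if i.topology != "others"
            and any(src in net for net in valid_addresses(i))]


def source_allowed(interfaces, in_iface_name, src):
    """Anti-spoofing decision for a packet with source src arriving on in_iface_name."""
    src = ipaddress.ip_address(src)
    iface = next(i for i in interfaces if i.name == in_iface_name)
    if iface.topology in ("this_net", "specific"):
        # valid only if the source sits in this interface's own valid set
        return any(src in net for net in valid_addresses(iface))
    # "others": valid only if no other interface claims the address
    return not claimed_by(interfaces, src)


def antispoof_table(interfaces):
    """The implied per-interface valid-address table, as FW-1 would derive it."""
    table = {}
    for i in interfaces:
        if i.topology == "others":
            excluded = [str(n) for o in interfaces if o.topology != "others"
                        for n in valid_addresses(o)]
            table[i.name] = "any address not in: " + ", ".join(excluded)
        else:
            table[i.name] = ", ".join(str(n) for n in valid_addresses(i))
    return table


# Constructed sample topology (assumed values, not from the original post):
# eth0 external (Others), eth1 internal (This Net),
# eth2 DMZ (Specific: own network plus a static-NAT public address).
IFACES = [
    Interface("eth0", "203.0.113.1/24", "others"),
    Interface("eth1", "10.1.1.1/24", "this_net"),
    Interface("eth2", "192.168.10.1/24", "specific",
              ["192.168.10.0/24", "203.0.113.50/32"]),
]


if __name__ == "__main__":
    for name, valid in antispoof_table(IFACES).items():
        print(f"{name}: {valid}")
    for iface, src in [("eth1", "10.1.1.7"), ("eth0", "10.1.1.7"),
                       ("eth0", "198.51.100.9"), ("eth2", "203.0.113.50"),
                       ("eth0", "203.0.113.50"), ("eth1", "192.168.10.5")]:
        print(f"{src} on {iface}: {'accept' if source_allowed(IFACES, iface, src) else 'DROP'}")
```

Note what the NAT entry does: once 203.0.113.50 is in eth2's group, a packet with that source is accepted on the DMZ interface but dropped as spoofed on the external interface, which is why the message insists the group must list every address the interface is allowed to originate.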
   All contents © 2004 Network Presence, LLC. All rights reserved.