Re: [FW-1] anti spoof rules
> -----Original Message-----
> From: Noor Azman Wahid [mailto:[email protected]]
> Sent: 13. november 2001 00:49
>
> I am a newbie, please help me to create an anti-spoof rule.
> Any help is welcome.

Hmm.. well, normally I'd just say: check the archives, since this has been answered many times. However, both archives I knew about seem to be gone.... Anyone know if there are any archives left out there? Can't find an archive at either Securityfocus or Securepoint.

Anyway, anti-spoofing: FW-1 will create anti-spoofing rules for you, based on the settings you specify in the properties for each interface on the FW-object. The basic rules are:

1) Set every internal, or DMZ, interface to: "This Net"

   This means that any address that belongs to the same subnet as the interface IP is regarded as
   a. a valid source address for packets coming from that network,
   b. an invalid source address for packets coming from other networks,
   c. a valid destination address for packets coming from other networks.
   (Actually, I'm not sure about c. Did I just make that up? Please correct me if my assumption is wrong.)

2) Set the external interface to: "Others"

   This means that the firewall will accept incoming packets FROM, and outgoing packets TO, any address that wasn't specified in the anti-spoofing settings on any other interface.

The next step is to add support for NAT. For NAT to work, you must also include the valid addresses on each internal interface. Create a group containing all the addresses you want to allow on the interface. This group must contain the interface's own network, plus any valid NAT-addresses for the interface. The settings this time will be:

External IF: Others
Internal IF: Specific (specify the group you created)

That's as far as I remember, anyway ... see chapter 4 in SECADMIN.PDF, the section about "valid addresses".

Cheers,
Anders :)
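A small model of the three interface settings Anders describes ("This Net", "Others", "Specific" with a group holding the interface's own network plus NAT addresses), as an added example that is not part of the original post or of FW-1 itself. The interface names, addresses and the static-NAT address are constructed, and the check only decides whether a packet's source is valid for the interface it arrives on.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed model of the FW-1 per-interface anti-spoofing settings from the post.
# mode: "this_net" (own subnet), "others" (everything not listed on another interface),
#       "specific" (a hand-made group, e.g. own net plus NAT addresses).
@dataclass
class Interface:
    name: str
    address: str                                # interface IP with prefix, e.g. "192.168.1.1/24"
    mode: str                                   # "this_net" | "others" | "specific"
    group: list = field(default_factory=list)   # networks for mode "specific"

def valid_sources(ifaces):
    """Explicit valid-source networks per interface ('others' has no explicit list)."""
    table = {}
    for i in ifaces:
        if i.mode == "this_net":
            table[i.name] = [ipaddress.ip_interface(i.address).network]
        elif i.mode == "specific":
            table[i.name] = [ipaddress.ip_network(n) for n in i.group]
    return table

def anti_spoof(ifaces, in_iface, src_ip):
    """Return 'accept' or 'drop' for a packet with source src_ip arriving on in_iface."""
    src = ipaddress.ip_address(src_ip)
    table = valid_sources(ifaces)
    iface = next(i for i in ifaces if i.name == in_iface)
    if iface.mode == "others":
        # Others: valid only if no other interface's setting claims this source address
        claimed = any(src in n for nets in table.values() for n in nets)
        return "drop" if claimed else "accept"
    return "accept" if any(src in n for n in table[in_iface]) else "drop"

# Constructed topology: external on eth0 ("Others"), internal LAN on eth1 ("This Net"),
# DMZ on eth2 ("Specific": own net plus a hypothetical static-NAT address 203.0.113.50).
IFACES = [
    Interface("eth0", "203.0.113.1/24", "others"),
    Interface("eth1", "192.168.1.1/24", "this_net"),
    Interface("eth2", "10.0.0.1/24", "specific", ["10.0.0.0/24", "203.0.113.50/32"]),
]

if __name__ == "__main__":
    for iface, src in [("eth0", "198.51.100.7"), ("eth0", "192.168.1.5"),
                       ("eth1", "10.0.0.9"), ("eth2", "203.0.113.50")]:
        print(iface, src, anti_spoof(IFACES, iface, src))
```

The second and third sample packets are dropped because their source belongs to a network that another interface declared as its own, which is exactly the spoof case the settings exist to catch.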