
[FW-1] AW: [FW-1] anti spoof rules



You can find the archives at:

http://msgs.securepoint.com/cgi-bin/get/fw1-current.html
http://www.shmoo.com/mail/fw1/

Kind regards


Michael Süß
Security Admin

STEAG  AG
mailto:[email protected]



> ----------
> From:  Reed Mohn, Anders[SMTP:[email protected]]
> Reply to:     Mailing list for discussion of Firewall-1
> Sent:         Tuesday, November 13, 2001 12:03 PM
> To:    [email protected]
> Subject:      Re: [FW-1] anti spoof rules
>
> > -----Original Message-----
> > From: Noor Azman Wahid [mailto:[email protected]]
> > Sent: 13. november 2001 00:49
>
> > I am a newbie, pls help me to create an anti-spoof rule.
> > Any help is welcome.
>
>
> Hmm.. well, normally I'd just say:  Check the archives,
> since this has been answered many times.
>
> However, both archives I knew about seem to be gone....
> Anyone know if there are any archives left out there?
> Can't find an archive at either Securityfocus or Securepoint.
>
> Anyway, anti-spoofing:
>
> FW-1 will create anti-spoofing rules for you, based on the
> settings you specify in the properties for each interface on
> the FW-object.
>
>
> The basic rules are:
>
> 1)
> Set every internal, or DMZ, interface to:  "This Net"
> This means that any address that belongs to the same
> subnet as the interface IP, is regarded as
> a. a valid source address for packets coming from that network.
> b. an invalid source address for packets coming from other networks
> c. a valid destination address for packets coming from other networks
>
> (actually, I'm not sure about c. Did I just make that up? pls. correct me
> if my assumption is wrong.)
>
> 2)
> Set the external interface to: "Others"
>
> This means that the firewall will accept incoming packets FROM, and
> outgoing packets TO, any address that wasn't specified in the
> anti-spoofing settings on any other interface.
>
>
> The next step is to add support for NAT.
> For NAT to work, you must also include the valid addresses
> on each internal interface. Create a group containing all the addresses
> you want to allow on the interface. This group must contain the
> interface's own network, plus any valid NAT-addresses for the interface.
>
> The settings this time will be:
>
> External IF:  Others
> Internal IF:  Specific (specify the group you created)
>
>
> That's as far as I remember, anyway ... see chapter 4 in SECADMIN.PDF,
> the section about "valid addresses".
>
> Cheers,
> Anders :)
>
> >
>
> ===============================================
> To unsubscribe from this mailing list,
> please see the instructions at
> http://www.checkpoint.com/services/mailing.html
> ===============================================
>
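
The interface settings described in the quoted reply ("This Net", "Others", "Specific"), as a small Python model. This is an added example, not part of the original thread and not FW-1's own implementation; the interface names, addresses, NAT range and function names are all constructed for illustration.

```python
import ipaddress

def valid_nets(iface):
    """Networks an interface setting lists as valid ('others' lists none itself)."""
    if iface["mode"] == "this_net":
        return [ipaddress.ip_interface(iface["ip"]).network]
    if iface["mode"] == "specific":
        return [ipaddress.ip_network(n) for n in iface["group"]]
    return []

def valid_on(config, name, addr):
    """True if addr counts as a valid address for interface `name`."""
    ip = ipaddress.ip_address(addr)
    if config[name]["mode"] == "others":
        # "Others": valid only if no other interface's setting covers the address.
        return not any(ip in net for other, iface in config.items()
                       if other != name for net in valid_nets(iface))
    return any(ip in net for net in valid_nets(config[name]))

def spoofed(config, packets):
    """Return the (interface, source) pairs whose source is not valid there."""
    return [(i, s) for i, s in packets if not valid_on(config, i, s)]

# Constructed sample topology (private and documentation address ranges).
BASIC = {
    "internal": {"ip": "10.1.0.1/24", "mode": "this_net"},
    "dmz": {"ip": "192.168.50.1/24", "mode": "this_net"},
    "external": {"ip": "198.51.100.1/24", "mode": "others"},
}
# Same firewall after the NAT step: dmz lists its own net plus its NAT addresses.
WITH_NAT = dict(BASIC, dmz={"ip": "192.168.50.1/24", "mode": "specific",
                            "group": ["192.168.50.0/24", "203.0.113.16/29"]})

PACKETS = [  # constructed (arrival interface, source address) pairs
    ("internal", "10.1.0.5"),       # internal host on its own interface
    ("external", "10.1.0.5"),       # internal address arriving from outside
    ("external", "198.51.100.77"),  # address not listed on any other interface
    ("dmz", "203.0.113.17"),        # NAT address assigned to the dmz
]

if __name__ == "__main__":
    for label, cfg in (("basic", BASIC), ("with NAT group", WITH_NAT)):
        print(label, "->", spoofed(cfg, PACKETS))
```

With only "This Net" on the dmz, the NAT address is rejected there and falls under "Others" on the external interface; adding it to the "Specific" group reverses both results.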

   All contents © 2004 Network Presence, LLC. All rights reserved.