[FW-1] AW: [FW-1] anti spoof rules
You can find the archives at:
http://msgs.securepoint.com/cgi-bin/get/fw1-current.html
http://www.shmoo.com/mail/fw1/

Kind regards
Michael Süß
Security Admin
STEAG AG
mailto:[email protected]

> ----------
> From: Reed Mohn, Anders[SMTP:[email protected]]
> Reply to: Mailing list for discussion of Firewall-1
> Sent: Tuesday, November 13, 2001 12:03 PM
> To: [email protected]
> Subject: Re: [FW-1] anti spoof rules
>
> > -----Original Message-----
> > From: Noor Azman Wahid [mailto:[email protected]]
> > Sent: 13 November 2001 00:49
> >
> > I am a newbie, please help me to create an anti-spoof rule.
> > Any help is welcome.
>
> Hmm.. well, normally I'd just say: check the archives,
> since this has been answered many times.
>
> However, both archives I knew about seem to be gone....
> Anyone know if there are any archives left out there?
> Can't find an archive at either Securityfocus or Securepoint.
>
> Anyway, anti-spoofing:
>
> FW-1 will create anti-spoofing rules for you, based on the
> settings you specify in the properties for each interface on
> the FW-object.
>
> The basic rules are:
>
> 1)
> Set every internal, or DMZ, interface to: "This Net"
> This means that any address that belongs to the same
> subnet as the interface IP is regarded as
> a. a valid source address for packets coming from that network.
> b. an invalid source address for packets coming from other networks.
> c. a valid destination address for packets coming from other networks.
>
> (actually, I'm not sure about c. Did I just make that up? Please correct me
> if my assumption is wrong.)
>
> 2)
> Set the external interface to: "Others"
>
> This means that the firewall will accept incoming packets FROM, and outgoing
> packets TO, any address that wasn't specified in the anti-spoofing settings
> on any other interface.
>
> The next step is to add support for NAT.
> For NAT to work, you must also include the valid addresses
> on each internal interface. Create a group containing all the addresses you
> want to allow on the interface. This group must contain the interface's own
> network, plus any valid NAT-addresses for the interface.
>
> The settings this time will be:
>
> External IF: Others
> Internal IF: Specific (specify the group you created)
>
> That's as far as I remember, anyway ... see chapter 4 in SECADMIN.PDF,
> the section about "valid addresses".
>
> Cheers,
> Anders :)
>
> ===============================================
> To unsubscribe from this mailing list,
> please see the instructions at
> http://www.checkpoint.com/services/mailing.html
> ===============================================
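To make the three interface settings described in Anders' reply concrete, here is a small model of the anti-spoofing decision in Python. It is an added example for this archive page, not Check Point code and not how FW-1 implements the check internally: it only encodes the rules as the post states them. "This Net" accepts sources from the interface's own subnet, "Specific" accepts sources from a group (own net plus NAT addresses), and "Others" accepts any source not claimed by another interface. The topology, interface names and addresses are constructed for illustration; the destination-address rule (Anders' uncertain point c) is deliberately not modelled.

```python
import ipaddress
from typing import List, Optional, Tuple

# Constructed topology for a hypothetical FW-1 gateway (not a real site):
#   eth0 - external, set to "Others"
#   eth1 - internal, set to "This Net"
#   eth2 - DMZ, set to "Specific" with a group of own net + NAT addresses
INTERFACES = {
    "eth0": {"ip": "203.0.113.1/24", "mode": "others"},
    "eth1": {"ip": "10.1.0.1/24", "mode": "this_net"},
    "eth2": {
        "ip": "10.2.0.1/24",
        "mode": "specific",
        # The "Specific" group: the interface's own network plus the public
        # NAT addresses that hosts behind this interface are translated to.
        "group": ["10.2.0.0/24", "203.0.113.100/32", "203.0.113.101/32"],
    },
}


def valid_sources(iface: str) -> Optional[List[ipaddress.IPv4Network]]:
    """Networks regarded as valid source addresses on `iface`.

    Returns None for an "Others" interface, whose valid set is defined by
    exclusion (everything not claimed by some other interface).
    """
    cfg = INTERFACES[iface]
    if cfg["mode"] == "this_net":
        # "This Net": exactly the subnet the interface IP belongs to.
        return [ipaddress.ip_interface(cfg["ip"]).network]
    if cfg["mode"] == "specific":
        # "Specific": the administrator-defined group.
        return [ipaddress.ip_network(n) for n in cfg["group"]]
    return None


def is_spoofed(iface: str, src: str) -> bool:
    """True if a packet with source `src` arriving on `iface` fails anti-spoofing."""
    addr = ipaddress.ip_address(src)
    nets = valid_sources(iface)
    if nets is not None:
        # Explicit valid set: the source must fall inside it.
        return not any(addr in n for n in nets)
    # "Others": valid unless the address belongs to another interface's valid set.
    for other in INTERFACES:
        if other == iface:
            continue
        other_nets = valid_sources(other)
        if other_nets and any(addr in n for n in other_nets):
            return True
    return False


def classify(packets: List[Tuple[str, str]]) -> List[Tuple[str, str, str]]:
    """Label each (interface, source) pair as 'ok' or 'spoofed'."""
    return [(i, s, "spoofed" if is_spoofed(i, s) else "ok") for i, s in packets]


if __name__ == "__main__":
    # Constructed sample traffic: the last two are the classic spoof cases,
    # an internal source address arriving on the external interface, and a
    # NAT address (claimed by eth2's group) arriving from outside.
    sample = [
        ("eth1", "10.1.0.55"),
        ("eth2", "203.0.113.100"),
        ("eth0", "198.51.100.7"),
        ("eth0", "10.1.0.55"),
        ("eth0", "203.0.113.100"),
    ]
    for iface, src, verdict in classify(sample):
        print(f"{iface:5} src={src:16} {verdict}")
```

Note that once the NAT addresses are placed in eth2's "Specific" group, the "Others" setting on eth0 automatically treats them as invalid sources from the outside, which is exactly why the post says the NAT group must be maintained on the internal interface rather than on the external one.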