[FW-1] anti-spoofing activity
Hi there, I need some help. Can anyone tell me about the unreasonable activity of the anti-spoofing configuration of FW-1 v.4.1 SP5? I have developed the firewall environment with StoneBeat FullCluster v.2.0 on SPARC Solaris 7, and the environment is briefly described below:

                     Test Machine A
                           |
       ------------------------------------------------
       |                   external                   |
     <if#1>                                         <if#2>
    |FW-1/SBFC_1|-----------------------------|FW-1/SBFC_2|
     <if#3>                                         <if#4>
       |                   internal                   |
       ------------------------------------------------

    # if=interface

The problem is that the anti-spoofing rule (rule 0) drops ping from Test Machine A to "FW-1/SBFC_1"'s internal network interface. Ping to both interfaces of "FW-1/SBFC_2" is no problem, though they have the same policy. The FW-1 management module is on "FW-1/SBFC_1" so that both FW-1s use the same rule base. I made sure of the rule base synchronization of both FWs.

[Policy Tab]
The policy is exactly correct: "accept echo-request" from machine A to both interfaces of the two FWs, and "accept echo-reply" from both interfaces of the two FWs to Test Machine A.

[NAT]
No NAT rule is used.

[Property]
# Access list tab: "icmp accepted"
# Implied rule tab: "accept icmp" check box is denied (unchecked).

[Anti-spoofing]
The anti-spoofing policy of both "if#3" and "if#4" was "this net".

Here is the issue about the ping results from machine A:
-- Ping to "if#3", which is the other side of interface of machine "FW-1/SBFC_1", always failed.
-- Ping to "if#4", which is the other side of interface of machine "FW-1/SBFC_2", always succeeded.

Also, pings to the cluster IP addresses of both (front and back) sides always succeeded. In other words, only the ping to "FW-1/SBFC_1"'s internal interface always failed, though the policy is the same on both gateways. Actually, a couple of servers are behind the FWs, and pings to them all succeeded. Then I set the anti-spoofing rule back to "any" on "FW-1/SBFC_1"'s internal interface, and the ping to it succeeded.
Now I have no idea how to explain this problem to my client. Can anyone tell me how this error occurs, and some solutions for it, please?

Thanks in advance

Keigo Hanaoka <[email protected]>
Infrastructure Development Group
Network Solution Div./System Integration Dept
LAC Co.,Ltd. <http://www.lac.co.jp> <http://www.lac.co.jp/security/english/index.html>
Phone +81-3-5531-0394/Fax +81-3-5531-0395
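As an added illustration (not code from the post, from Check Point, or from StoneBeat), the following models the rule-0 anti-spoofing decision the post is about: with "this net" a packet is accepted on an interface only if its source address belongs to that interface's own subnet, while "any" switches the check off for that interface. The subnets, Test Machine A's address, the interface table and the function names are all constructed assumptions; the real FW-1 implementation is not reproduced.

```python
import ipaddress

ANY, THIS_NET = "any", "this net"

# Constructed addressing (not in the post): external side 192.0.2.0/24,
# internal side 198.51.100.0/24, Test Machine A on the external side.
TEST_MACHINE_A = "192.0.2.10"
INTERFACES = {
    "if#1": {"net": "192.0.2.0/24",    "spoof": THIS_NET},  # FW-1/SBFC_1, external
    "if#2": {"net": "192.0.2.0/24",    "spoof": THIS_NET},  # FW-1/SBFC_2, external
    "if#3": {"net": "198.51.100.0/24", "spoof": THIS_NET},  # FW-1/SBFC_1, internal
    "if#4": {"net": "198.51.100.0/24", "spoof": THIS_NET},  # FW-1/SBFC_2, internal
}


def rule0_check(ingress_if, src, interfaces=INTERFACES):
    """Simplified rule-0 decision for one packet: with 'this net' the packet is
    accepted only if its source lies inside the ingress interface's own subnet;
    'any' skips the check entirely (the workaround in the post, which also
    removes the spoofing protection on that interface)."""
    cfg = interfaces[ingress_if]
    if cfg["spoof"] == ANY:
        return True, "anti-spoofing off on %s" % ingress_if
    net = ipaddress.ip_network(cfg["net"])
    if ipaddress.ip_address(src) in net:
        return True, "%s valid on %s (%s)" % (src, ingress_if, net)
    return False, "rule 0 drop: %s not valid on %s (%s)" % (src, ingress_if, net)


def echo_request_outcomes(src=TEST_MACHINE_A, interfaces=INTERFACES):
    """Evaluate the same echo-request from Test Machine A as if it entered each
    interface; returns {interface: accepted}. An external source address that
    shows up on an internal-side interface is exactly what rule 0 drops."""
    return {name: rule0_check(name, src, interfaces)[0] for name in interfaces}


if __name__ == "__main__":
    print("with 'this net' everywhere:", echo_request_outcomes())
    relaxed = {k: dict(v) for k, v in INTERFACES.items()}
    relaxed["if#3"]["spoof"] = ANY  # the post's workaround on FW-1/SBFC_1's internal side
    print("with if#3 set to 'any':   ", echo_request_outcomes(interfaces=relaxed))
```

Comparing the two printed results shows why relaxing if#3 to "any" makes the ping succeed: the packet is no longer checked against the internal subnet on that interface, so the drop is masked rather than explained.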