Search

	display results
words begin exact words any words part

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [FW-1] Anti-Spoofing and ARP'd/NAT'd hosts

To: [email protected]
Subject: Re: [FW-1] Anti-Spoofing and ARP'd/NAT'd hosts
From: "Reed Mohn, Anders" <[email protected]>
Date: Wed, 28 Nov 2001 13:27:19 +0100
Reply-to: Mailing list for discussion of Firewall-1 <[email protected]>
Sender: Mailing list for discussion of Firewall-1 <[email protected]>

> -----Original Message-----
> From: Steve Loughran [mailto:[email protected]]
> Sent: 28. november 2001 12:58
> To: [email protected]
> Subject: [FW-1] Anti-Spoofing and ARP'd/NAT'd hosts
>
>
> Hi all
>

> now, from what I can see, for the ARP'd/NAT'd DMZ hosts I
> have to change the
> external interface anti-spoof setup to be:
>
>     External - Others + <a group with the ARP'd/NAT'd addresses>


No, you include the NAT-addresses in the DMZ anti spoofing settings.

As I understood it from a previous discussion on the list, NAT is the
last thing that happens before the packet is releast on to the DMZ
network.
Thus, the NAT-address must be valid for that interface to pass the
spoofing check.

Cheers,
Anders :)

===============================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
===============================================

Follow-Ups:
- Re: [FW-1] Anti-Spoofing and ARP'd/NAT'd hosts
  - From: Steve Loughran <[email protected]>

Prev by Date: [FW-1] Anti-Spoofing and ARP'd/NAT'd hosts
Next by Date: [FW-1] FW: [FW-1] SecureClient and NAT at Client end
Previous by thread: [FW-1] Anti-Spoofing and ARP'd/NAT'd hosts
Next by thread: Re: [FW-1] Anti-Spoofing and ARP'd/NAT'd hosts
Index(es):
- Date
- Thread