[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] Re: [FW-1] anti-spoofing clarification
:: Thanks for the input so far. I probably should have specified a bit more :: clearly that there are networks other than my own who need access to the DNS :: server, so I do not think I can use THIS NET for the DMZ interface... unless :: I am still not understanding this correctly.. The anti-spoofing rules, if setup the way I outlined, shouldn't prevent legit users from using the services on any of those networks. That's what the rulebase is for. Anti-spoofing/valid addresses merely dictate what IP's are valid for packets that are trying to traverse that interface. For example, Internet | | | Int#1 FW-1 Int#2----- DMZ (1.2.3.0/24) | | | Int#3 Intranet (10.0.0.0/8) In this setup, installing anti-spoofing rules as I mentioned in my earlier message would prevent any packets in the 10.0.0.0/8 address space from originating anywhere except off of #3 interface. So, if someone from the Internet was trying to perform a spoofing attack on your webserver, for example, claiming to come from 10.2.3.44/32, your FW would reject them because 10/8 addresses are only valid when coming from Int#3. Is this a bit more clear? Cheers - Erick ================================================= To set vacation, Out Of Office, or away messages, send an email to [email protected] in the BODY of the email add: set fw-1-mailinglist nomail ================================================= To unsubscribe from this mailing list, please see the instructions at http://www.checkpoint.com/services/mailing.html ================================================= If you have any questions on how to change your subscription options, email [email protected] =================================================
|