| |
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [FW-1] anti-spoofing clarification
:: Thanks for the input so far. I probably should have specified a bit more
:: clearly that there are networks other than my own who need access to the DNS
:: server, so I do not think I can use THIS NET for the DMZ interface... unless
:: I am still not understanding this correctly..
The anti-spoofing rules, if setup the way I outlined, shouldn't prevent
legit users from using the services on any of those networks. That's what
the rulebase is for. Anti-spoofing/valid addresses merely dictate what
IP's are valid for packets that are trying to traverse that interface.
For example,
Internet
|
|
|
Int#1
FW-1 Int#2----- DMZ (1.2.3.0/24)
|
|
|
Int#3
Intranet
(10.0.0.0/8)
In this setup, installing anti-spoofing rules as I mentioned in my earlier
message would prevent any packets in the 10.0.0.0/8 address space from
originating anywhere except off of #3 interface. So, if someone from the
Internet was trying to perform a spoofing attack on your webserver, for
example, claiming to come from 10.2.3.44/32, your FW would reject them
because 10/8 addresses are only valid when coming from Int#3.
Is this a bit more clear?
Cheers - Erick
=================================================
To set vacation, Out Of Office, or away messages,
send an email to [email protected]
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
[email protected]
=================================================
|
|
