
Re: [FW-1] AW: [FW-1] NAT and anti-spoofing



In CP2000, the anti-spoofing check is performed on the
Source IP of packet inbound to the firewall and on the
Destination IP of packet outbound from the firewall.

My understanding is that NG has changed this to
checking only Source IPs for spoofing.


--- [email protected] wrote:
> How can this be? Spoofing is about the source
> address, not the destination
> address. I think it would be helpful to see Your
> spoofing settings for all
> interfaces.
>
>                 -&
>
>
> > -----Original Message-----
> > From: Xena Warrior [mailto:[email protected]]
> > Sent: Saturday, 23 February 2002 12:52
> > To: [email protected]
> > Subject: Re: [FW-1] NAT and anti-spoofing
> >
> > I believe the problem with the first NAT rule is that
> > the anti-spoofing check on the interior Interface of
> > FW on NET A is seeing the Destination Address of
> > 192.168.3.1  which has not been identified as a Valid
> > Address.  ( The Destination Address Translation to
> > Alice's IP is the LAST thing done before sending to
> > Alice).  Build a Workstation object for Ed
> > (192.168.3.1) then change the Valid Addresses on NET
> > A's interface to be SPECIFIC > Build a group object
> > that consists of NET A and the new ED workstation
> > object.
> >
> > Hope this helps
> >
> >
> > --- Nico De Ranter <[email protected]> wrote:
> > > Howdy,
> > >
> > > ok, this is a tricky one :-)
> > > I have a configuration which -sort of- looks like
> > > this:
> > >
> > >             net A - 10.0.0.0
> > >                     |
> > >                     |
> > >                 ----------
> > >                 |firewall| ..... 'virtual' net D 10.1.1.0
> > >                 |        |
> > >                 |        |--- net E 192.168.3.0
> > >                 ----------
> > >                     |
> > >                     |
> > >            net B - 192.168.1.0
> > >                     |
> > >                     |
> > >                 ----------
> > >                 | router |
> > >                 ----------
> > >                     |
> > >                     |
> > >            net C - 192.168.2.0
> > >
> > >
> > > - net A is a world-wide WAN which does not know
> > > about net B or net C.  However we have a subnet D
> > > of net A which we use to NAT everything that needs
> > > access to net A.
> > > - net C does not know about net A (router is not
> > > under our control).
> > >   net C does know the way to net E
> > > - The anti-spoofing settings say that valid
> > > addresses for net A interface are 10.x.x.x
> > >
> > > a machine on net C (say: Charlie, 192.168.2.1) needs
> > > to contact a server on net A (say: Alice, 10.2.2.2).
> > > Since net C does not know about net A, I took an
> > > address on net E (say: Ed, 192.168.3.1) and one on
> > > net D known by net A (say: Dany, 10.1.1.1) and
> > > created a NAT rule which says:
> > >
> > > src: Charlie, dst: Ed,    prot: any
> > >         --- translate to -->
> > > src: Dany (hide), dst: Alice (static), prot:
> > > original
> > >
> > > Anybody still following? :-)
> > >
> > > Now if I make a connection from Charlie to Ed
> > > (hoping to end up on Alice), the connection is
> > > rejected on the outgoing net A interface based on
> > > rule 0, meaning anti-spoofing rules.
> > >
> > >
> > > I have another rule saying
> > >
> > > src: net B, dst: net A, prot: any
> > >        --- translate to -->
> > > src: 10.1.1.2 (hide), dst: orig, prot: original
> > >
> > > that one works without problems.
> > >
> > > Any idea how I can fix the problem (except for
> > > turning off anti-spoofing rules which is not an
> > > option)
> > >
> > > thanks in advance,
> > >
> > > Nico
> > >
> > > ---------------------------------------------------------
> > >  "It has been said that there are only two businesses that
> > >   refer to customers as users: illegal drug trade and
> > >                the computer industry."
> > > ---------------------------------------------------------
> > > Nico De Ranter
> > > Sony Service Center (SDCE/VPE-B)
> > > Sint Stevens Woluwestraat 55 (Rue de Woluwe-Saint-Etienne)
> > > 1130 Brussel (Bruxelles), Belgium, Europe, Earth
> > > Telephone: +32 2 724 86 41 Telefax: +32 2 726 26 86
> > > e-mail: [email protected]
> > >
> > > =================================================
> > > To set vacation, Out Of Office, or away messages,
> > > send an email to [email protected]
> > > in the BODY of the email add:
> > > set fw-1-mailinglist nomail
> > > =================================================
> > > To unsubscribe from this mailing list,
> > > please see the instructions at
> > > http://www.checkpoint.com/services/mailing.html
> > > =================================================
> > > If you have any questions on how to change your
> > > subscription options, email
> > > [email protected]
> > > =================================================
> >
> >
> > __________________________________________________
> > Do You Yahoo!?
> > Yahoo! Sports - Coverage of the 2002 Olympic Games
> > http://sports.yahoo.com
> >
> >
>



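The ordering the thread describes (rule 0 evaluated before address translation, on the source of inbound packets and, in CP2000, on the destination of outbound packets) can be walked through with a small model. This is an added example written for this page, not Check Point code and not part of the original thread. It reuses the hosts, nets and the two NAT rules from Nico's post; the interface labels "netA" and "netB", the assumption that net C is listed among net B's valid addresses, and the `outbound_dst_check` switch standing in for the NG behaviour are assumptions of the example.

```python
import ipaddress

# Constructed model of the thread's ordering, not Check Point code:
# rule 0 runs before translation, on the source IP of packets entering an
# interface and (CP2000) on the destination IP of packets leaving one.
# Interface labels and net C's placement on netB are assumptions.

def net(s):
    return ipaddress.ip_network(s)

# interface -> networks accepted by its "valid addresses" anti-spoofing setting
VALID_ADDRESSES = {
    "netA": [net("10.0.0.0/8")],                             # "10.x.x.x" per the post
    "netB": [net("192.168.1.0/24"), net("192.168.2.0/24")],  # net B, plus net C behind the router (assumed)
}

# The fix proposed in the thread: a workstation object for Ed added to net A's valid addresses
VALID_ADDRESSES_FIXED = {
    "netA": VALID_ADDRESSES["netA"] + [net("192.168.3.1/32")],
    "netB": VALID_ADDRESSES["netB"],
}

# (match src, match dst, new src, new dst); None keeps the original address
NAT_RULES = [
    (net("192.168.2.1/32"), net("192.168.3.1/32"), "10.1.1.1", "10.2.2.2"),  # Charlie->Ed  =>  Dany (hide) -> Alice (static)
    (net("192.168.1.0/24"), net("10.0.0.0/8"),     "10.1.1.2", None),        # net B -> net A  =>  10.1.1.2 (hide), dst original
]

def spoof_check(interface, address, valid):
    """Rule 0: the address must fall inside one of the interface's valid networks."""
    return any(ipaddress.ip_address(address) in n for n in valid[interface])

def translate(src, dst, rules):
    """First matching NAT rule wins; unmatched traffic keeps its addresses."""
    for m_src, m_dst, new_src, new_dst in rules:
        if ipaddress.ip_address(src) in m_src and ipaddress.ip_address(dst) in m_dst:
            return new_src or src, new_dst or dst
    return src, dst

def forward(src, dst, in_if, out_if, valid=VALID_ADDRESSES, rules=NAT_RULES,
            outbound_dst_check=True):
    """Return (verdict, src, dst) as the packet would leave out_if.

    Both rule 0 checks see the untranslated addresses, because translation
    is the last step. outbound_dst_check=False models the source-only
    check the top post attributes to NG.
    """
    if not spoof_check(in_if, src, valid):
        return ("dropped by rule 0 (source) on " + in_if, src, dst)
    if outbound_dst_check and not spoof_check(out_if, dst, valid):
        return ("dropped by rule 0 (destination) on " + out_if, src, dst)
    new_src, new_dst = translate(src, dst, rules)
    return ("accepted", new_src, new_dst)

if __name__ == "__main__":
    # Nico's failing rule: Ed (192.168.3.1) is not a valid address on net A
    print(forward("192.168.2.1", "192.168.3.1", "netB", "netA"))
    # Same packet once Ed is added to net A's valid addresses
    print(forward("192.168.2.1", "192.168.3.1", "netB", "netA", valid=VALID_ADDRESSES_FIXED))
    # The net B -> net A hide rule that already worked
    print(forward("192.168.1.5", "10.2.2.2", "netB", "netA"))
    # Source-only checking lets the original rule through without the fix
    print(forward("192.168.2.1", "192.168.3.1", "netB", "netA", outbound_dst_check=False))
```

The first call is dropped by the destination check on netA, the second is accepted and leaves as Dany -> Alice, and the third shows why the net B rule never tripped rule 0: its destination was already inside 10.0.0.0/8. The fourth call shows that a source-only check would have let the original rule work without widening net A's valid addresses.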