NETWORK PRESENCE ABOUT SERVICES PRODUCTS TRAINING CONTACT US SEARCH SUPPORT
 


Search
display results
words begin  exact words  any words part 

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [FW-1] Source IP change after creating uri



Title: RE: [FW-1] Source IP change after creating uri

If you create a URI resource droping traffic to your WEB Servers in the DMZ you will actually see the real IP address of the attacker and not the IP Address of the Firewall. When you create URI of this type the traffic is not sent at the WEB Server, it is rejected at the Interface of the FW responsible for dropping the rule. So... If you create a URI for blocking CodeRed traffic, Nimda etc you should set it at DROP. This actually means that the FW will take the packet, process it and then it will REJECT it. Only if you create a rule ACCEPTING traffic you will see the IP Address of the FW interface and not the IP Address of the Remote whatever. As far as i know (i may be wrong though), if accepting with a URI resource you can do nothing about your problem and that is because the FW operates in a "Proxy" mode (without caching that is...). e.g. Accepting...

1. Client requests www.somewhere.com
2. FW takes packet
3. FW initiates connection to www.somewhere.com
4. FW gets connected with www.somewhere.com
5. FW sends responses to secured client (not secure client)
6. Client sees the content of www.somewhere.com

Excuse my tone, i do not want to be offensive, i just don't know another way to say these things.
Cheers.

PS. I am not a guru. If someone else knows the correct answer (in case my answer is wrong), then please show us the way.


-----Original Message-----
From: Joe Bloggs [mailto:[email protected]]
Sent: Thursday, March 14, 2002 2:39 PM
To: [email protected]
Subject: [FW-1] Source IP change after creating uri


I'm using FW 4.1 SP5, anyone any idea how to get the FW to broadcast the
actual source IP instead of it's int IP after applying a URI resource to a
rule ? ie would be nice to know what host was attacking your dmz with a
codered worm etc...

Thanks in advance...

_________________________________________________________________
MSN Photos is the easiest way to share and print your photos:
http://photos.msn.com/support/worldwide.aspx

=================================================
To set vacation, Out Of Office, or away messages,
send an email to [email protected]
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
[email protected]
=================================================



 
----------------------------------

ABOUT SERVICES PRODUCTS TRAINING CONTACT US SEARCH SUPPORT SITE MAP LEGAL
   All contents © 2004 Network Presence, LLC. All rights reserved.