Re: [FW-1] Source IP change after creating uri

[Joe Bloggs <mr_joe_bloggs@FW1-NOSPAMHOTMAIL.COM>]

No that's fine, I'm accepting the uri, however I have Snort running and it
used to pick up the source ip, now it's picks up the fw's ip. Apparently NG
does not do this according to phoneboy.


> From: "Chontzopoulos, Dimitris" <dimitris.chontzopoulos@MEGATRUST.GR>
> Reply-To: Mailing list for discussion of Firewall-1
> <FW-1-MAILINGLIST@beethoven.us.checkpoint.com>
> To: FW-1-MAILINGLIST@beethoven.us.checkpoint.com
> Subject: Re: [FW-1] Source IP change after creating uri
> Date: Thu, 14 Mar 2002 16:11:53 +0200
>
> If you create a URI resource droping traffic to your WEB Servers in the DMZ
> you will actually see the real IP address of the attacker and not the IP
> Address of the Firewall. When you create URI of this type the traffic is
> not
> sent at the WEB Server, it is rejected at the Interface of the FW
> responsible for dropping the rule. So... If you create a URI for blocking
> CodeRed traffic, Nimda etc you should set it at DROP. This actually means
> that the FW will take the packet, process it and then it will REJECT it.
> Only if you create a rule ACCEPTING traffic you will see the IP Address of
> the FW interface and not the IP Address of the Remote whatever. As far as i
> know (i may be wrong though), if accepting with a URI resource you can do
> nothing about your problem and that is because the FW operates in a "Proxy"
> mode (without caching that is...). e.g. Accepting...
>
> 1. Client requests www.somewhere.com
> 2. FW takes packet
> 3. FW initiates connection to www.somewhere.com
> 4. FW gets connected with www.somewhere.com
> 5. FW sends responses to secured client (not secure client)
> 6. Client sees the content of www.somewhere.com
>
> Excuse my tone, i do not want to be offensive, i just don't know another
> way
> to say these things.
> Cheers.
>
> PS. I am not a guru. If someone else knows the correct answer (in case my
> answer is wrong), then please show us the way.
>
>
> -----Original Message-----
> From: Joe Bloggs [mailto:mr_joe_bloggs@HOTMAIL.COM]
> Sent: Thursday, March 14, 2002 2:39 PM
> To: FW-1-MAILINGLIST@beethoven.us.checkpoint.com
> Subject: [FW-1] Source IP change after creating uri
>
>
> I'm using FW 4.1 SP5, anyone any idea how to get the FW to broadcast the
> actual source IP instead of it's int IP after applying a URI resource to a
> rule ? ie would be nice to know what host was attacking your dmz with a
> codered worm etc...
>
> Thanks in advance...
>
> _________________________________________________________________
> MSN Photos is the easiest way to share and print your photos:
> http://photos.msn.com/support/worldwide.aspx
>
> =================================================
> To set vacation, Out Of Office, or away messages,
> send an email to LISTSERV@lists.us.checkpoint.com
> in the BODY of the email add:
> set fw-1-mailinglist nomail
> =================================================
> To unsubscribe from this mailing list,
> please see the instructions at
> http://www.checkpoint.com/services/mailing.html
> =================================================
> If you have any questions on how to change your
> subscription options, email
> fw-1-owner@ts.checkpoint.com
> =================================================




_________________________________________________________________
Get your FREE download of MSN Explorer at http://explorer.msn.com/intl.asp.

=================================================
To set vacation, Out Of Office, or away messages,
send an email to LISTSERV@lists.us.checkpoint.com
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
fw-1-owner@ts.checkpoint.com
=================================================