From: "Chontzopoulos, Dimitris" <[email protected]>
Reply-To: Mailing list for discussion of Firewall-1 <[email protected]>
To: [email protected]
Subject: Re: [FW-1] Source IP change after creating uri
Date: Thu, 14 Mar 2002 16:11:53 +0200

If you create a URI resource dropping traffic to your WEB Servers in the DMZ,
you will actually see the real IP address of the attacker and not the IP
address of the Firewall. When you create a URI of this type, the traffic is
not sent to the WEB Server; it is rejected at the interface of the FW
responsible for dropping the rule. So... if you create a URI for blocking
CodeRed traffic, Nimda etc., you should set it to DROP. This actually means
that the FW will take the packet, process it and then it will REJECT it.

Only if you create a rule ACCEPTING traffic will you see the IP address of
the FW interface and not the IP address of the Remote whatever. As far as I
know (I may be wrong though), if accepting with a URI resource you can do
nothing about your problem, and that is because the FW operates in a "Proxy"
mode (without caching, that is...). E.g. accepting:

1. Client requests www.somewhere.com
2. FW takes packet
3. FW initiates connection to www.somewhere.com
4. FW gets connected with www.somewhere.com
5. FW sends responses to secured client (not secure client)
6. Client sees the content of www.somewhere.com

Excuse my tone, I do not want to be offensive, I just don't know another way
to say these things.

Cheers.
PS. I am not a guru. If someone else knows the correct answer (in case my
answer is wrong), then please show us the way.
-----Original Message-----
From: Joe Bloggs [mailto:[email protected]]
Sent: Thursday, March 14, 2002 2:39 PM
To: [email protected]
Subject: [FW-1] Source IP change after creating uri

I'm using FW 4.1 SP5. Anyone any idea how to get the FW to broadcast the
actual source IP instead of its int IP after applying a URI resource to a
rule? I.e. it would be nice to know what host was attacking your DMZ with a
CodeRed worm etc...

Thanks in advance...