
[FW-1] Anti Spoofing Question



Hi folks;

I have a question on Anti Spoofing rules, here's the scoop:

Phone Boy states that you should use "Others +" as follows:
Others +
This allows you to specify IP addresses that appear on both your internal and external interfaces. This is usually needed when you are doing NAT in certain situations, running OSPF on both the internal and external interfaces, or running VRRP.
reference: http://www.phoneboy.com/faq/0061.html

I'm confused by why this might be required for VRRP. My understanding of Anti Spoofing is that it is based on "Source", not "Destination", IP addresses. I've asked locally if this reference might have to do with the VRRP multicast address 224.0.0.18, to which they replied yes but without further explanation. When I view the logs I see traffic from the firewall interface addresses going to 224.0.0.18 but do not see any traffic that originates from that address. I did a simple failover test and things seemed to work OK. I have not done extensive testing to see if some sessions are dropped when they shouldn't be or other strange things are happening, as it's difficult to do in a production environment. I'd hate to include the 224.0.0.18 address on any interface if it's not needed.

Any ideas, comments or suggestions would be appreciated.

Thanks in advance,

Ken


   All contents © 2004 Network Presence, LLC. All rights reserved.