> Joseba,
>
> Your email is a bit confusing.
> I don't understand if the last sentence is a question or just a statement.
>
> Anyways, on our Checkpoint server we created a Firewall object
> (workstation object) of the firewall itself. (For editing rules that
> want or try to connect directly to the firewall).
>
> In the properties of that object you have an entry INTERFACES. Here you
> can specify the interfaces for external and internal use. In the
> properties of the INTERNAL interface you
>
> In the properties of that entry you have a SECURITY option.
> Here you can specify what valid addresses it accepts on its internal
> interface.
>
> Now you build Network Objects in which you specify your internet
> addresses. By creating a Group Object you can add all the internal
> addresses (Network Objects) to that group.
>
> In the SECURITY property you can specify a special Object you created on
> your Checkpoint server. If you enter the Group Object you just created
> here then only the internal addresses can spoof the internal interface
> of your firewall. But your firewall wouldn't do anything about it (like
> routing it).
>
> If you have done this the firewall will interpretate (probably wrote that
> wrong) it that the networks that are internally can't access the firewall
> externally. So it will drop any packet with an internal address which it
> receives from the external interface.
>
> Hopefully you got the picture a bit
>
> Greets
>
> /B
>
> -----Original Message-----
> From: Joseba Otero [SMTP:[EMAIL PROTECTED]]
> Sent: Tuesday 7 November 2000 23:56
> To: [EMAIL PROTECTED]
> Subject: Spoofing
>
> I have four interfaces in my Checkpoint, two for internet and the other
> two for intranet.
> INTERNET:*.*.*.*
> INTRANET:10.*.*.*
> I need only that the firewall drops any intranet source packets (10.*.*.*)
> in the internet interfaces.
> Also, I can't do this with a simple rule because the rule applies in all
> the interfaces.
> When I configure the spoofing in the interface property I can select the
> networks that I accept, but I want to put the networks that I deny.
>
> There is another way to do this (deny packets with source IP 10.*.*.* in
> the Internet interfaces)
>
> Thanks
> joseba
>
> -
> [To unsubscribe, send mail to [EMAIL PROTECTED] with
> "unsubscribe firewalls" in the body of the message.]
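
An added illustration, not part of the thread and not Check Point's own code: a generic Python model of the per-interface anti-spoofing check described in the reply, where each internal interface lists its valid source networks and the Internet interfaces drop any source that belongs to the internal group. Interface names, subnets and sample packets are constructed assumptions.

```python
import ipaddress

# Constructed topology: two Internet-facing and two intranet interfaces.
# Interface names and subnets are assumptions, not taken from the thread.
VALID_SOURCES = {
    "int0": [ipaddress.ip_network("10.1.0.0/16")],
    "int1": [ipaddress.ip_network("10.2.0.0/16")],
}
EXTERNAL_IFACES = {"ext0", "ext1"}
# Group of all internal addresses; never valid as a source on ext0/ext1.
INTERNAL_GROUP = [ipaddress.ip_network("10.0.0.0/8")]


def in_any(addr, networks):
    return any(addr in net for net in networks)


def check_source(iface, src):
    """Return 'accept' or 'drop' for a packet arriving on iface from src."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return "drop"  # unparsable source address
    if iface in EXTERNAL_IFACES:
        # Accept-list semantics turned around: anything in the internal
        # group is spoofed when it shows up on an Internet interface.
        return "drop" if in_any(addr, INTERNAL_GROUP) else "accept"
    if iface in VALID_SOURCES:
        # Internal interface: only its own networks are valid sources.
        return "accept" if in_any(addr, VALID_SOURCES[iface]) else "drop"
    return "drop"  # unknown interface: fail closed


def audit(packets):
    """Map each (iface, src) pair to its verdict."""
    return [(iface, src, check_source(iface, src)) for iface, src in packets]


if __name__ == "__main__":
    sample = [  # constructed packets
        ("ext0", "10.1.2.3"),
        ("ext1", "198.51.100.7"),
        ("int0", "10.1.2.3"),
        ("int0", "10.2.0.5"),
        ("int1", "198.51.100.7"),
    ]
    for row in audit(sample):
        print(*row)
```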