> Joseba,
> 
> Your email is a bit confusing.
> I don't understand if the last sentence is a question or just a statement.
> 
> Anyways, on our Checkpoint server we created a Firewall object (workstation
> object) of the firewall itself. (For editing rules that want or try to
> connect directly to the firewall).
> 
> In the properties of that object you have an entry INTERFACES. Here you can
> specify the interfaces for external and internal use. In the properties of
> the INTERNAL interface you
> 
> In the properties of that entry you have a SECURITY option.
> Here you can specify what valid addresses it accepts on its internal
> interface.
> 
> Now you build Network Objects in which you specify your internet addresses.
> By creating a Group Object you can add all the internal addresses (Network
> Objects) to that group.
> 
> In the SECURITY property you can specify a special Object you created on
> your Checkpoint server. If you enter the Group Object you just created here
> then only the internal addresses can spoof the internal interface of your
> firewall. But your firewall wouldn't do anything about it (like routing it).
> 
> If you have done this the firewall will interpretate (probably wrote that
> wrong) it that the networks that are internally can't access the firewall
> externally. So it will drop any packet with an internal address which it
> receives from the external interface.
> 
> Hopefully you got the picture a bit
> 
> Greets
> 
> /B
> 
> -----Original Message-----
> From: Joseba Otero [SMTP:[EMAIL PROTECTED]]
> Sent: Tuesday 7 November 2000 23:56
> To: [EMAIL PROTECTED]
> Subject: Spoofing
> 
> I have four interfaces in my Checkpoint, two for internet and the other two
> for intranet.
> INTERNET:*.*.*.*
> INTRANET:10.*.*.*
> I need only that the firewall drops any intranet source packets (10.*.*.*)
> in the internet interfaces.
> Also, I can't do this with simple rule because the rule applies in all the
> interfaces.
> When I configure the spoofing in the interface property I can select the
> networks that I accept, but I want to put the networks that I deny.
> 
> There is another way to do this (deny packets with source IP 10.*.*.* in the
> Internet interfaces)
> 
> Thanks
> joseba
> 
> -
> [To unsubscribe, send mail to [EMAIL PROTECTED] with
> "unsubscribe firewalls" in the body of the message.]
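The per-interface check described in the quoted reply, as an added example that is not part of the original thread and is a simplified model rather than Check Point's implementation. The interface names, the 10.1/10.2 split of the intranet and all function names are assumptions made for illustration.

```python
import ipaddress

def net(cidr):
    return ipaddress.ip_network(cidr)

# Constructed topology modelled on the question: two intranet interfaces, each
# with a group of valid source networks, and two Internet-facing interfaces.
VALID_ADDRESSES = {
    "int0": [net("10.1.0.0/16")],
    "int1": [net("10.2.0.0/16")],
}
EXTERNAL_INTERFACES = {"ext0", "ext1"}

def in_group(src, group):
    addr = ipaddress.ip_address(src)
    return any(addr in n for n in group)

def verdict(iface, src, valid=VALID_ADDRESSES):
    """Return 'accept' or 'drop' for a packet with source `src` arriving on `iface`."""
    if iface in EXTERNAL_INTERFACES:
        # External side: drop any source address that an internal interface claims.
        claimed = [n for group in valid.values() for n in group]
        return "drop" if in_group(src, claimed) else "accept"
    # Internal side: accept only sources listed as valid for this interface.
    return "accept" if in_group(src, valid.get(iface, [])) else "drop"

def uncovered_intranet(valid=VALID_ADDRESSES, intranet="10.0.0.0/8"):
    """Parts of the intranet range that no internal interface claims.

    Sources in these ranges would still be accepted on an external interface,
    so the internal groups should cover the whole range to be denied.
    """
    remaining = [net(intranet)]
    for group in valid.values():
        for claimed in group:
            kept = []
            for r in remaining:
                if claimed.subnet_of(r):
                    kept.extend(r.address_exclude(claimed))  # carve the claimed net out
                elif not r.subnet_of(claimed):
                    kept.append(r)  # disjoint, keep unchanged
            remaining = kept
    return sorted(remaining)

if __name__ == "__main__":
    for iface, src in [("ext0", "10.1.5.5"), ("ext0", "10.9.9.9"), ("int0", "10.2.5.5")]:
        print(iface, src, verdict(iface, src))
    print("not covered:", [str(n) for n in uncovered_intranet()])
```

In this model a 10.9.9.9 source on `ext0` is accepted because neither internal group lists it; defining the internal groups so they cover all of 10.0.0.0/8 closes that gap.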