what might be a better, less cpu-intensive process would be to create
static routes to the rfc1918 (read it) network space with a next hop of
null0;
don't do this if you are running bgp or ospf.
piranha...
>From: mouss <[EMAIL PROTECTED]>
>To: "Joseba Otero" <[EMAIL PROTECTED]>, <[EMAIL PROTECTED]>
>Subject: Re: Spoofing
>Date: Wed, 08 Nov 2000 10:16:35 +0100
>
>note that it is good practice to deny incoming packets with private class
>addresses:
> 10.0.0.0/8
> 172.16.0.0/12
> 192.168.0.0/16
> 127.0.0.0/8
>and it is also a good idea not to send packets destined to these networks
>to the internet. so deny outgoing packets that have these destinations.
>
>
>cheers,
>mouss
>
>At 23:56 07/11/00 +0100, Joseba Otero wrote:
>>I have four interfaces in my Checkpoint, two for internet and the other
>>two for intranet.
>>INTERNET:*.*.*.*
>>INTRANET:10.*.*.*
>>I need only that the firewall drops any intranet source packets (10.*.*.*)
>>in the internet interfaces.
>>Also, I can't do this with simple rule because the rule applies in all the
>>interfaces.
>>When I configure the spoofing in the interface property I can select the
>>networks that I accept, but I want to put the networks that I deny.
>>
>>Is there another way to do this (deny packets with source IP 10.*.*.* in
>>the Internet interfaces)?
>>
>>Thanks
>>joseba
>>
>>-
>>[To unsubscribe, send mail to [EMAIL PROTECTED] with
>>"unsubscribe firewalls" in the body of the message.]
>
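The per-interface filtering discussed in this thread, as an added Python example that is not from any of the posters and is not Check Point configuration: it applies the two rules from the quoted reply (drop inbound packets whose source is in the listed prefixes, drop outbound packets whose destination is in them) on internet-facing interfaces only. The interface names and sample packets are constructed for illustration.

```python
import ipaddress

# Prefixes listed in the thread: RFC 1918 space plus loopback.
BLOCKED = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# Hypothetical interface roles for a four-interface firewall (assumption).
INTERFACES = {"ext0": "internet", "ext1": "internet",
              "int0": "intranet", "int1": "intranet"}


def in_blocked(addr):
    """Return the blocked prefix containing addr, or None."""
    ip = ipaddress.ip_address(addr)
    return next((n for n in BLOCKED if ip in n), None)


def decide(iface, direction, src, dst):
    """Evaluate one packet; direction is "in" (arriving) or "out" (leaving).

    Raises KeyError for an unknown interface instead of silently accepting.
    Returns (verdict, reason).
    """
    if INTERFACES[iface] != "internet":
        return "accept", "not an internet interface"
    if direction == "in" and (net := in_blocked(src)):
        return "drop", f"source in {net}"
    if direction == "out" and (net := in_blocked(dst)):
        return "drop", f"destination in {net}"
    return "accept", "no rule matched"


# Constructed sample packets: (iface, direction, src, dst)
SAMPLES = [
    ("ext0", "in", "10.1.2.3", "198.51.100.10"),      # intranet source from outside
    ("ext1", "in", "203.0.113.7", "198.51.100.10"),   # ordinary inbound traffic
    ("int0", "in", "10.1.2.3", "203.0.113.7"),        # same source, intranet side
    ("ext0", "out", "198.51.100.10", "192.168.5.5"),  # private destination leaking out
    ("ext0", "in", "172.32.0.1", "198.51.100.10"),    # just outside 172.16.0.0/12
]

if __name__ == "__main__":
    for pkt in SAMPLES:
        print(pkt, "->", decide(*pkt))
```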