Juan,

I think you are taking it the wrong way in setting up your anti-spoofing rules in Checkpoint.

Let's say your firewall has 3 nics connected to different networks.

qfe1 = internal network   (ip range 192.168.x.x /24)
qfe2 = DMZ network        (ip range 216.221.x.x /28)
qfe3 = Internet           (the rest)

If the interface is internal (qfe1) and it's a whole subnet then you can just use "this net", or you can make a "network object" in your objects and set this network as "specific [network object]" on your internal interface.

The DMZ interface (qfe2) you can set to "this net", or again make a "network object" and set that one as "specific [network object]" in your qfe2 interface security properties.

The last interface (qfe3) is connected to the internet. This interface you can configure as "others", because every IP address from the internet is OK except your internal and DMZ IP ranges. (You can also block a lot of "wrong" IP ranges that can come from the internet, but I am not going to start on that subject.)

If you specify an antispoof rule in your Checkpoint configuration you can't have one interface set to "others" and another interface on "any"... You must set those settings appropriately.

Well, I hope I made it a bit clearer for you; otherwise maybe phoneboy.com has some information on this subject (I definitely know there is).

Good luck!

Regards,

Brenno
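As an added illustration (not code from the original thread or from Check Point), here is a small Python model of the per-interface "Valid Addresses" logic Brenno describes: "this net"/"specific" accept only the attached network, "others" accepts whatever is not valid on any other interface, and the "Others"/"Any" combination is rejected the way the FireWall-1 error message above rejects it. The interface names follow the reply; the address ranges, mode names and function names are constructed assumptions.

```python
import ipaddress
from typing import Dict, Optional, Tuple

Net = Optional[ipaddress.IPv4Network]
# Per-interface anti-spoofing setting: (mode, network). Modes model the
# FireWall-1 choices discussed in the thread: "this_net", "specific",
# "others", "others_plus" (Others + one extra network) and "any" (no check).
Config = Dict[str, Tuple[str, Net]]

# Constructed example values (not the posters' real addresses), following
# the three-NIC layout in the reply.
INTERFACES: Config = {
    "qfe1": ("this_net", ipaddress.ip_network("192.168.10.0/24")),  # internal
    "qfe2": ("specific", ipaddress.ip_network("216.221.10.0/28")),  # DMZ
    "qfe3": ("others", None),                                       # Internet
}

def check_config(cfg: Config) -> bool:
    """Reproduce the error Juan hit: "Others" is defined relative to the valid
    addresses of the *other* interfaces, so it cannot coexist with an interface
    set to "Any", which claims every address and leaves nothing for "Others"."""
    modes = {mode for mode, _ in cfg.values()}
    if modes & {"others", "others_plus"} and "any" in modes:
        raise ValueError('"Others" on one interface and "Any" on another is prohibited')
    return True

def is_valid_source(iface: str, src: str, cfg: Config = INTERFACES) -> bool:
    """True if a packet with source address src is legitimate on iface;
    False means the anti-spoofing check would drop it."""
    check_config(cfg)
    addr = ipaddress.ip_address(src)
    mode, net = cfg[iface]
    if mode == "any":
        return True
    if mode in ("this_net", "specific"):
        return addr in net
    # "others": accept only what is NOT valid on any other interface
    elsewhere = any(addr in other for name, (_, other) in cfg.items()
                    if name != iface and other is not None)
    if mode == "others":
        return not elsewhere
    if mode == "others_plus":
        return (addr in net) or not elsewhere
    raise ValueError(f"unknown mode {mode!r}")
```

With this layout an internal 192.168.10.x source arriving on qfe3 is rejected, which is exactly the spoofed-packet case the feature exists to catch.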

> -----Original Message-----
> From: Juan L. Zamora [SMTP:[EMAIL PROTECTED]]
> Sent: Tuesday 3 July 2001 1:49
> To:   [EMAIL PROTECTED]
> Subject:      Firewall-1 antispoofing feature
> 
> Hi,
>       Firewall-1 shows an error when setting in the "Valid Addresses" area [Others +] [xxx.xxx.xxx.xxx] (xxx.xxx.... is an IP address which I want to accept packets from and it's an internal address.)
> 
> The error says:
> {....
> The Antispoofing Protection defined for iface1 specifies "Others +" on one interface, and "Any" on another interface.
> This is prohibited.
> ...}
> 
> Just to be sure.
> 
> Should I set the antispoofing protection on the other two interfaces as
> 'This Net'?
> 
> Thanks
> 
> _______________________________________________
> Firewalls mailing list
> [EMAIL PROTECTED]
> http://lists.gnac.net/mailman/listinfo/firewalls