Hi,
I have a Sun machine with FW-1 and 3 interfaces which are configured as
follows :
qe0: inet xxx.xxx.xxx.2 netmask fffffff0 broadcast xxx.xxx.xxx.15
qe1: inet xxx.xxx.xxx.17 netmask fffffff0 broadcast xxx.xxx.xxx.31
qe2: inet xxx.xxx.xxx.33 netmask fffffff0 broadcast xxx.xxx.xxx.47
I have configured an object for the above machine at FW-1 as follows :
* General tab :
IP : xxx.xxx.xxx.2
Location : internal
Type : gateway
Firewall-1 installed option : check
* Interfaces tab :
name / Address / Mask / Anti spoof
qe0 / xxx.xxx.xxx.2 / 255.255.255.240 / Others + broadcast
qe1 / xxx.xxx.xxx.16 / 255.255.255.240 / This net
qe2 / xxx.xxx.xxx.32 / 255.255.255.240 / This net
The problem is that when I try to do a "ping" (or a dns query) from the ip
yyy.yyy.yyy.yyy to the ip xxx.xxx.xxx.16 (broadcast), I can see at the log
viewer the following line :
Rule / Interface / Source / S_port / Destination / Service / Protocol / Action
0 / -> qe2 / yyy.yyy.yyy.yyy / / xxx.xxx.xxx.16 / / icmp / drop
0 / -> qe2 / yyy.yyy.yyy.yyy / zzzz / xxx.xxx.xxx.16 / domain / udp / drop
The IP xxx.xxx.xxx.16 belongs to qe1 and not to qe2, I don't know why this
packet is redirected to the qe2 interface and not to the qe1. I think that,
in any case, the line should be the following :
Rule / Interface / Source / S_port / Destination / Service / Protocol / Action
0 / -> qe1 / yyy.yyy.yyy.yyy / / xxx.xxx.xxx.16 / / icmp / drop
0 / -> qe1 / yyy.yyy.yyy.yyy / zzzz / xxx.xxx.xxx.16 / domain / udp / drop
On the other hand, if I try to do a "telnet xxx.xxx.xxx.16 bbbb", I see the
following line at log viewer :
Rule / Interface / Source / S_port / Destination / Service / Protocol / Action
aa / -> qe0 / yyy.yyy.yyy.yyy / zzzz / xxx.xxx.xxx.16 / bbbb / tcp / drop
that is, the line in the log is correct.
Besides, I get the typical message of "too many internal hosts detected" as a
consequence of the problem mentioned.
Please, could someone help me?
Thanks and best regards,
Jose
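
Added example, not part of the original post: subnet arithmetic for the three interfaces listed above, showing which attached network a destination such as xxx.xxx.xxx.16 falls in and whether it is that subnet's network or broadcast address. The masked prefix xxx.xxx.xxx is replaced by the constructed documentation prefix 192.0.2, and the function names are hypothetical.

```python
import ipaddress
import re

# Constructed sample: the post's ifconfig lines, with the masked prefix
# "xxx.xxx.xxx" replaced by the documentation range 192.0.2 (assumption).
IFCONFIG = """\
qe0: inet 192.0.2.2 netmask fffffff0 broadcast 192.0.2.15
qe1: inet 192.0.2.17 netmask fffffff0 broadcast 192.0.2.31
qe2: inet 192.0.2.33 netmask fffffff0 broadcast 192.0.2.47
"""

LINE = re.compile(r"^(\w+): inet (\S+) netmask ([0-9a-fA-F]{8}) broadcast (\S+)$")


def parse_interfaces(text):
    """Return {name: (IPv4Interface, broadcast address stated by ifconfig)}."""
    result = {}
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue
        name, addr, hexmask, bcast = m.groups()
        # Solaris-style hex netmask (fffffff0) -> dotted quad (255.255.255.240)
        mask = ipaddress.IPv4Address(int(hexmask, 16))
        iface = ipaddress.IPv4Interface(f"{addr}/{mask}")
        result[name] = (iface, ipaddress.IPv4Address(bcast))
    return result


def classify(address, interfaces):
    """Return (interface name, role) for the attached subnet containing address."""
    ip = ipaddress.IPv4Address(address)
    for name, (iface, _stated_bcast) in interfaces.items():
        net = iface.network
        if ip not in net:
            continue
        if ip == net.network_address:
            return name, "network address (all-zeros host)"
        if ip == net.broadcast_address:
            return name, "broadcast address (all-ones host)"
        if ip == iface.ip:
            return name, "interface address"
        return name, "host address"
    return None, "not on a directly attached network"


if __name__ == "__main__":
    ifaces = parse_interfaces(IFCONFIG)
    for target in ("192.0.2.16", "192.0.2.31", "192.0.2.32"):
        print(target, "->", classify(target, ifaces))
```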