Jose,
You mention that in the interface tab of the gateway object the IP
Addresses for the interfaces are as follows:
* Interfaces tab :
name / Address / Mask / Anti spoof
qe0 / xxx.xxx.xxx.2 / 255.255.255.240 / Others + broadcast
qe1 / xxx.xxx.xxx.16 / 255.255.255.240 / This net
qe2 / xxx.xxx.xxx.32 / 255.255.255.240 / This net
Based upon your netmasking, the displayed addresses are network addresses
not host addresses. I think that they should be:
* Interfaces tab :
name / Address / Mask / Anti spoof
qe0 / xxx.xxx.xxx.2 / 255.255.255.240 / Others + broadcast
qe1 / xxx.xxx.xxx.17 / 255.255.255.240 / This net
qe2 / xxx.xxx.xxx.33 / 255.255.255.240 / This net
Did you do a get "Interfaces with Topology" under the Topology tab of the
gateway object?
Regards,
Ken...
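
Added example (not part of the original thread or of any Check Point tooling): a small check that flags interface addresses entered in a gateway object that are really the subnet's network or broadcast address, or that differ from what the OS reports. The 192.0.2.x addresses are constructed stand-ins for the masked xxx.xxx.xxx values, and the function names are hypothetical.

```python
import ipaddress

# Constructed sample data: 192.0.2.x replaces the masked xxx.xxx.xxx prefix.
IFCONFIG = """
qe0: inet 192.0.2.2 netmask fffffff0 broadcast 192.0.2.15
qe1: inet 192.0.2.17 netmask fffffff0 broadcast 192.0.2.31
qe2: inet 192.0.2.33 netmask fffffff0 broadcast 192.0.2.47
"""
# Interfaces tab as entered in the gateway object: (name, address, mask).
CONFIGURED = [
    ("qe0", "192.0.2.2", "255.255.255.240"),
    ("qe1", "192.0.2.16", "255.255.255.240"),
    ("qe2", "192.0.2.32", "255.255.255.240"),
]

def parse_ifconfig(text):
    """Parse 'name: inet A netmask HEX broadcast B' lines into {name: IPv4Interface}."""
    ifaces = {}
    for line in text.strip().splitlines():
        fields = line.split()
        name = fields[0].rstrip(":")
        addr = fields[fields.index("inet") + 1]
        # Solaris-style ifconfig prints the netmask as bare hex (fffffff0).
        mask = ipaddress.IPv4Address(int(fields[fields.index("netmask") + 1], 16))
        ifaces[name] = ipaddress.IPv4Interface(f"{addr}/{mask}")
    return ifaces

def audit(configured, os_ifaces):
    """Return (name, address, problem) for every suspicious object entry."""
    findings = []
    for name, addr, mask in configured:
        iface = ipaddress.IPv4Interface(f"{addr}/{mask}")
        net = iface.network
        if iface.ip == net.network_address:
            findings.append((name, addr, "network address"))
        elif iface.ip == net.broadcast_address:
            findings.append((name, addr, "broadcast address"))
        elif name in os_ifaces and os_ifaces[name] != iface:
            findings.append((name, addr, f"differs from OS ({os_ifaces[name].ip})"))
    return findings

if __name__ == "__main__":
    for name, addr, problem in audit(CONFIGURED, parse_ifconfig(IFCONFIG)):
        print(f"{name}: {addr} is suspect: {problem}")
```
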
From: "Dpto. de Internet - Jose J. Pedrajas" <[EMAIL PROTECTED]P.ES>
Sent by: Mailing list for discussion of Firewall-1 <FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM>
Date: 03/02/2004 04:57
Please respond to: Mailing list for discussion of Firewall-1 <FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM>
To: [EMAIL PROTECTED]INT.COM
cc:
Subject: [FW-1] Question about Spoofing and too many internal hosts
Hi,
I have a Sun machine with FW-1 and 3 interfaces which are configured as
follows :
qe0: inet xxx.xxx.xxx.2 netmask fffffff0 broadcast xxx.xxx.xxx.15
qe1: inet xxx.xxx.xxx.17 netmask fffffff0 broadcast xxx.xxx.xxx.31
qe2: inet xxx.xxx.xxx.33 netmask fffffff0 broadcast xxx.xxx.xxx.47
I have configured an object for the above machine at FW-1 as follows :
* General tab :
IP : xxx.xxx.xxx.2
Location : internal
Type : gateway
Firewall-1 installed option : check
* Interfaces tab :
name / Address / Mask / Anti spoof
qe0 / xxx.xxx.xxx.2 / 255.255.255.240 / Others + broadcast
qe1 / xxx.xxx.xxx.16 / 255.255.255.240 / This net
qe2 / xxx.xxx.xxx.32 / 255.255.255.240 / This net
The problem is that when I try to do a "ping" (or a dns query) from the ip
yyy.yyy.yyy.yyy to the ip xxx.xxx.xxx.16 (broadcast), I can see at the log
viewer the following line :
Rule / Interface / Source / S_port / Destination / Service / Protocol / Action
0 / -> qe2 / yyy.yyy.yyy.yyy / / xxx.xxx.xxx.16 / / icmp / drop
0 / -> qe2 / yyy.yyy.yyy.yyy / zzzz / xxx.xxx.xxx.16 / domain / udp / drop
The IP xxx.xxx.xxx.16 belongs to qe1 and not to qe2, I don't know why this
packet is redirected to the qe2 interface and not to the qe1. I think that,
in any case, the line should be the following :
Rule / Interface / Source / S_port / Destination / Service / Protocol / Action
0 / -> qe1 / yyy.yyy.yyy.yyy / / xxx.xxx.xxx.16 / / icmp / drop
0 / -> qe1 / yyy.yyy.yyy.yyy / zzzz / xxx.xxx.xxx.16 / domain / udp / drop
On the other hand, if I try to do a "telnet xxx.xxx.xxx.16 bbbb", I see the
following line at log viewer :
Rule / Interface / Source / S_port / Destination / Service / Protocol / Action
aa / -> qe0 / yyy.yyy.yyy.yyy / zzzz / xxx.xxx.xxx.16 / bbbb / tcp / drop
that is, the line in the log is correct.
Besides, I get the typical message of "too many internal hosts detected" as
a consequence of the problem mentioned.
Please, could someone help me?
Thanks and best regards,
Jose
=================================================
To set vacation, Out-Of-Office, or away messages,
send an email to [EMAIL PROTECTED]
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
[EMAIL PROTECTED]
=================================================