Yep.. I made an allowance group for eth2.. but didn't add the 172.x in
the eth2 as I was under the perception that the spoofing will be checked
only at the first interface the packet crosses..




-----Original Message-----
From: Mailing list for discussion of Firewall-1
[mailto:[EMAIL PROTECTED] On Behalf Of Chris
McGill
Sent: Tuesday, April 05, 2005 9:09 PM
To: FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM
Subject: Re: [FW-1] spoofing question

I know you have not defined eth2 as external; you have it defined as
internal, as that is the only way you can make exceptions. What I am
saying is: in eth2, do you have the group object that includes the 172
range that hangs off eth1?








Christopher McGill
CCSA, CCNA, MCP

________________________________

From: Mailing list for discussion of Firewall-1 on behalf of Ramdas,
Venkata (GE Healthcare, non-ge)
Sent: Tue 05/04/2005 11:32
To: FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM
Subject: Re: [FW-1] spoofing question



I haven't defined the eth2 as external. I made an allowance group for
eth2.

So does it mean that, except for the external interface, all other
connections are being checked at all other interfaces, and for the external
interface, the connection is only checked once even if it crosses
multiple interfaces?



v.r


-----Original Message-----
From: Mailing list for discussion of Firewall-1
[mailto:[EMAIL PROTECTED] On Behalf Of Chris
McGill
Sent: Tuesday, April 05, 2005 3:31 PM
To: FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM
Subject: Re: [FW-1] spoofing question

Do you need to make a spoofing allowance on eth2 for 172.24.200.0, as I
assume you have not got it defined as an external interface, and
therefore, the filtering applies to anything that passes through the
interface?  I could be wrong.









Christopher McGill
CCSA, CCNA, MCP

________________________________

From: Mailing list for discussion of Firewall-1 on behalf of Ramdas,
Venkata (GE Healthcare, non-ge)
Sent: Tue 05/04/2005 09:41
To: FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM
Subject: [FW-1] spoofing question



Hello,

Is the spoofing check performed for the same source and destination if it
crosses multiple interfaces?

For example, I have eth1 & eth2 with addressing 192.168.1.1/24 and
192.168.2.1/24 as interfaces and 172.24.200.0, 10.10.10.0/24 as
connecting networks.


172.24.200.0/24 ---                                 ------- 192.168.2.0
                   |--------eth1 ------ eth2-------|
192.168.1.0 -------                                 ------- 10.10.10.0/24




if I need to allow 172.24.200.x to access 10.10.10.0/24

I allowed 172.24.200.x in eth1 spoofing allowances and 10.10.10.0/24 in
eth2 spoofing allowances.. and also configured access rules and routes
too..

Now when somebody is trying from 172.24.200.x to 10.10.10.0/24 , the
packet is getting accepted at eth1.. but getting dropped at eth2..

Could anybody throw some light on this?

I am using Checkpoint NG AI on IPSO 3.7 build 35..

Thanks,

vr

=================================================
To set vacation, Out-Of-Office, or away messages,
send an email to [EMAIL PROTECTED]
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
[EMAIL PROTECTED]
=================================================
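
The behaviour suggested in the replies above, as a small model: every non-external interface a packet passes through checks the source address against that interface's allowance group. This is an added example, not code from the thread or from Check Point; the function names and the check rule are assumptions that model the replies' hypothesis, not FireWall-1's actual enforcement logic, and the group contents are constructed from the addresses in the question.

```python
import ipaddress

# Allowance groups as described in the question (constructed sample data).
ALLOWANCES = {
    "eth1": ["192.168.1.0/24", "172.24.200.0/24"],
    "eth2": ["192.168.2.0/24", "10.10.10.0/24"],
}

# Same groups with the 172 range also added to eth2, as the reply suggests.
FIXED_ALLOWANCES = {
    "eth1": ["192.168.1.0/24", "172.24.200.0/24"],
    "eth2": ["192.168.2.0/24", "10.10.10.0/24", "172.24.200.0/24"],
}


def in_group(addr, networks):
    """True if addr falls inside any network of the allowance group."""
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(net) for net in networks)


def trace(src, path, allowances):
    """Walk the interfaces in order and check the source at each one.

    Assumption (the replies' hypothesis): each interface on the path
    validates the source address. Stops at the first drop, like the
    log entries described in the question.
    """
    verdicts = []
    for ifc in path:
        ok = in_group(src, allowances[ifc])
        verdicts.append((ifc, "accept" if ok else "drop"))
        if not ok:
            break
    return verdicts


def missing_allowances(src, path, allowances):
    """Interfaces on the path whose group does not cover the source."""
    return [ifc for ifc in path if not in_group(src, allowances[ifc])]


if __name__ == "__main__":
    src = "172.24.200.15"  # constructed host in 172.24.200.0/24
    print(trace(src, ["eth1", "eth2"], ALLOWANCES))
    print(missing_allowances(src, ["eth1", "eth2"], ALLOWANCES))
    print(trace(src, ["eth1", "eth2"], FIXED_ALLOWANCES))
```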





