On Tue, Jun 22, 2010 at 10:23 AM, Fred Damstra <[email protected]>wrote:

> As I understand it, antispoofing is enforced on the external interface
> by disallowing any of the IP addresses that are assigned to the
> topology for internal interfaces.  Is this accurate?
>
> What happens if you have multiple firewalls (or multiple clusters of
> firewalls) that are not connected via VPN.  Can IPs that are internal
> to one of the firewalls show up on the external interface of a
> different firewall?
>
>
Something would be wrong if it did; how would your firewall route it? There
should be some kind of NAT prior to this, as external is considered the
internet. If your firewall's 'external' interface is not the internet, then
perhaps you should be clearly defining what exists on that interface.

Typically, you have internal addresses as per RFC 1918 that are not routed
to you via the external interface. And if public addresses are routed to
you, it's usually warranted because you have them on a DMZ or proxy ARP for
them. I can't see a scenario such as that you mention above without there
being some bad network design.

-- 
ciao

JT
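As an added illustration (not part of the original post, and not Check Point's implementation), here is a simplified Python model of the topology-based anti-spoofing check discussed above, extended to show why a second, unrelated gateway's internal range is only caught if it is also private: the interface names, the networks and the explicit RFC 1918 rule are constructed assumptions.

```python
"""Simplified model of topology-based anti-spoofing (constructed example)."""
from ipaddress import ip_address, ip_network

# Constructed topology for one gateway: each internal interface lists the
# networks that sit behind it. Addresses in these ranges must never appear
# as the source of a packet arriving on the external interface.
TOPOLOGY = {
    "eth1-internal": [ip_network("10.10.0.0/16")],
    "eth2-dmz": [ip_network("203.0.113.0/24")],  # public range hosted on the DMZ
}
EXTERNAL_IF = "eth0-external"

# Assumption for this model: private source addresses are also rejected on
# the external side, since they should never be routed in from the internet.
RFC1918 = [
    ip_network("10.0.0.0/8"),
    ip_network("172.16.0.0/12"),
    ip_network("192.168.0.0/16"),
]


def antispoof_verdict(interface, src):
    """Return (verdict, reason) for a packet with source `src` seen on `interface`."""
    src = ip_address(src)
    if interface == EXTERNAL_IF:
        # External: the source must not belong to any internal interface's topology.
        for ifname, nets in TOPOLOGY.items():
            if any(src in n for n in nets):
                return ("drop", f"source belongs to {ifname} topology")
        if any(src in n for n in RFC1918):
            return ("drop", "RFC 1918 source on external interface")
        # A public range behind some other gateway is unknown to this
        # topology, so anti-spoofing alone cannot flag it.
        return ("accept", "source is external")
    # Internal interface: the source must belong to that interface's own topology.
    nets = TOPOLOGY.get(interface)
    if nets is None:
        return ("drop", f"unknown interface {interface}")
    if any(src in n for n in nets):
        return ("accept", f"source matches {interface} topology")
    return ("drop", f"source not in {interface} topology")


if __name__ == "__main__":
    for iface, src in [("eth0-external", "10.10.5.7"),
                       ("eth0-external", "172.20.1.1"),
                       ("eth0-external", "198.51.100.5"),
                       ("eth1-internal", "192.168.1.1")]:
        print(iface, src, antispoof_verdict(iface, src))
```

The 172.20.1.1 case stands in for an address internal to a second, unconnected gateway: this gateway's topology does not list it, so only the private-address rule rejects it, while a public range behind that other gateway passes the check entirely.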



=================================================
To set vacation, Out-Of-Office, or away messages,
send an email to [email protected]
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
[email protected]
=================================================
