Hi Ralf:

You should define the anti-spoofing as follows:

On the external interface set "Others" as Valid Addresses.

On the internal interface (10.40.0.0) you should create a group containing this net and a workstation object with the public IP address you use for your web server (let's say 204.32.38.103), and set "Specific" with this group in Valid Addresses. (Remember the NAT should be Static.)

It should work fine this way; I tested it many times.

Let me know if you could make it work.
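To make the two configurations comparable, here is a small model of the valid-address check that the reply describes. It is an added example, not part of either message and not Check Point code: it treats each interface's Valid Addresses as a set of networks, checks the source on the arriving interface and the destination on the leaving interface, and assumes that the destination is still the public address when the p-DMZ interface checks it (which is the behaviour the "This net" drop in the thread suggests). The /16 mask for 10.40.0.0, the web server's private address and the client address are constructed; 204.32.38.103 is the address used in the reply.

```python
from ipaddress import ip_address, ip_network

# Addresses from the thread; the p-DMZ mask is not given, /16 is assumed here.
PDMZ_NET = ip_network("10.40.0.0/16")
PUBLIC_WEB_IP = ip_address("204.32.38.103")   # public address the web server is reached at
WEB_PRIVATE_IP = ip_address("10.40.0.10")     # constructed private address of the web server


def explicit_networks(iface_cfg):
    """Networks an interface explicitly claims ("This net" or a "Specific" group)."""
    spec = iface_cfg["valid"]
    if spec == "This net":
        return [iface_cfg["net"]]
    if spec == "Others":
        return []
    return list(spec)  # "Specific": a group of network / host objects


def address_valid(addr, iface, config):
    """Anti-spoofing test: is addr within the Valid Addresses of iface?"""
    spec = config[iface]["valid"]
    if spec == "Others":
        # "Others" means any address not claimed by some other interface.
        claimed = [n for other, cfg in config.items() if other != iface
                   for n in explicit_networks(cfg)]
        return not any(addr in n for n in claimed)
    return any(addr in n for n in explicit_networks(config[iface]))


def inbound_request(src, dst, config, in_iface="external", out_iface="pdmz"):
    """Model an Internet client connecting to the statically NATed web server.

    Inbound: the source is checked against the arriving interface.
    Outbound: the destination is checked against the leaving interface; in this
    model it is still the public address at that point (assumption, see lead-in).
    """
    if not address_valid(src, in_iface, config):
        return f"dropped: {src} spoofed on {in_iface}"
    if not address_valid(dst, out_iface, config):
        return f"dropped: {dst} not valid on {out_iface}"
    return f"accepted: {src} -> {dst} translated to {WEB_PRIVATE_IP}"


# Ralf's configuration: "Others" outside, "This net" on the p-DMZ interface.
THIS_NET_CONFIG = {
    "external": {"valid": "Others"},
    "pdmz": {"valid": "This net", "net": PDMZ_NET},
}

# Suggested configuration: a "Specific" group holding the p-DMZ net plus the
# workstation object for the public web address.
GROUP_CONFIG = {
    "external": {"valid": "Others"},
    "pdmz": {"valid": [PDMZ_NET, ip_network(f"{PUBLIC_WEB_IP}/32")], "net": PDMZ_NET},
}

CLIENT = ip_address("198.51.100.7")  # constructed Internet client address


if __name__ == "__main__":
    print(inbound_request(CLIENT, PUBLIC_WEB_IP, THIS_NET_CONFIG))
    print(inbound_request(CLIENT, PUBLIC_WEB_IP, GROUP_CONFIG))
    # A packet claiming a p-DMZ source on the external interface is still caught.
    print(inbound_request(ip_address("10.40.1.5"), PUBLIC_WEB_IP, GROUP_CONFIG))
```

The first call reproduces the rule 0 drop on the p-DMZ interface, the second passes once the public address is part of that interface's group, and the third shows that the external "Others" setting still rejects a packet with a private p-DMZ source.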
"Ralf Guenthner" <[EMAIL PROTECTED]>
Sent by: [EMAIL PROTECTED]
To: <[EMAIL PROTECTED]>
cc:
Subject: [FW1] Strange Anti-Spoofing problem on NT
11/10/2000 14:20
Hi list,

I have a strange problem on an NT4 system running FW 4.1 without patches:

The machine has 2 interfaces, one going to the Internet, the other going to -uh- I guess you could call it a pseudo-DMZ (p-DMZ), because this site only has 2 interfaces, so there's no real internal net... anyway, it uses a private address space (10.40.0.0).

A web server was placed in the pseudo-DMZ and should be reachable from the Internet. I added the NAT rules accordingly and created the local.arp file; voila, it worked. But then I tried to set up Anti-Spoofing in the security tab of the firewall's interfaces: Valid Addresses "Others" on the external IF, and "This net" on the p-DMZ interface. After that, connections got dropped because of rule 0!

The log shows that incoming requests are correctly translated to the web server's private IP, but the p-DMZ interface doesn't like the source IP of the packet (or its destination?? There should be a way to tell this more clearly implemented in future versions of the log viewer) and drops it. I created a group containing both the net on the Internet side of the firewall and the net of the p-DMZ and added it to "Specific" in the security tab, but to no avail...

Any ideas? Sorry for being so wordy, but this one really has me puzzled, since I thought I had understood all about Anti-Spoofing...

Cheers
Ralf G.
================================================================================
To unsubscribe from this mailing list, please see the instructions at
http://www.checkpoint.com/services/mailing.html
================================================================================