Hi,
quick question...
When setting up virtual IPs on interfaces on your firewall, i.e.:
hme0    172.16.2.1/24  <- link to internet
hme1    10.0.1.1/24    <- link to internal net
hme1:1  10.0.2.1/24    <- link to internal net
hme2    10.1.1.1/24    <- link to other internal net
hme2:1  10.1.2.1/24    <- link to other internal net
(before you say I could use a different mask on hme1 and hme2, the IPs have
obviously been changed...)
in the firewall object's interface definition, should hme1:1 and hme2:1 be
defined as well as hme0, hme1 and hme2?
The reason I am asking is that there is normally a stealth rule near the top
of the rule base something like:
src   dest      service  action
any   firewall  any      drop
to protect the firewall. If the virtual interfaces are not defined in the
firewall object then the virtual interfaces are still 'visible' to the
subnets. I.e., consider:
rule#  src           dest      service  action
1      --misc rules above--
2      trustedhosts  firewall  ssh      allow
3      any           firewall  any      drop
4      internalnet   any       ssh      allow
5      --misc rules here--
6      any           any       any      drop
If the virtual interfaces are NOT defined in the firewall object, then
internal hosts will be able to connect to the virtual interfaces of the
firewall which rule 3 is meant to protect against.
So, in essence, should virtual interfaces (e.g. hme1:1, hme1:2 etc.) be defined
in the firewall object's interfaces tab?
any comments?
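The concern in the post can be checked mechanically: resolve the "firewall" object to a set of addresses, walk the rulebase first-match, and see which rule handles SSH from an ordinary internal host to every interface address. The script below is an added example, not code from the post or from Check Point; it models the rulebase above with a simplified first-match evaluator, takes the interface table from the post, and assumes the membership of the "trustedhosts" and "internalnet" objects (10.0.1.10, and 10.0.0.0/16 plus 10.1.0.0/16), since the post does not define them.

```python
import ipaddress

# Interface table from the post (addresses are the post's sanitised ones).
# Virtual (alias) interfaces are the ones with ':' in the name.
INTERFACES = {
    "hme0":   "172.16.2.1/24",
    "hme1":   "10.0.1.1/24",
    "hme1:1": "10.0.2.1/24",
    "hme2":   "10.1.1.1/24",
    "hme2:1": "10.1.2.1/24",
}

# Assumed network objects (not defined in the post): one trusted admin host
# and the two internal address ranges.
NETWORK_OBJECTS = {
    "trustedhosts": [ipaddress.ip_network("10.0.1.10/32")],
    "internalnet":  [ipaddress.ip_network("10.0.0.0/16"),
                     ipaddress.ip_network("10.1.0.0/16")],
}

# The rulebase from the post without the "misc" placeholders; first match wins.
RULEBASE = [
    (2, "trustedhosts", "firewall", "ssh", "allow"),
    (3, "any",          "firewall", "any", "drop"),   # stealth rule
    (4, "internalnet",  "any",      "ssh", "allow"),
    (6, "any",          "any",      "any", "drop"),   # cleanup rule
]


def firewall_object(include_virtual):
    """Addresses the 'firewall' object resolves to, with or without the
    virtual interfaces from the interfaces tab."""
    return {
        addr.split("/")[0]
        for name, addr in INTERFACES.items()
        if include_virtual or ":" not in name
    }


def matches(obj, ip, fw_addrs):
    """Does the address ip belong to the named rulebase object?"""
    if obj == "any":
        return True
    if obj == "firewall":
        return str(ip) in fw_addrs
    return any(ip in net for net in NETWORK_OBJECTS[obj])


def first_match(src_ip, dst_ip, service, fw_addrs):
    """Return (rule number, action) of the first matching rule; implicit drop otherwise."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for num, s, d, svc, action in RULEBASE:
        if matches(s, src, fw_addrs) and matches(d, dst, fw_addrs) and svc in ("any", service):
            return num, action
    return None, "drop"


def missing_from_object(fw_addrs):
    """Interface addresses the firewall object does not cover: the stealth
    rule cannot match traffic to these."""
    return {
        name: addr.split("/")[0]
        for name, addr in INTERFACES.items()
        if addr.split("/")[0] not in fw_addrs
    }


def audit_ssh(include_virtual, src_ip="10.0.1.50"):
    """Which rule handles SSH from an ordinary (untrusted) internal host,
    constructed here as 10.0.1.50, to each interface address."""
    fw_addrs = firewall_object(include_virtual)
    return {
        name: first_match(src_ip, addr.split("/")[0], "ssh", fw_addrs)
        for name, addr in INTERFACES.items()
    }


if __name__ == "__main__":
    for flag in (False, True):
        print(f"virtual interfaces in firewall object: {flag}")
        for name, (rule, action) in audit_ssh(flag).items():
            print(f"  {name:7} -> rule {rule}: {action}")
    print("not covered by the stealth rule:", missing_from_object(firewall_object(False)))
```

With the virtual interfaces left out, SSH to 10.0.2.1 and 10.1.2.1 falls through to rule 4 and is allowed; once they are in the object, rule 3 drops it and only the trusted host gets through via rule 2. The missing_from_object check is the one to run against any host whose object definition is edited by hand.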
To unsubscribe from this mailing list, please see the instructions at
http://www.checkpoint.com/services/mailing.html