From: "Greg Winkler" <[EMAIL PROTECTED]>
Subject: [FW1] Partition off a class C within a 10.x.x.x RFC 1918 net

> We use a 10.x.x.x network internally per RFC 1918. Up until today I've
> used a network object of 10.0.0.0 with a mask of 255.0.0.0 to refer to
> all of my internal hosts. 

God I can't imagine what your arp table might look like! :)

> Ideally I would have an object that included all of my
> 10.x.x.x networks EXCEPT for 10.250.1.x. 

Why not just create 2 objects:  ClassA = 10.0.0.0/8,  ClassC = 10.250.1.0/24.
FW1 doesn't care.  When you write your policy, make sure all the rules 
for ClassC are on top of the rules for ClassA.  The sieve effect will deal
with your ClassC first, anything else is implicitly !ClassC, ergo your
ClassA rule gets it next.  At the end of your ClassC rule block explicitly
drop stuff for your ClassC, so your ClassA rules don't "accidentally" get packets 
that didn't match your ClassC rules.

For routing, the same principle applies, more specific to less specific.
Just make sure you have routes defined for 10.0.0.0/8 (general) as well as
10.250.10.0/24 (specific).

Why is this hard?  Am I missing something really obvious?

CT

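Added example (not from the original post or from Check Point): a small Python model of the two points made above, the first-match "sieve" rulebase with the ClassC block on top and an explicit drop closing it, and longest-prefix route selection. The rule names, the 192.0.2.10 server and the next-hop labels are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Objects as described in the post: ClassA = 10.0.0.0/8, ClassC = 10.250.1.0/24.
CLASS_A = ipaddress.ip_network("10.0.0.0/8")
CLASS_C = ipaddress.ip_network("10.250.1.0/24")
ANY = ipaddress.ip_network("0.0.0.0/0")
WEB = ipaddress.ip_network("192.0.2.10/32")  # constructed sample server


@dataclass(frozen=True)
class Rule:
    name: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]  # None means any destination port
    action: str           # "accept" or "drop"

    def matches(self, src_ip: str, dst_ip: str, dport: int) -> bool:
        return (ipaddress.ip_address(src_ip) in self.src
                and ipaddress.ip_address(dst_ip) in self.dst
                and (self.dport is None or self.dport == dport))


def first_match(rulebase: List[Rule], src_ip: str, dst_ip: str, dport: int) -> Tuple[str, str]:
    """FW-1 style sieve: the first matching rule wins; no match means an implicit drop."""
    for rule in rulebase:
        if rule.matches(src_ip, dst_ip, dport):
            return rule.action, rule.name
    return "drop", "implicit-drop"


# ClassC rules first, closed by the explicit drop the post recommends.
CLASS_C_BLOCK = [
    Rule("classc-web", CLASS_C, WEB, 443, "accept"),
    Rule("classc-cleanup", CLASS_C, ANY, None, "drop"),
]
CLASS_A_BLOCK = [Rule("classa-any", CLASS_A, ANY, None, "accept")]
POLICY = CLASS_C_BLOCK + CLASS_A_BLOCK
# Same policy without the cleanup rule: ClassC traffic that misses "classc-web" falls through to ClassA.
POLICY_WITHOUT_CLEANUP = [r for r in POLICY if r.name != "classc-cleanup"]

# Routing: most specific prefix wins regardless of table order.
ROUTES = [(CLASS_A, "core-router"), (CLASS_C, "classc-gateway")]  # constructed next hops


def route_lookup(routes, dst_ip: str) -> Optional[str]:
    """Longest-prefix match over (network, next_hop) pairs."""
    dst = ipaddress.ip_address(dst_ip)
    hits = [(net, nh) for net, nh in routes if dst in net]
    return max(hits, key=lambda h: h[0].prefixlen)[1] if hits else None
```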


================================================================================
     To unsubscribe from this mailing list, please see the instructions at
               http://www.checkpoint.com/services/mailing.html
================================================================================
