[FW1] Stopping a Spoof Alert
Hi all,
We just installed FW-1 4.0 SP2 on a test machine, and we ran into an
interesting situation.
The firewall object has anti-spoofing defined on its interfaces. The
external interface has "Others", and the internal interface has "Specific -
LocalSpoof". LocalSpoof is a group with 3 objects: AllZeros (defined as
0.0.0.0), Broadcast (defined as 255.255.255.255), and localnet (defined as
our entire internal network). We've asked it to log any internal spoofing.
We are getting quite a number of log entries for bootp packets. The source
field is blank, and the destination field is 255.255.255.255. We have a
rule in the rule base to drop these packets without logging, but the log
entries show them as being rejected by rule 0 (the anti-spoofing rule).
We had this exact same configuration running (correctly) under 3.0b patch
3045. I thought that by including the AllZeros entry in LocalSpoof, and
putting that on the internal interface, it wouldn't consider a bootp
packet a spoof attempt. That way, we could handle it via the rulebase.
Has anyone else had this problem? If so, how do you fix it? Thanks in
advance.
Ray
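To make the expected behaviour concrete, here is an added Python model of the interface anti-spoofing check Ray describes (an illustration written for this page, not Check Point code and not anything posted in the thread). The interface names and the 10.1.0.0/16 "localnet" range are assumed; a blank source field is treated as 0.0.0.0, which is how a DHCP/bootp DISCOVER is sourced.

```python
import ipaddress

# Assumed internal network standing in for the poster's "localnet" object.
LOCALNET = ipaddress.ip_network("10.1.0.0/16")

# The LocalSpoof group from the post: AllZeros, Broadcast and localnet.
LOCAL_SPOOF = [
    ipaddress.ip_network("0.0.0.0/32"),
    ipaddress.ip_network("255.255.255.255/32"),
    LOCALNET,
]

# "specific": only these networks are valid *source* addresses on the interface.
# "others": any source not claimed by some other interface's "specific" set.
INTERFACES = {
    "eth0_external": {"mode": "others"},
    "eth1_internal": {"mode": "specific", "networks": LOCAL_SPOOF},
}

def allowed_source(iface, src):
    """True if src is a legitimate source address arriving on iface."""
    src = ipaddress.ip_address(src or "0.0.0.0")  # blank source field -> 0.0.0.0
    cfg = INTERFACES[iface]
    if cfg["mode"] == "specific":
        return any(src in net for net in cfg["networks"])
    # "Others": reject only if another interface explicitly owns this source.
    for name, other in INTERFACES.items():
        if name != iface and other["mode"] == "specific":
            if any(src in net for net in other["networks"]):
                return False
    return True

def classify(iface, src, dst):
    """'rule 0 spoof' if anti-spoofing rejects the packet, else 'rulebase'
    (i.e. the packet goes on to be matched against the normal rules)."""
    return "rulebase" if allowed_source(iface, src) else "rule 0 spoof"

def spoof_alerts(records):
    """Return the (iface, src, dst) tuples that anti-spoofing would log."""
    return [r for r in records if classify(*r) == "rule 0 spoof"]

# Constructed sample traffic: a bootp DISCOVER on the inside, a normal
# internal host, an inside address showing up on the outside, and a
# bootp DISCOVER arriving from the outside.
SAMPLE = [
    ("eth1_internal", "", "255.255.255.255"),
    ("eth1_internal", "10.1.2.3", "192.0.2.10"),
    ("eth0_external", "10.1.2.3", "10.1.0.1"),
    ("eth0_external", "0.0.0.0", "255.255.255.255"),
]
```

With AllZeros in the internal interface's group, the inside bootp packet passes the check and reaches the rulebase, which is the outcome the post expects; the same packet on the external interface is correctly treated as a spoof because 0.0.0.0 is claimed by the internal interface.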
================================================================================
To unsubscribe from this mailing list, please see the instructions at
http://www.checkpoint.com/services/mailing.html
================================================================================