
RE: [FW1] Spoof Tracking on the firewall...





FW-1 processes packets in the following manner:

inbound interface:
-> Source addr. is checked by valid addr.
-> Match in the rule base (if inbound or eitherbound inspection)
OS:
-> Routes the packet
outbound interface:
-> Dest. addr. is checked by valid addr.
-> Match in the rule base (if outbound or eitherbound inspection)
-> NAT

Just in case you have not heard these definitions:
'This net' refers to the network behind the chosen
interface, and 'Others' means anything except what is
defined on the other interfaces of the fw.

The group that CP told you to create will be the new valid
address setting for the internal interface.  The group
should include the network behind the internal interface as
well as any static nat'ed addresses.  Changing this setting
is a direct result of the above line 'dest addr is checked...'.
I know it seems somewhat silly, but CP is checking that
the destination address is part of the valid address settings
for the interface (hey, why not be thorough).  If you set
your internal interface as 'specific' and choose the group
that you just created, everything should be ok.

As for it changing between version 3.0b and 4.0 (whether
specific to a platform or not), I do not _believe_ anything
has changed, but please let me know if you find that something
has.

Hope this helps!

-Dave T.

-----Original Message-----
From: owner-fw-1-mailinglist@lists.us.checkpoint.com
[mailto:owner-fw-1-mailinglist@lists.us.checkpoint.com]On Behalf Of
Carlos Roque
Sent: Friday, March 26, 1999 5:00 PM
To: Jerald Josephs
Cc: Iwaszczuk, Jonathan; fw-1-mailinglist@lists.us.checkpoint.com
Subject: RE: [FW1] Spoof Tracking on the firewall...
Importance: High



That seems to be a good option. I might try this in a future installation.
If you take a look at the user guide, the recommendation for internal if is
this net only if there is no other network behind it. On the other hand for
external if it says "use others".

I set up user authentication for the www server and had some problems
authenticating from outside (internet). The checkpoint support person told
me not to use a network group which includes both objects (internal with
static NAT and external with legal ip address of www server). The reason he
gave was that user Auth might not work correctly with these settings. I
changed that to only include the internal www workstation object in the rule
base instead. After some testing and clearing the cache on both browsers (IE
5.0 and Netscape 4.5), everything worked well.

What I think is that my problem was related to browser cache instead of the
group object.


regards

Carlos Roque


> -----Original Message-----
> From: owner-fw-1-mailinglist@lists.us.checkpoint.com
> [mailto:owner-fw-1-mailinglist@lists.us.checkpoint.com]On Behalf Of
> Jerald Josephs
> Sent: Wednesday, March 24, 1999 11:47 PM
> To: Carlos Roque
> Cc: Iwaszczuk, Jonathan; fw-1-mailinglist@lists.us.checkpoint.com
> Subject: Re: [FW1] Spoof Tracking on the firewall...
>
>
>
> The proper settings of Valid Addresses are relevant to your particular
> network setup.
>
> If NAT is blocked as a result of setting Others to the external interface
> and This Net to the internal interface, then it is the FWXT_DST_STATIC
> connections, or those external connections hitting a Static NAT IP address
> and trying to get to your internal server.
>
> I always use Others on the external interface(s)
> I *NEVER* use This Net on the internal interface(s).
>
> I always create group objects that begin with "valid"
> For example, I have valid_iprg_addrs, valid_internal_addrs, and
> valid_pbi_addrs.
>
> In each group, I put the objects that represent my Valid Addresses for the
> interface. For example, my valid_internal_addrs contains a network object
> called "internal" and another called "www".   "www" resolves to the valid,
> external IP address of my web server.   Static NAT translates incoming HTTP
> connections for "www" to "www-internal".
>
> These group objects are used in the Specific field for Valid Addresses.
> The advantage of this method is that I may simply change the Valid
> Addresses for any interface (using a group) by modifying the contents of
> the group rather than the workstation object for my firewall.  It is more
> flexible and easier to manage.
>
> HTH,
>
> --- Jerald Josephs
>
> Carlos Roque wrote:
>
> > Hello,
> >
> > Well for the external if I always use Others. Now for the internal if I
> > use this net, especially if there is no other network behind it.
> >
> > Weeks ago I installed Version 4.0 on Solaris and found out that these
> > settings did not work. After some testing the solution was to set
> > Others + on both sides and include each network number (External and
> > internal nets).
> >
> > regards,
> >
> > Carlos Roque
> >
> > > -----Original Message-----
> > > From: owner-fw-1-mailinglist@lists.us.checkpoint.com
> > > [mailto:owner-fw-1-mailinglist@lists.us.checkpoint.com]On Behalf Of
> > > Iwaszczuk, Jonathan
> > > Sent: Tuesday, March 23, 1999 2:58 PM
> > > To: fw-1-mailinglist@lists.us.checkpoint.com
> > > Subject: [FW1] Spoof Tracking on the firewall...
> > >
> > >
> > >
> > > Hello,
> > >
> > > I have a question about the valid address under the firewall's
> > > interface properties... What are the proper settings? I have a bunch
> > > of options, such as valid, this net, others, others+, what has
> > > everyone else used here? I have a nat on one of my interfaces and I
> > > have found this stops working when I change the settings...
> > >
> > > NT3.0b SP8
> > >
> > > Thanks,
> > >
> > > Jonathan Iwaszczuk
> > >
> > >
> > >
> > >
> > > ================================================================================
> > >      To unsubscribe from this mailing list, please see the instructions at
> > >                http://www.checkpoint.com/services/mailing.html
> > > ================================================================================
> > >
> >
> >
>
> --
> Jerald.Josephs@IPRG.Nokia.COM
> Customer Service Escalation Engineer          (888)477-9824 or (408)990-2525
> Support Services                              http://support.iprg.nokia.com
> Nokia IP Routing                              http://www.iprg.nokia.com
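As an added example, not code from this thread and not Check Point's own code: a small Python model of the processing order Dave lists (inbound source check, route, outbound destination check, then NAT) and of the "valid_*" group objects Jerald describes in the Specific field. It runs the same Internet-to-www connection through two policies, Carlos's original "This Net on the internal interface" and the recommended Specific group that holds the internal net plus the static NAT address, and shows which check drops it. The interface names, the networks (RFC 5737 test ranges), the www addresses and the static NAT table are constructed assumptions; the setting names mirror the thread's "this net", "others", "others +" and "specific".

```python
"""Model of FW-1 style anti-spoofing ("Valid Addresses") checks with static NAT.

Constructed illustration, not Check Point code. Topology, addresses and the
static NAT entry are assumptions chosen for this example.
"""
from ipaddress import IPv4Address, ip_address, ip_network

# Constructed topology: the network directly behind each firewall interface.
INTERFACES = {
    "internal": ip_network("10.0.0.0/24"),
    "external": ip_network("192.0.2.0/24"),
}
# Constructed static NAT: "www" (legal address) -> "www-internal".
STATIC_NAT = {ip_address("192.0.2.80"): ip_address("10.0.0.80")}
DEFAULT_IF = "external"  # destinations matching no interface net go here


def is_valid_for(ifname, setting, addr, group=()):
    """Does `addr` satisfy the Valid Addresses setting of interface `ifname`?

    setting: 'this_net' | 'others' | 'others+' | 'specific'
    group:   address objects (IPv4Address or IPv4Network) used by
             'specific' and 'others+', i.e. a "valid_*" group object.
    """
    def in_group(a):
        return any(a == obj if isinstance(obj, IPv4Address) else a in obj
                   for obj in group)

    def others(a):  # anything not defined behind one of the OTHER interfaces
        return not any(a in net for name, net in INTERFACES.items()
                       if name != ifname)

    if setting == "this_net":
        return addr in INTERFACES[ifname]
    if setting == "others":
        return others(addr)
    if setting == "others+":
        return others(addr) or in_group(addr)
    if setting == "specific":
        return in_group(addr)
    raise ValueError(f"unknown Valid Addresses setting {setting!r}")


def route(dst):
    """Pick the outbound interface. A static NAT public address is routed
    toward the interface of the real host behind it (host route / proxy ARP),
    so the pre-NAT destination reaches the internal interface's check."""
    real = STATIC_NAT.get(dst, dst)
    for name, net in INTERFACES.items():
        if real in net:
            return name
    return DEFAULT_IF


def process(policy, src, dst, in_if):
    """Apply the order from the thread: inbound source check, route, outbound
    destination check, then NAT. `policy` maps interface -> (setting, group).
    Returns (verdict, reason)."""
    src, dst = ip_address(src), ip_address(dst)
    setting, group = policy[in_if]
    if not is_valid_for(in_if, setting, src, group):
        return ("drop", f"spoofed source {src} on {in_if}")
    out_if = route(dst)
    setting, group = policy[out_if]
    if not is_valid_for(out_if, setting, dst, group):
        return ("drop", f"spoofed destination {dst} on {out_if}")
    translated = STATIC_NAT.get(dst, dst)  # NAT happens after the checks
    return ("accept", f"{src} -> {translated} via {out_if}")


# Carlos's original settings: internal = This Net, external = Others.
POLICY_THIS_NET = {
    "internal": ("this_net", ()),
    "external": ("others", ()),
}
# Recommended settings: internal = Specific with a "valid_internal_addrs"
# group holding the internal net and the static NAT address "www".
VALID_INTERNAL_ADDRS = (INTERFACES["internal"], ip_address("192.0.2.80"))
POLICY_SPECIFIC = {
    "internal": ("specific", VALID_INTERNAL_ADDRS),
    "external": ("others", ()),
}

if __name__ == "__main__":
    # Constructed traffic: an Internet client to the web server's legal address,
    # and a packet arriving from outside with an internal source address.
    for name, policy in (("This Net", POLICY_THIS_NET), ("Specific", POLICY_SPECIFIC)):
        print(name, process(policy, "198.51.100.7", "192.0.2.80", "external"))
        print(name, process(policy, "10.0.0.5", "192.0.2.80", "external"))
```

Running it shows the failure Carlos and Jonathan hit: with This Net on the internal interface the connection to 192.0.2.80 passes the inbound source check on the external interface, is routed toward the internal interface, and is then dropped there because the still-untranslated destination is not part of 10.0.0.0/24. With the Specific group it is accepted and translated to 10.0.0.80, while a packet from outside carrying an internal source address is still dropped by the external interface's Others check in both policies.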