
[FW1] Add objects, SMTP Sec. Srvr, Anti Spoofing questions






I have three questions for all you Firewall-1 experts...

I am trying to add about 30 service objects (MS Trojan ports to block/log)
to Firewall-1 v4.0 SP2 on NT.  I added a couple manually, then found those
in objects.c.  I created the new objects, then pasted them into objects.c.
But when I look in services, only the two original objects are there.  What
am I missing?  Can this even be done?

I am also trying to set up the SMTP Security server for a site that has
three different mail servers, one for each of three different domains,
(three mx records with three different ISPs...)  All three mail servers are
on the 10.0.0.0 LAN and thus are NATed.  They can't (and don't want to) move
them to the DMZ as each server is at a different site.  Can I service all
three with a single SMTP Security server?  Should I?  If not, what's better?
If yes, which IP address(es) do I enter in the server object, the real or the
NAT?  What is the best way to protect against unauthorized mail relaying?

Finally, I can't get anti-spoofing to work.  The server is currently being
NATed behind the Cisco 1600 router to the ISP.  Only the Firewall's internal
interface is connected to anything during this testing phase.  I have added
routes so that everything will work (I think).  At least, I can ping, surf
and tracert when anti-spoofing on the internal interface is set to "Any".
Any other setting and it fails.  I tried to use a group of Internal-LAN
and Client-Moat (see below) to account for both LAN and NAT addresses (per
the PhoneBoy FAQ), but it still fails with a deny on rule 0.  Is the NAT on
the router screwing it up?  Is what is below more or less the correct
configuration once the server is put into "production"?

The server has 4 interfaces:
   Name          Address       Mask              Anti-Spoofing
   Internal      10.1.1.10     255.255.0.0       ???  [ Should be Moat & LAN ? ]
   External      207.245.x.x   255.255.255.248   Other
   DMZ1          192.168.5.1   255.255.255.0     This Net
   DMZ2          192.168.6.1   255.255.255.0     This Net

Network Objects:
   Client-Moat   207.244.x.0  255.255.255.248
   Internal-LAN  10.0.0.0     255.0.0.0
   DMZ1          192.168.5.0  255.255.255.0
   DMZ2          192.168.6.0  255.255.255.0

If possible, could you copy vossenjp@bigfoot.com on any replies?  I cannot
access the account I'm sending this from on-site, but I can telnet to my
other one.

Thanks in advance for your help!
JP

-----------------------------------------------------------------------
JP Vossen ( jvossen@alphanetcorp.com )
AlphaNet Solutions, Inc.
Alphanumeric Pager: 800-225-0256, PIN 598 0743
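The anti-spoofing question in the post, worked through as an added example. This is my own code, not something from the post, from Check Point, or from the PhoneBoy FAQ: a small Python model of per-interface valid-address checking (the "Any" / "This Net" / "Others" / group settings the message refers to), built on the interface table and network objects given above. The masked 207.24x octets are replaced with constructed documentation addresses (203.0.113.0/29 standing in for Client-Moat, 203.0.113.8/29 for the external interface); the packet list at the bottom is likewise constructed.

```python
"""Model of FW-1 style per-interface anti-spoofing (valid-address) checks.

Added example, not from the post or from Check Point.  Addresses that are
masked in the message are replaced by constructed documentation ranges.
"""
import ipaddress
from typing import Dict, List, Optional, Tuple

# Network objects.  Constructed stand-ins for the post's objects: the
# Client-Moat range is masked in the message, so 203.0.113.0/29 is used.
NETWORK_OBJECTS: Dict[str, str] = {
    "Client-Moat": "203.0.113.0/29",
    "Internal-LAN": "10.0.0.0/8",
    "DMZ1": "192.168.5.0/24",
    "DMZ2": "192.168.6.0/24",
}

# Interface table: name -> (address, netmask, anti-spoofing setting).
# A setting is "any", "this_net", "others", or a list of network-object
# names (the "group of Internal-LAN and Client-Moat" case from the post).
# The external address is a constructed placeholder for the masked value.
INTERFACES: Dict[str, Tuple[str, str, object]] = {
    "Internal": ("10.1.1.10", "255.255.0.0", ["Internal-LAN", "Client-Moat"]),
    "External": ("203.0.113.9", "255.255.255.248", "others"),
    "DMZ1": ("192.168.5.1", "255.255.255.0", "this_net"),
    "DMZ2": ("192.168.6.1", "255.255.255.0", "this_net"),
}


def iface_network(name: str) -> ipaddress.IPv4Network:
    """The directly connected network of an interface ("This Net")."""
    addr, mask, _ = INTERFACES[name]
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def explicit_nets(name: str) -> Optional[List[ipaddress.IPv4Network]]:
    """Networks an interface claims explicitly; None for 'any' and 'others'."""
    setting = INTERFACES[name][2]
    if setting == "this_net":
        return [iface_network(name)]
    if isinstance(setting, list):
        return [ipaddress.ip_network(NETWORK_OBJECTS[obj]) for obj in setting]
    return None


def valid_source(iface: str, src: str) -> bool:
    """True if a packet with source `src` may legitimately arrive on `iface`."""
    ip = ipaddress.ip_address(src)
    setting = INTERFACES[iface][2]
    if setting == "any":
        return True  # no check at all: every source passes
    if setting == "others":
        # Accept any source NOT claimed explicitly by some other interface.
        for other in INTERFACES:
            if other == iface:
                continue
            for net in explicit_nets(other) or []:
                if ip in net:
                    return False
        return True
    nets = explicit_nets(iface) or []
    return any(ip in net for net in nets)


def check_packet(iface: str, src: str, dst: str) -> Tuple[bool, str]:
    """Apply the check and return (accepted, log line).  Drops are logged the
    way the post describes them: as a deny on rule 0."""
    if valid_source(iface, src):
        return True, f"accept  {src} -> {dst} on {iface}"
    return False, f"drop    rule 0 (anti-spoofing) {src} -> {dst} on {iface}"


if __name__ == "__main__":
    # Constructed sample traffic, one tuple per packet: (interface, src, dst).
    for iface, src, dst in [
        ("Internal", "10.1.1.50", "198.51.100.4"),   # LAN host going out
        ("Internal", "192.168.5.7", "198.51.100.4"), # DMZ1 source on Internal
        ("External", "198.51.100.4", "203.0.113.2"), # Internet host replying
        ("External", "10.5.5.5", "10.1.1.50"),       # spoofed private source
        ("DMZ1", "192.168.5.20", "10.1.1.50"),       # DMZ1 host
        ("DMZ1", "10.1.1.50", "192.168.5.20"),       # LAN source on DMZ1
    ]:
        print(check_packet(iface, src, dst)[1])
```

Setting the Internal interface to "any" in the table shows why that setting is unsatisfying as a fix: not only does every source pass on Internal, but `explicit_nets("Internal")` becomes None, so the External interface's "others" check no longer excludes the 10.0.0.0/8 range and a spoofed private source arriving from outside is accepted as well.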



================================================================================
     To unsubscribe from this mailing list, please see the instructions at
               http://www.checkpoint.com/services/mailing.html
================================================================================