Re: [FW1] Stopping a spoof alert
The fact that it is working if you use "Others" is that the source IP address
<blank> is not defined on any other anti-spoofing rules, so it is allowed.
This is what Check Point's web site says.
How to Configure Anti-Spoofing with DHCP Protocol?
|--------+----------+----+------+-------+-------|
| Number | Date     | NT | Unix | V 2.1 | V 3.0 |
|--------+----------+----+------+-------+-------|
| 0270   | 22/01/98 |    |      | -     |       |
|--------+----------+----+------+-------+-------|
FireWall-1 triggers the Anti-Spoofing, since it detects illegal addresses being
broadcasted when DHCP requests are coming from the workstations, trying to get
an IP address. This is seen by the FireWall as a spoof attempt.
As a solution, you can set up three Network Objects: One with the network, a
second (for workstations) with an address of 0.0.0.0, and a third (for
workstations) with an address of 255.255.255.255, then put them all in an
Anti-Spoofing group.
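To make the check in the Check Point note concrete, here is an added Python model (written for this page, not Check Point code) of the ingress anti-spoofing test: a source address is accepted only if it falls inside the interface's valid-address set, so a DHCP request fails under 'This net' and passes once the group also contains the 'All Zeros' and 'Broadcast' objects. The interface subnet 192.168.10.0/24, the group contents and the log lines are constructed; the blank source of the request is modelled as 0.0.0.0, which the thread notes these protocols use. Fredrik reports below that the documented fix did not work on his 4.0 installation; the model shows only the intended behaviour.

```python
import ipaddress

# Constructed model of the anti-spoofing check described in the thread:
# on ingress, the packet's source must fall inside the address set that is
# valid for the interface. Illustration only, not Check Point's code.

ALL_ZEROS = ipaddress.ip_network("0.0.0.0/32")          # 'All Zeros' object
BROADCAST = ipaddress.ip_network("255.255.255.255/32")  # 'Broadcast' object


def this_net(interface_net):
    """'This net' option: only the interface's own subnet is valid."""
    return [ipaddress.ip_network(interface_net)]


def specific_group(interface_net):
    """'Specific' option with the 'local' group from the thread: the subnet
    plus the two workstation objects named in the Check Point note."""
    return [ipaddress.ip_network(interface_net), ALL_ZEROS, BROADCAST]


def is_spoofed(src_ip, valid_nets):
    """Rule-0 style check: a source in none of the valid nets is a spoof alert."""
    src = ipaddress.ip_address(src_ip)
    return not any(src in net for net in valid_nets)


def evaluate(log_lines, valid_nets):
    """Run the check over constructed 'src dst service' log lines and
    return (line, spoof_alert) pairs."""
    return [(line, is_spoofed(line.split()[0], valid_nets)) for line in log_lines]


# Constructed sample: a DHCP request (bootp) and an ordinary internal packet.
SAMPLE_LOG = [
    "0.0.0.0 255.255.255.255 bootp",
    "192.168.10.25 192.168.10.1 http",
]

if __name__ == "__main__":
    for label, nets in (("This net", this_net("192.168.10.0/24")),
                        ("Specific/local", specific_group("192.168.10.0/24"))):
        for line, alert in evaluate(SAMPLE_LOG, nets):
            print(f"{label:15} {line:35} spoof_alert={alert}")
```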
"Fredrik Palm" <frpa01@handelsbanken.se> on 08/31/99 02:27:19 AM
Please respond to "Fredrik Palm" <frpa01@handelsbanken.se>
To: Stuart Irving/Markham/IBM@IBMCA
cc: fw-1-mailinglist@lists.us.checkpoint.com
Subject: Re: [FW1] Stopping a spoof alert
Hi,
Thanks for the tip, but... sorry, old news. I've already tried it and it still
doesn't make bootp requests get into the ruleset.
I don't agree that there's nothing you can do about it, since the
anti-spoofing is behaving differently depending on whether you use This net/
Specific or Others (I haven't tested Others + as I stated earlier).
If you use Others a bootp request will get into the ruleset. If you use
This net or Specific I still haven't found a way to get it into the
ruleset.
//Fredrik
> You are right that there is a bug but there is nothing you can do about it.
> The way anti-spoofing works is to check the source IP when the packet enters
> the interface and the destination IP when it leaves an interface. Since bootp
> and dhcp do not have a source IP address at the beginning stages there is
> nothing you can define that says NULL.
>
> Wait a minute..... if I remember right, do these protocols not put the IP
> address 0.0.0.0 as the source IP?? Try adding this to the anti-spoofing
> rules.
>
>
> Hi there,
>
> I'm experiencing the exact same problem but on a x86 Solaris +
> FW-1 4.0 SP3 platform. I called my vendor 4 months ago (I've had this
> problem all along 4.0), they logged it to Check Point but I haven't gotten
> a solution so far.
>
> The strange thing is that it hits rule 0 only if you use This net or
> Specific (I haven't tested Others + though). It will not hit rule 0 if you
> use Others.
>
> The answer to your question on how to define the network objects to solve
> this is easy enough: you're not supposed to define network objects, you're
> supposed to define host objects. I found the information in the Managing
> FireWall-1 Using the OpenLook GUI manual on page 37. There is no
> mentioning of it in the Windows GUI manual.
>
> Anyway, it will not do you any good because it doesn't work, you still get
> the spoof alert messages. I've tried defining network objects with a 4x255
> mask, no difference.
>
> To me this is definitely a bug, not being able to get bootp past rule 0
> and into the ordinary ruleset under certain circumstances. I'm still
> waiting for Check Point to resolve.
>
> //Fredrik
>
>
> > Hello,
> >
> > I have FW-1 4.0 sp2 on NT 4.0 sp4. I set up anti-spoofing for all my
> > interfaces and set it to log. For my internal interface I selected the
> > option 'This net'. Now every time a user's machine boots up or tries to
> > renew its IP address (we are using DHCP), the firewall logs an entry with
> > a blank source address, destination address of 255.255.255.255 with
> > service of bootp. Apparently dhcp and bootp use the same port (didn't know
> > that). Anyway I've been trying to find a way to eliminate this while still
> > logging any spoofing. I called up my software support provider and they
> > told me that I have to define a new network object called 'All Zeros' and
> > one called 'Broadcast'. I then put these two objects and the object
> > defining my internal network into a group called 'local'. Then for the
> > anti-spoofing parameter, instead of putting 'this net' I choose 'specific'
> > and specify the 'local' group. Makes sense, only they didn't tell me how
> > to define the two network objects 'All Zeros' and 'Broadcast'. What type
> > of object is it, workstation, network, what? And what are the settings?
> > Can anyone tell if this is even correct and how to define these two
> > objects?
> >
> > Thanks,
> >
> > Joe
================================================================================
> > To unsubscribe from this mailing list, please see the instructions at
> > http://www.checkpoint.com/services/mailing.html
> >
>
================================================================================
> ----------------------------------------------------------
> Fredrik Palm Email: frpa01@handelsbanken.se
> Svenska Handelsbanken Phone: +46-8-7011789
> CDCK-I Fax: +46-8-7011624
> 106 70 Stockholm
> Sweden