Check your properties in the 4.1 SP1 Rule Base Editor.
Is the "Apply Gateway Rules to Interface Direction" set to Eitherbound?
What you describe is the comparison of the packet to the Valid Addresses
defined on the exiting interface. I would suspect that this particular network
connection is being handled by FWXT_DST_STATIC and that the valid,
external DST IP address in the packet header is being rejected by "rule 0".
If this is true, you need only to add this IP address to the Valid Addresses
on the exiting interface, which I suspect to be your internal interface.
See http://www.phoneboy.com/fw1/faq/0044.html for more info on rule 0.
--- Jerald Josephs
----- Original Message -----
From: "Howard Tencer" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Monday, July 10, 2000 1:27 PM
Subject: [FW1] anti spoofing: changed in v4.1???
>
> I've upgraded my firewall from v4.0 sp5 to v4.1 sp1, and since
> implementation, my anti-spoofing as set up for v4.0 denies access to my
> dmz, both to and from.
> Has there been any change in the way fw1 views antispoofing rules?
>
> The one thing I've noticed is that in the logs, an access attempt to the
> dmz is first allowed by one of the policy rules (e.g. rule 22) but
> immediately after, the same access attempt is blocked by rule zero.
> According to the docs, anti-spoofing should block first, so it shouldn't
> even get to be accepted on the rule 22...
>
> Any ideas?
>
> --
> Howard Tencer, CCSE
> Networks and Security 150 York St., Suite 700
> Spectra Securities Software Toronto, ON. M5H 3S5
> [EMAIL PROTECTED] (416) 368 7979
================================================================================
To unsubscribe from this mailing list, please see the instructions at
http://www.checkpoint.com/services/mailing.html
================================================================================