Ok, I understand. I'm going to probe it and I will tell you what I have done and how.
Thank you very much ;)
>>> Carl E. Mankinen <[EMAIL PROTECTED]> 24/08/00 15:35 >>>
I just told you how.
You can't specify interfaces like you do in ipchains, because it does not look at the actual interface when making ANY decisions. It will check packets that arrive at a given interface for IP address spoofing depending on your settings, but that is not really a "rule".
Packets are not destined for or sourced from the firewall's interfaces (IP addresses), so you really should have a rule like SRC=ANY DEST=FW1 ACTION=DROP to stealth the firewall, and the FW1 object will cover all its interfaces.
Using the IP address of any interface on the firewall is rather pointless. Why would the packets be destined for the firewall? Makes no sense.
If you want a rule to only apply to a given interface, then you have to cleverly define source and destination to create that effect, but like I said, this will not work as expected if you have overlapping address ranges across the interfaces.
Generally, you would probably have networks that could easily be combined with the NEGATE modifier to produce the effect you want.
What are you trying to accomplish?
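Carl's explanation above (rules match on source, destination and service and never on the interface; a stealth rule on an FW1 object covering every interface address; NEGATE to emulate "external only"), together with the per-interface ipchains rules Luis posted, modelled as an added Python example that is not from the thread or from FireWall-1 itself; the topology, addresses, rule semantics and function names are assumptions:

```python
import ipaddress
from dataclasses import dataclass

# Added example, not from the thread: toy model of the two matching styles. An
# ipchains rule names an interface; a FW-1 rule (as Carl describes it) sees only
# source/destination/service, optionally NEGATEd; only anti-spoofing sees the interface.
Net = ipaddress.IPv4Network
ANY = [Net("0.0.0.0/0")]

@dataclass
class Fw1Rule:
    src: list                 # network objects (a group of them)
    dst: list
    action: str               # "accept" or "drop"
    negate_src: bool = False  # the NEGATE modifier on the source column
    negate_dst: bool = False

def _in(addr, nets):
    return any(addr in n for n in nets)

def fw1_decide(rules, src, dst, iface=None, default="drop"):
    """First match wins; 'iface' is deliberately ignored (the rulebase never sees it)."""
    src, dst = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for r in rules:
        if (_in(src, r.src) ^ r.negate_src) and (_in(dst, r.dst) ^ r.negate_dst):
            return r.action
    return default

def antispoof_ok(topology, iface, src):
    """A source must lie behind its arrival interface; external (no nets) gets the rest."""
    src, inside = ipaddress.IPv4Address(src), [n for v in topology.values() for n in v]
    return _in(src, topology[iface]) if topology[iface] else not _in(src, inside)

# Constructed topology: eth0 internal, eth1 DMZ, eth2 external. All firewall
# addresses are grouped into the FW1 object that the stealth rule uses.
TOPOLOGY = {"eth0": [Net("10.1.0.0/16")], "eth1": [Net("10.2.0.0/16")], "eth2": []}
FW1 = [Net("10.1.0.1/32"), Net("10.2.0.1/32"), Net("198.51.100.1/32")]
INTERNAL = TOPOLOGY["eth0"] + TOPOLOGY["eth1"]
WEB = [Net("10.2.0.80/32")]
RULEBASE = [
    Fw1Rule(ANY, FW1, "drop"),                          # SRC=ANY DEST=FW1 ACTION=DROP
    Fw1Rule(INTERNAL, WEB, "accept", negate_src=True),  # "from outside only" via NEGATE
]

def check(iface, src, dst):
    """Anti-spoofing is the only interface-aware step; returns 'spoofed', 'accept' or 'drop'."""
    if not antispoof_ok(TOPOLOGY, iface, src):
        return "spoofed"
    return fw1_decide(RULEBASE, src, dst, iface)
```

Note that `fw1_decide` returns the same verdict whatever interface a packet arrived on; a source inside a range that exists behind two interfaces can therefore never be separated by the rulebase, which is the overlap caveat Carl mentions.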
----- Original Message -----
From: Luis Angel Fernandez Escabias <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Thursday, August 24, 2000 9:18 AM
Subject: Re: [FW1] Apply rule to an interface
Sure...
Well, I'll start by saying that I have just arrived at firewall-1 this week, and that I came from ipchains with Linux ;)
For example, when I configured any firewall, I always defined some rules like these:
EXTERNAL_INTERFACE=eth2
BROADCAST_SRC=0.0.0.0
BROADCAST_DEST=255.255.255.255
ipchains -A input -i $EXTERNAL_INTERFACE -s $BROADCAST_DEST -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -d $BROADCAST_SRC -j DENY -l
ipchains -A output -i $EXTERNAL_INTERFACE -s $BROADCAST_DEST -j DENY -l
ipchains -A output -i $EXTERNAL_INTERFACE -d $BROADCAST_SRC -j DENY -l
Note that I can define rules for the output and input chains of each interface. I think that this is very powerful; I need to know how to do this in firewall-1.
These four rules are applied only to the external interface; the first two for the input chain and the last two for the output chain. In this way I was able to control the broadcast packets that arrive at the external interface, and I could specify what to do with the incoming and the outgoing packets. I think this is a very good way to control very specific traffic at the different interfaces of a machine.
I think that in Firewall-1 this is possible too, but I don't know how...
Can anybody translate these rules from ipchains to firewall-1 for me? It will be great for me because I would see how this firewall works.
Thanks a lot.
>>> Carl E. Mankinen <[EMAIL PROTECTED]> 24/08/00 14:47 >>>
Rules aren't specified on the basis of the Firewall interface.
As a matter of fact, it's best to have all the IP addresses of the firewall stealthed so that any packet destined for the firewall itself is dropped.
So rules are based on source address, destination address and service type.
You couldn't specify a rule to allow ANY source going to ANY destination only on one interface. Usually you would be using different subnets on each interface so that proper routing could occur anyway...
----- Original Message -----
From: James Edwards <[EMAIL PROTECTED]>
To: 'Luis Angel Fernandez Escabias' <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
Sent: Thursday, August 24, 2000 8:01 AM
Subject: RE: [FW1] Apply rule to an interface
>
> Unless I am seriously mistaken, each interface has a separate IP address
> and, at least in my setup, is specified pretty much as a separate machine.
> What you want to do should be very simple. Just set each interface/IP
> address as a unique workstation and then you can use that to specify your
> rules.
>
> Jim Edwards
> Systems Manager
> Texas Secretary of State
>
>
> -----Original Message-----
> From: Luis Angel Fernandez Escabias [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, August 24, 2000 2:40 AM
> To: [EMAIL PROTECTED]
> Subject: [FW1] Apply rule to an interface
>
>
>
> Hi...
>
> I want to define some rules to only the external interface of my firewall,
> can I do it with the GUI client?
>
> For example, with ipchains, I can define a rule to a single interface:
>
> ipchains -A output -i eth1 -s $CLASS_A -j DENY -l
>
> That rule is only applied to the output chain of the eth1 interface. I want
> to make this with firewall-1, but I don't see how in the GUI client. Can
> anybody help me?
> Thanks a lot.
> ================================================================================
> To unsubscribe from this mailing list, please see the instructions at
> http://www.checkpoint.com/services/mailing.html
> ================================================================================