Hi there,
I need some help.
Can anyone tell me about the unreasonable activity of the anti-spoofing
configuration of FW-1 v.4.1 SP5?
I have developed the firewall environment with StoneBeat FullCluster
v.2.0 on SPARC Solaris 7, and the environment is briefly described below.
                 ____Test Machine A
                |
 ---------------------------------------------------
          |                                |
    <if#1>|______      external      ______|<if#2>
    |FW-1/SBFC_1|---------------------|FW-1/SBFC_2|
    <if#3>|            internal             |<if#4>
          |                                |
 ---------------------------------------------------
 # if = interface
The problem is that the anti-spoofing rule (rule 0) drops
pings from Test Machine A to FW-1/SBFC_1's internal
network interface.
Pinging both interfaces of FW-1/SBFC_2 is no problem,
though they have the same policy.
The FW-1 management module is on FW-1/SBFC_1 so that both FW-1s
use the same rule base.
I made sure of the rule base synchronization of both FWs.
[Policy Tab]
The policy is exactly correct: "accept echo-request" from
Machine A to both interfaces of the two FWs, and "accept
echo-reply" from both interfaces of the two FWs to Test
Machine A.
[NAT]
No NAT rule is used.
[Property]
# access list tab
"icmp accepted"
# implied rule tab
The "accept icmp" check box is denied (unchecked).
[anti spoofing]
The anti-spoofing policy of both "if#3" and "if#4" was
"this net".
Here is the issue with the ping results from Machine A:
-- ping to "if#3," the far-side interface of
"machine FW-1/SBFC_1," always failed.
-- ping to "if#4," the far-side interface of
"machine FW-1/SBFC_2," always succeeded.
Also, pings to the cluster IP addresses on both (front and back) sides
always succeeded.
In other words, only the ping to FW-1/SBFC_1's internal interface
always fails, though the policy is the same on both gateways.
Actually, a couple of servers are behind the FWs, and pings to
them all succeeded.
Then I set the anti-spoofing rule back to "any"
on FW-1/SBFC_1's internal interface, and the ping
to it succeeded.
Now I have no idea how to explain this problem to my
client.
Could anyone tell me why this error occurs, and some
solutions for it, please?
Thanks in advance.
------------------------------------------------
Keigo Hanaoka <[EMAIL PROTECTED]>
Infrastructure Development Group
Network Solution Div./System Integration Dept
LAC Co.,Ltd. <http://www.lac.co.jp>
<http://www.lac.co.jp/security/english/index.html>
Phone +81-3-5531-0394/Fax +81-3-5531-0395
------------------------------------------------
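To reason about what the two anti-spoofing settings named in the post ("this net" and "any") admit on an interface, here is a simplified model written for this page; it is not Check Point's implementation and does not reproduce the FW-1 code path. The interface names follow the diagram above, while the addresses, the assumption that the external interface if#1 is set to "any", and the sample packets are all constructed for illustration. A plain per-interface check like this one accepts Machine A's echo-request, so when a real gateway drops it at rule 0, the thing to verify first is the network and netmask the gateway has recorded for the "this net" interface, since that definition is what the check is evaluated against.

```python
"""Simplified model of per-interface anti-spoofing ("this net" vs "any").

Constructed example: the addresses, the "any" setting on if#1 and the
check itself are assumptions for illustration, not FW-1's own logic.
"""
import ipaddress
from dataclasses import dataclass


@dataclass
class Interface:
    name: str        # e.g. "if#3" as in the post's diagram
    address: str     # interface address with prefix length (constructed)
    antispoof: str   # "this net" or "any", the two settings named in the post

    @property
    def network(self) -> ipaddress.IPv4Network:
        # The network the gateway believes is directly attached to this interface;
        # a wrong netmask here changes every "this net" verdict below.
        return ipaddress.ip_interface(self.address).network


def passes_antispoof(iface: Interface, src_ip: str) -> bool:
    """Does a packet with source src_ip, arriving on iface, pass the check?

    "this net": only sources inside the interface's directly attached network.
    "any":      the check is disabled for that interface.
    """
    if iface.antispoof == "any":
        return True
    if iface.antispoof == "this net":
        return ipaddress.ip_address(src_ip) in iface.network
    raise ValueError(f"unknown anti-spoofing setting {iface.antispoof!r}")


def evaluate(ifaces: dict, packets: list) -> list:
    """Return (ingress, src, dst, verdict) for each constructed packet."""
    results = []
    for ingress, src, dst in packets:
        ok = passes_antispoof(ifaces[ingress], src)
        results.append((ingress, src, dst, "accept" if ok else "drop (rule 0)"))
    return results


# Constructed addressing for the diagram: external segment 192.0.2.0/24
# (Test Machine A = 192.0.2.10), internal segment 198.51.100.0/24.
FW1 = {
    "if#1": Interface("if#1", "192.0.2.1/24", "any"),         # external, assumed "any"
    "if#3": Interface("if#3", "198.51.100.1/24", "this net"),  # internal, per the post
}

PACKETS = [
    # echo-request from Machine A arriving on the external interface
    ("if#1", "192.0.2.10", "198.51.100.1"),
    # a genuine internal host sending out through the internal interface
    ("if#3", "198.51.100.50", "192.0.2.10"),
    # a packet claiming an external source but arriving on the internal interface
    ("if#3", "192.0.2.10", "198.51.100.1"),
]


def fw1_verdicts(setting_for_if3: str = "this net") -> list:
    """Verdicts for PACKETS with if#3 set to the given anti-spoofing value."""
    ifaces = dict(FW1)
    ifaces["if#3"] = Interface("if#3", FW1["if#3"].address, setting_for_if3)
    return [r[3] for r in evaluate(ifaces, PACKETS)]


if __name__ == "__main__":
    for setting in ("this net", "any"):
        print(setting, fw1_verdicts(setting))
```

With if#3 on "this net" only the third packet, an external source address arriving on the internal interface, is dropped; switching if#3 to "any" accepts all three, which is why loosening that setting makes a failing ping succeed while also giving up the protection the setting exists to provide.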