Great Circle Associates Firewalls
(November 1996)

Subject: FW-1 and IP Spoofing
From: Frank Kargl <Frank.Kargl@rz.uni-ulm.de>
Date: Thu, 7 Nov 1996 20:25:50 +0100 (MET)
To: firewalls@greatcircle.com (Firewalls Mailing List)
Reply-to: frank.kargl@rz.uni-ulm.de

Hi everyone ...

I have a rather strange question concerning the internals of Checkpoint's
Firewall-1. First I want to describe a specific setup to you:

Internet<->Cisco1<->Sun/FW-1<->Switch<->Cisco2<-->int.net
                                  ^
                                  |
                                  v
                                Server

Due to a shortage of IP addresses at a provider, I was forced to use a
very small subnet of IP addresses (netmask 255.255.255.248) for all the
machines. The addresses are like this (addresses changed, of course):

Cisco1:   198.49.12.22 and unnumbered ISDN interface
Sun/FW1:  198.49.12.17 and 198.49.12.18
Switch:   198.49.12.19
Server:   198.49.12.20
Cisco2:   198.49.12.21 and internal address

With the right mixture of Host-, Network- and default-routes you get this
thing to work. Cisco1 has a host route to 198.49.12.17 and a network route
for 198.49.12.16 to 198.49.12.17. The Sun has a host route for
198.49.12.22 to 198.49.12.17 and a network route for 198.49.12.16 to
198.49.12.18. All the other machines have default routes to
198.49.12.18 and a network route to the internal network.

My question is whether and how the FW-1 software is able to get it right
and deny spoofed packets on the exterior interface claiming to
be one of the internal hosts (esp. the server), or if this setup means any
severe security risk.

Regards ... Frank

-- 
------------------------------------------------------------------------------
   Frank Kargl (aka Comram)    Computing Center, University of Ulm, Germany
   Email: frank.kargl@rz.uni-ulm.de   http://www.uni-ulm.de/kargl/ (->PGP-Key)
   Tel.(Uni): 0731-502-2509  Tel.(Privat): 0731-553972  Eplus: 0177-5539510
------------------------------------------------------------------------------
 Logic, logic, logic...Logic is the beginning of wisdom, Valeris, not the end
             [Spock --- Star Trek VI: "The Undiscovered Country"]
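The security-relevant point in the question above is that the /29 is split across both firewall interfaces: 198.49.12.22 (Cisco1) lives on the outside, while .19, .20 and .21 live on the inside. A per-interface anti-spoofing rule that can only name whole networks must therefore either declare the /29 "inside" (and drop legitimate traffic from Cisco1) or "outside" (and accept a forged 198.49.12.20 arriving on the external interface). The following is an added example, not code from the post or from Check Point, that models the check at host granularity and compares it with the two network-granularity choices. The addresses are the (changed) ones given in the post; the internal network behind Cisco2 is not stated, so 10.0.0.0/8 is a placeholder, and 192.0.2.9 is a constructed "ordinary Internet host" address.

```python
import ipaddress

# Addresses from the post (the author notes they are changed).
SHARED_NET = ipaddress.ip_network("198.49.12.16/29")
CISCO1 = ipaddress.ip_address("198.49.12.22")      # external router, same /29
SUN_EXT = ipaddress.ip_address("198.49.12.17")     # firewall, external side
SUN_INT = ipaddress.ip_address("198.49.12.18")     # firewall, internal side
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")  # placeholder: not given in the post
FIREWALL_ADDRS = {SUN_EXT, SUN_INT}
EXT, INT = "ext", "int"                            # the two firewall interfaces


def inside_addresses():
    """Addresses that may legitimately originate on the internal side of the
    firewall: the /29 minus the host on the outside (Cisco1) and the firewall's
    own addresses. The internal network is handled separately as a prefix."""
    return set(SHARED_NET.hosts()) - {CISCO1} - FIREWALL_ADDRS


def host_granular_check(interface, src):
    """Anti-spoofing with per-host exceptions. True means the source address is
    plausible on that interface; False means treat the packet as spoofed."""
    ip = ipaddress.ip_address(src)
    if ip in FIREWALL_ADDRS:
        return False  # the firewall's own addresses never arrive as a remote source
    is_inside = ip in inside_addresses() or ip in INTERNAL_NET
    if interface == INT:
        return is_inside
    if interface == EXT:
        return not is_inside
    raise ValueError(f"unknown interface {interface!r}")


def network_granular_check(interface, src, shared_is_inside):
    """Anti-spoofing that can only reason in whole prefixes, the way a
    per-interface 'valid addresses' list is usually written. The split /29 must
    be declared entirely inside (shared_is_inside=True) or entirely outside."""
    ip = ipaddress.ip_address(src)
    is_inside = ip in INTERNAL_NET or (shared_is_inside and ip in SHARED_NET)
    if interface == INT:
        return is_inside
    if interface == EXT:
        return not is_inside
    raise ValueError(f"unknown interface {interface!r}")


def compare_policies():
    """Constructed sample packets (interface, source); returns each policy's
    verdict so the false positives and false negatives can be seen side by side."""
    samples = [
        (EXT, "198.49.12.22"),  # Cisco1 talking to the firewall: legitimate
        (EXT, "198.49.12.20"),  # the server's address arriving from outside: spoofed
        (EXT, "10.1.2.3"),      # an internal address arriving from outside: spoofed
        (EXT, "192.0.2.9"),     # ordinary Internet host (TEST-NET-1): legitimate
        (INT, "198.49.12.20"),  # the server sending outbound: legitimate
        (INT, "192.0.2.9"),     # an Internet address on the inside interface: spoofed
    ]
    results = {}
    for iface, src in samples:
        results[(iface, src)] = {
            "host_granular": host_granular_check(iface, src),
            "net_granular_29_inside": network_granular_check(iface, src, True),
            "net_granular_29_outside": network_granular_check(iface, src, False),
        }
    return results


if __name__ == "__main__":
    for (iface, src), verdicts in compare_policies().items():
        print(f"{iface:>3} {src:<14}", verdicts)
```

Running it shows the trade-off the post is asking about: with the /29 declared inside, Cisco1's 198.49.12.22 is dropped on the external interface; with the /29 declared outside, a forged 198.49.12.20 passes on the external interface and the real server is blocked on the internal one. Only the host-granular policy gets all six samples right, which is why a split subnet like this needs the anti-spoofing address lists written down to individual hosts rather than to the netmask.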