Firewall-1

[FW-1] Address Spoofing problems with R55

Subject: [FW-1] Address Spoofing problems with R55
From: Chris Cameron <Chris.Cameron AT NETTHRUPUT DOT COM>
To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
Date: Wed, 26 May 2004 08:41:40 -0600

Upgraded from FP2 to R55, moved the rules over with upgrade_import/export. All
that worked fine.

However, in my SmartTracker I'm now seeing a number of packets being dropped
due to "Address Spoofing". Most of the traffic being dropped is legitimate
traffic either trying to do DNS queries, or get to our webserver. The IP
addresses being dropped are all real, routable IPs.

Our firewall does static NAT for a number of servers behind it. It also
maintains a VPN connection to our internal network at the office, which uses
non-routable address space.

hme0 is external, hme1 is internal.

Some of the dropped packets (sanitized), Firewall-1 IP 216.210.2.1, static NAT
IPs start with 216.210.2.x, Internal IPs with 10.0.x.x, the rest are remote
clients (connecting):

Number:         780
Date:                   26May2004
Time:                   8:12:37
Product:        VPN-1 & FireWall-1
Interface:      hme1
Origin:                 fw1host (216.210.2.1)
Type:                   Log
Action:                 Drop
Service:        https (443)
Source:         remote-client.com (64.82.12.37)
Destination:    staticnatweb (216.210.2.10)
Protocol:       tcp
Source Port:    39532
Information:    message_info: Address spoofing


Number:         781
Date:                   26May2004
Time:                   8:12:45
Product:        VPN-1 & FireWall-1
Interface:      hme1
Origin:                 fw1host (216.210.2.1)
Type:                   Log
Action:                 Drop
Service:        https (443)
Source:         10.0.121.114
Destination:    internalweb (10.0.120.10)
Protocol:       tcp
Source Port:    3816
Information:    message_info: Address spoofing

Number:         764
Date:                   26May2004
Time:                   8:11:47
Product:        VPN-1 & FireWall-1
Interface:      hme1
Origin:                 fw1host (216.210.2.1)
Type:                   Log
Action:                 Drop
Service:        https (443)
Source:         remote-client2.com (214.201.34.2)
Destination:    staticnatweb (216.210.2.10)
Protocol:       tcp
Source Port:    18312
Information:    message_info: Address spoofing



Even with a -lot- of these types of dropped packets, everything appears to
work fine. Clients are all able to connect (even when they have dropped
packets logged).

Any ideas? It isn't strictly internal (VPN) IPs that are getting logged as
spoofed, and this is what confuses me.


Thanks,
Chris
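
Added example, not part of the original message: a small Python triage script that parses log records in the "Field: value" layout shown above and counts the "Address spoofing" drops by arriving interface and by source/destination network. The two network ranges are assumptions read from the post's description ("10.0.x.x" and "216.210.2.x"), and the sample records are constructed from the sanitized entries in the post.

```python
import ipaddress
import re
from collections import Counter

# Assumed from the post's description ("10.0.x.x", "216.210.2.x"), not a real rulebase.
NETS = {"internal": ipaddress.ip_network("10.0.0.0/16"),
        "static-nat": ipaddress.ip_network("216.210.2.0/24")}

# Constructed sample in the same "Field: value" layout as the records in the post.
SAMPLE = """\
Number:         780
Interface:      hme1
Source:         remote-client.com (64.82.12.37)
Destination:    staticnatweb (216.210.2.10)
Information:    message_info: Address spoofing

Number:         781
Interface:      hme1
Source:         10.0.121.114
Destination:    internalweb (10.0.120.10)
Information:    message_info: Address spoofing
"""

def parse_records(text):
    """Split on blank lines; each record becomes a dict of field -> value."""
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = (line.partition(":") for line in block.splitlines())
        rec = {k.strip(): v.strip() for k, sep, v in fields if sep}
        if rec:
            records.append(rec)
    return records

def classify(field):
    """Map 'name (a.b.c.d)' or a bare 'a.b.c.d' to a network label."""
    m = re.search(r"\(([\d.]+)\)\s*$", field)
    try:
        ip = ipaddress.ip_address(m.group(1) if m else field.strip())
    except ValueError:
        return "unresolved"  # name only, no address in the record
    return next((name for name, net in NETS.items() if ip in net), "external")

def spoof_summary(text):
    """Count spoofing drops by (interface, source class, destination class)."""
    counts = Counter()
    for rec in parse_records(text):
        if "address spoofing" in rec.get("Information", "").lower():
            counts[(rec.get("Interface", "?"), classify(rec.get("Source", "")),
                    classify(rec.get("Destination", "")))] += 1
    return counts
```

Calling `spoof_summary()` on an exported log gives one count per (interface, source network, destination network) combination, which makes it easy to see which interface the dropped sources arrived on.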
