|
Posted by Greg Hennessy on September 1, 2006, 3:29 am
If you were Registered and logged in, you could reply and use other advanced thread options
wrote:
>> The 1st nat rule would would be something like
>>
>> dmz-nets dmz-nets any original original any
>
>That's a useful shortcut, thanks!
>
>How do you write the NAT rule in order to have Firewall-1's anti-spoofing
>features not complain about the packet when it arrives on a DMZ interface?
As long as you have client side NAT ticked in the global properties and
anti spoofing properly configured in the gateway's topology it will figure
it out.
>As soon as I turn on anti-spoofing on the DMZ interface, I see packets that
>comply with the ruleset succeed in the log and pass through the firewall to
>the DMZ interface. But then there is a second duplicated message in the
>log with a reject that complains the packet violates the anti-spoofing
>policy.
Sounds like you dont have it properly configured on every interface.
Getting the topology right is essential.
Recommend taking a trawl through the fw1 wizards mailing lists archive and
the forums on www.cpug.org for other useful information regarding starting
out with fw1.
greg
--
Müde lieg ich lieg in der Scheisse,
und niemand weiss, wie ich heisse.
Es gibt nur einen, der mich kennt,
und mich bei meinem Namen nennt.
| 
XML site map