FireWall-1 FAQ: How to define Anti-Spoofing
Please note: This content was from when I was operating my FireWall-1 FAQ site, which I stopped operating in August 2005. For some reason people still have links to this stuff on the Internet that people are still clicking on.
I am making this information available again AS IS. Given how old this information is, it is likely wildly inaccurate. I have no plans to update this information.
If you're still running versions of Check Point VPN-1/FireWall-1 where this information is still relevant to you, do yourself a favor and upgrade to a more recent release. If you happen to be running a current release and the information is useful, it's by happenstance :)
When I attempt to install my security policy, I get the following error:
You are about to install security policy on a machine without limiting the valid addresses on its interfaces to protect from IP addresses spoofing. Are you sure?
My firewall has 3 network interfaces and I am a bit confused about the definitions given for Valid Addresses when using Spoof Track. Should I use this configuration for my firewall?
le0  This Net  (connection to internet router)
le1  Others    (connection to DMZ)
le2  Others    (connection to router for internal 10.203)
When you assign a set of Valid Addresses (call it valid-addresses) to an interface (call it ifn), you are making the following assertions:
- Only packets with a source IP in valid-addresses may come into ifn.
- Only packets with a destination IP in valid-addresses may be routed out of ifn.
Packets that fail either check are dropped before the rule base is consulted (they show up in the log as Rule 0).
For example, if the valid addresses for le0 are the network 192.168.182.0:
- A packet with source IP address 192.168.182.4 can come into le0.
- A packet with source IP address 192.168.1.8 cannot come into le0.
- A packet with destination IP address 192.168.182.4 can be routed out of le0.
- A packet with destination IP address 10.0.0.4 cannot be routed out of le0.
What are the various Anti-Spoofing options? In 4.1 and earlier, your options are as follows:
- Any (the default)
  All addresses are considered valid on this interface. Note that IP Options checking is still performed in this mode (source routing via IP options is one of the ways spoofed packets get in from the Internet).
- No Security Policy
  No policy at all is enforced on this interface: not only is anti-spoofing skipped, your rule base is skipped as well. Use with extreme caution!
- This Net
  Probably the most misunderstood of the options. It means "the logical network this interface is on." Contrary to popular belief, there is no magic to this: it is exactly the network defined by the interface's IP address and netmask in the interface configuration screen, and nothing else. All other networks are not considered valid for that interface, including networks reachable through a router on that interface.
- Specific
  A group of network objects (networks, hosts) that defines the "valid addresses" for this interface. Typically used where there are multiple networks reachable from this interface and/or when Network Address Translation is used. If a host reachable from this interface has a "translated" IP address, you will need to include the "translated" IP address in this interface's "valid addresses" setting.
- Others
  This is used on the interface facing your Internet connection. Specifically, it means "all IP addresses not specified as valid on any other FireWall-1 interface."
- Others +
  Others, plus a group of objects you specify. This allows you to declare IP addresses that legitimately appear on both your internal and external interfaces. This is usually needed when you are doing NAT in certain situations, running OSPF on both the internal and external interfaces, or running VRRP.
In NG, the options are much simpler:
- External
  Similar to Others above: everything not valid on an internal interface.
- Internal, Not Defined
  No anti-spoofing will be performed on this interface.
- Internal, Network Defined by IP and Net Mask
  Same as "This Net" above, but the name is more self-explanatory.
- Internal, Specific
  A group of network objects (networks, hosts) that defines the "valid addresses" for this interface.
Note that NG automatically takes into account multicast and the all-ones and all-zeros broadcast addresses, so they need not be included in your anti-spoofing definitions.
So in your example above, you will need to first define a network object for network 10.203.0.0 (netmask 255.255.0.0). Let's call it 'network-10.203'. Then:
le0  Others                   (connection to internet router)
le1  This Net                 (connection to DMZ)
le2  Specific: network-10.203 (connection to router for internal 10.203)
This Net would be wrong for le2 because it covers only the link network between the firewall and the internal router, not the 10.203 network behind that router; and Others belongs only on the Internet-facing interface, since it accepts everything not claimed by another interface.
What if I have things that can appear on all interfaces (e.g. the all-ones or all-zeros broadcast)?
In 4.1 and earlier, you will need to add those objects to the valid-addresses group of every interface. For the interface set to Others (the Internet-facing one), create a group containing them and change the setting to Others + referencing that group, since plain Others excludes anything that is listed as valid on another interface.
What About NAT?
In 4.1 and earlier, when NAT is involved you need to make sure the translated address of any static destination translation appears in the anti-spoofing configuration of the interface through which the real host is reached, because the outbound check is made before the destination is translated. In NG, if "Perform Destination Static Translation on Client Side" is enabled in the Global Properties, translation occurs before routing, so the anti-spoofing check already sees the real address and you do not need to include translated addresses in your anti-spoofing configuration. For more information, see Accepted, then Rejected on Rule 0?
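The checks this FAQ describes (source checked inbound, destination checked outbound; This Net versus a Specific group; Others as the complement of the other interfaces; Others + for addresses shared with an internal interface; and the 4.1 versus NG ordering of NAT relative to the checks) modelled in a small Python script, using the three-interface firewall from the question. This is an added example, not code from the FAQ or from Check Point: every address, the route table, the host route for the translated address and the exact ordering of translation relative to the checks are assumptions made for the demo, and the rule base is left out entirely.

```python
# Added example (not from the FAQ or from Check Point): a model of the "Valid Addresses"
# checks.  Interface names and option names follow the FAQ; every address, the route table
# and the NAT ordering are assumptions for this demo, and the rule base is ignored.
from dataclasses import dataclass
from ipaddress import ip_address, ip_interface, ip_network as net

@dataclass
class Interface:
    ip: str             # the interface's own address/mask
    mode: str           # any | this_net | specific | others | others_plus
    group: tuple = ()   # network objects for specific / others_plus

def claimed(iface):
    """Networks an interface explicitly claims; 'Others' is the complement of these."""
    if iface.mode == "this_net":        # exactly the interface IP + netmask, no magic
        return [ip_interface(iface.ip).network]
    if iface.mode in ("specific", "others_plus"):
        return list(iface.group)
    return []

def is_valid(addr, iface, ifaces):
    addr = ip_address(addr)
    if iface.mode == "any":
        return True
    if iface.mode in ("this_net", "specific"):
        return any(addr in n for n in claimed(iface))
    # others: valid unless another interface claims it; others_plus also admits its own group
    if iface.mode == "others_plus" and any(addr in n for n in iface.group):
        return True
    return not any(addr in n for o in ifaces if o is not iface for n in claimed(o))

@dataclass
class Firewall:
    ifaces: dict              # name -> Interface
    routes: list              # (network, out interface name); longest prefix wins
    static_nat: dict          # translated (public) IP -> real IP, destination static NAT
    nat_on_client_side: bool  # the NG option; False models 4.1 (translate after routing)

    def route(self, dst):
        dst = ip_address(dst)
        return max((r for r in self.routes if dst in r[0]), key=lambda r: r[0].prefixlen)[1]

    def forward(self, in_if, src, dst):
        """('drop', reason) or ('accept', out_if, final_dst) for one packet."""
        ifaces = list(self.ifaces.values())
        # inbound: the SOURCE must be valid on the interface the packet arrived on
        if not is_valid(src, self.ifaces[in_if], ifaces):
            return ("drop", f"source {src} not valid on {in_if}")
        if self.nat_on_client_side:          # NG: translate before routing
            dst = self.static_nat.get(dst, dst)
        out_if = self.route(dst)
        # outbound: the DESTINATION must be valid on the interface it leaves by
        if not is_valid(dst, self.ifaces[out_if], ifaces):
            return ("drop", f"destination {dst} not valid on {out_if}")
        if not self.nat_on_client_side:      # 4.1: translate only after the outbound check
            dst = self.static_nat.get(dst, dst)
        return ("accept", out_if, dst)

def build_firewall(nat_on_client_side, le2_extra=()):
    """The three-interface box from the question, set up as the answer says (addresses assumed)."""
    # network-10.203, the group the answer has you create for le2; the le2 link net is
    # included as well so the internal router itself can reach the firewall (my addition)
    group = [net("10.203.0.0/16"), net("192.168.100.0/30")] + [net(x) for x in le2_extra]
    ifaces = {"le0": Interface("192.0.2.1/24", "others"),               # Internet router
              "le1": Interface("172.16.1.1/24", "this_net"),            # DMZ
              "le2": Interface("192.168.100.1/30", "specific", group)}  # internal router
    routes = [(net("0.0.0.0/0"), "le0"), (net("172.16.1.0/24"), "le1"), (net("10.203.0.0/16"), "le2"),
              (net("192.0.2.10/32"), "le2")]   # host route for the translated address (4.x needed one)
    return Firewall(ifaces, routes, {"192.0.2.10": "10.203.1.5"}, nat_on_client_side)

def demo():
    fw41 = build_firewall(False)
    fw41_fixed = build_firewall(False, le2_extra=["192.0.2.10/32"])
    fwng = build_firewall(True)
    return {
        "internet_to_dmz": fw41.forward("le0", "198.51.100.7", "172.16.1.10"),
        "spoofed_internal_source_on_le0": fw41.forward("le0", "10.203.5.5", "172.16.1.10"),
        "internal_to_internet": fw41.forward("le2", "10.203.5.5", "198.51.100.7"),
        "internal_source_on_dmz_interface": fw41.forward("le1", "10.203.5.5", "198.51.100.7"),
        # static NAT 192.0.2.10 -> 10.203.1.5: 4.1 needs the translated address in le2's group
        "nat_41_translated_addr_missing": fw41.forward("le0", "198.51.100.7", "192.0.2.10"),
        "nat_41_translated_addr_added": fw41_fixed.forward("le0", "198.51.100.7", "192.0.2.10"),
        "nat_ng_client_side": fwng.forward("le0", "198.51.100.7", "192.0.2.10"),
    }

def broadcast_needs_others_plus():
    """All-ones broadcast valid everywhere (4.1): listed on the internal groups, it needs Others + on le0."""
    bcast = [net("255.255.255.255/32")]
    le1 = Interface("172.16.1.1/24", "specific", [net("172.16.1.0/24")] + bcast)
    le2 = Interface("192.168.100.1/30", "specific", [net("10.203.0.0/16")] + bcast)
    le0_others = Interface("192.0.2.1/24", "others")
    le0_plus = Interface("192.0.2.1/24", "others_plus", bcast)
    return (is_valid("255.255.255.255", le0_others, [le0_others, le1, le2]),
            is_valid("255.255.255.255", le0_plus, [le0_plus, le1, le2]))

if __name__ == "__main__":
    print(*demo().items(), sep="\n")
    print("broadcast on le0 (Others, Others +):", broadcast_needs_others_plus())
```

Running it, the 4.1 model drops the packet for the NAT'd host on le2 until 192.0.2.10 is added to le2's group, while the NG model with client-side translation accepts it unchanged; a packet arriving on le0 with an internal source, or on the DMZ interface with a 10.203 source, is dropped by the inbound check. The broadcast function shows why an address that is listed on an internal interface can only be admitted on the Internet-facing interface through Others +, never through plain Others.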