Spoof Protection With Firewall-1

I need help understanding a problem with Spoof Detection on Firewall-1 4.0
that appears to be rendering it worthless.

On an internal network we have a Firewall-1 4.0 box that has 12 dmz
interfaces attached to it, each of them Class C networks that do not
overlap. I tried to put spoof detection into effect on the firewall as
follows:

1) Edited the Firewall-1 network object

2) Selected each Interfaces tab and hit Edit button

3) For every interface except external, I specified valid addresses as "This
Net"

4) For the external interface, I specified "Others"

As soon as I install that policy, I see packets that should be allowed
through the firewall get an accept on the incoming interface, and then get a
reject on rule 0 as soon as they are passed to the interface with the server
they are trying to reach. I researched this online and got this
explanation:

A "reject" on Rule 0 typically means that an outgoing packet
(one
that has been accepted by your security policy and routed by the
OS) is violating your anti-spoof rules because the packet is
being
routed out the wrong interface. If your Network Address
Translation is misconfigured, you will often have problems with
Anti-Spoofing.

This already concerns me a lot, because it implies that Firewall-1 has no
way to distinguish a packet that has already passed through its security
rules and NAT, from a packet that is incoming on an interface.

Can someone please give me an example of a valid NAT configuration that
would allow spoof detection to work correctly, without causing the packets
to be rejected on rule 0 when they get to the destination interface?

Further confusing me here, packets that are not having destination IPs
modified by NAT are not triggering spoof detection. I don't see how the
spoof detection can trigger when the packet gets to the dmz interface after
being changed by NAT, but not triggered when there is no NAT. In both
cases if the packet's source is a different network, then the Source IP
won't be the same as the Valid Addresses that correspond to the Firewall-1
"This Net" spoof detection setting.

--
Will

Re: Spoof Protection With Firewall-1

Will wrote:
: I need help understanding a problem with Spoof Detection on Firewall-1 4.0
: that appears to be rendering it worthless.

Will,
Wow.. 4.0 is indeed a very very old version. I guess version 4.1 was
released 6 years ago. Or was it 7? Anyhow..

The anti spoofing depends on your config. If you're having manual NAT
rules you need to specify the external ip addresses on the other side of
the network as well. This because the packets are routed before they are
NAT'ed.

Lars

Re: Spoof Protection With Firewall-1

wrote in message
news:ecrhkm$4cs$1@bork.aitel.hist.no...
> The anti spoofing depends on your config. If you're having manual NAT
> rules you need to specify the external ip addresses on the other side of
> the network as well. This because the packets are routed before they are
> NAT'ed.

Can you give an example of this that would work with the spoof detection?

In our NAT rule, we only change the destination address to agree with
addresses in the DMZ networks. We don't modify the source address which is
coming on the external interface. I could certainly modify the external
source address to match one on the local DMZ, but that would be a hysterical
security flaw if I had to do that, in effect hiding external source IPs from
my own internal applications! I just don't see how to do the NAT to make
Firewall-1's spoof detection happy.

I would be glad to see one example that works for any configuration where
NAT rules are use to convert the destination IP that the external host uses
into an IP that is used on a local DMZ (e.g., 10.x.x.x, 192.168.x.x,
172.x.x.x).

--
Will

Re: Spoof Protection With Firewall-1

In article you wrote:

: Can you give an example of this that would work with the spoof
detection?

Will,
The easiest thing is to use automatic NATing. By that I'm meaning that
when defining a host you give it a name+private ip and in
the same object settings under NAT you can give it a public ip address.

This will make the spoof detection happy. If you OTOH don't specify the
NAT address on the object, but rather choose to define the NATing by
manually insert a NAT rule, then the spoof detection will kill this
trafic.

This because (as I said in the previous post) the rule base is
enforced after the packet has been routed internally in the kernel. The
workaround if you must have a manual NAT rule is to define the external
ip address of this object and assign it to a group where also the
private network is assigned and use this group in the topology for this
nic.

Lars

Re: Spoof Protection With Firewall-1

wrote in message
news:eeelj1$ool$1@bork.aitel.hist.no...
> The easiest thing is to use automatic NATing. By that I'm meaning that
> when defining a host you give it a name+private ip and in
> the same object settings under NAT you can give it a public ip address.
>
> This will make the spoof detection happy. If you OTOH don't specify the
> NAT address on the object, but rather choose to define the NATing by
> manually insert a NAT rule, then the spoof detection will kill this
> trafic.
>
> This because (as I said in the previous post) the rule base is
> enforced after the packet has been routed internally in the kernel. The
> workaround if you must have a manual NAT rule is to define the external
> ip address of this object and assign it to a group where also the
> private network is assigned and use this group in the topology for this
> nic.

Now it is very clear. Thanks!

--
Will