Re: Spoof Protection With Firewall-1



In article <NNSdnaTlt8tz82_ZnZ2dnUVZ_vmdnZ2d@xxxxxxxxxxxx> you wrote:

: Can you give an example of this that would work with the spoof
detection?

Will,
The easiest thing is to use automatic NATing. By that I mean that
when defining a host you give it a name and a private IP, and in
the same object's settings, under NAT, you can give it a public IP address.

This will make the spoof detection happy. If, OTOH, you don't specify the
NAT address on the object, but rather choose to define the NATing by
manually inserting a NAT rule, then the spoof detection will kill this
traffic.

This is because (as I said in the previous post) the rule base is
enforced after the packet has been routed internally in the kernel. The
workaround, if you must have a manual NAT rule, is to define the external
IP address of this object, assign it to a group to which the
private network is also assigned, and use this group in the topology for this
NIC.

Lars

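As an added illustration (not part of the original thread, and not Check Point code), the small Python model below reproduces the situation Lars describes: an internal interface whose anti-spoofing topology contains only the private network, a manual static NAT rule for one host, and the workaround of putting the host's external IP into a group together with the private network and using that group as the interface topology. The model follows the post's description that translation has already happened by the time the spoof check is enforced; the exact processing order in a given FireWall-1 version is an assumption here, as are all addresses and the interface name, which are constructed for the example.

```python
"""
Model of an interface-topology anti-spoofing check combined with a manual
static NAT rule, to illustrate the workaround from the post above.

Added example, not Check Point code. Addresses, interface name and the
"NAT before spoof check" ordering are assumptions made for the example.
"""
import ipaddress

# Constructed addresses for the example (not from the post).
PRIVATE_NET = ipaddress.ip_network("10.1.0.0/24")        # LAN behind the internal NIC
PRIVATE_HOST = ipaddress.ip_address("10.1.0.10")         # the host object
PUBLIC_NAT_IP = ipaddress.ip_address("203.0.113.10")     # its external (NAT) address
INTERNAL_IF = "eth1"                                     # assumed internal NIC name

# Manual static NAT rule: private host <-> public IP (source translation
# in the outbound direction is what this model exercises).
MANUAL_NAT = {PRIVATE_HOST: PUBLIC_NAT_IP}


def topology_private_only():
    """Internal NIC topology containing only the private network.

    This is the configuration the post says breaks traffic that is
    translated by a manual NAT rule."""
    return {INTERNAL_IF: [PRIVATE_NET]}


def topology_with_nat_group():
    """Internal NIC topology set to a group holding the private network
    plus the object's external IP (the workaround from the post)."""
    return {INTERNAL_IF: [PRIVATE_NET, ipaddress.ip_network(f"{PUBLIC_NAT_IP}/32")]}


def translate_source(src):
    """Apply the manual static NAT rule to a packet's source address.
    Addresses without a NAT rule are returned unchanged."""
    return MANUAL_NAT.get(src, src)


def anti_spoof_ok(topology, in_if, src):
    """Anti-spoofing: the source must lie inside one of the networks
    defined for the interface the packet arrived on."""
    return any(src in net for net in topology.get(in_if, []))


def inspect_outbound(topology, in_if, src):
    """Model the order described in the post: NAT is applied first, then the
    spoof check is enforced on the translated packet.

    Returns (verdict, effective_source_as_seen_by_the_check)."""
    translated = translate_source(ipaddress.ip_address(src))
    verdict = "accept" if anti_spoof_ok(topology, in_if, translated) else "drop: spoofed"
    return verdict, str(translated)


if __name__ == "__main__":
    for label, topo in (("private net only", topology_private_only()),
                        ("group with NAT IP", topology_with_nat_group())):
        for src in ("10.1.0.10", "10.1.0.20", "198.51.100.7"):
            print(f"{label:18} src={src:14} -> {inspect_outbound(topo, INTERNAL_IF, src)}")
```

Running the block shows the NATed host being dropped as spoofed with the private-network-only topology, accepted once the group containing its external IP is used, and a genuinely foreign source (198.51.100.7, constructed) still dropped in both cases, so the workaround admits only the one translated address rather than widening the interface's topology.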