Search

	display results
words begin exact words any words part

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [FW1] Partition off a class C within a 10.x.x.x RFC 1918 net

To: Greg Winkler <[email protected]>, [email protected]
Subject: Re: [FW1] Partition off a class C within a 10.x.x.x RFC 1918 net
From: Scott Schindler <[email protected]>
Date: Thu, 30 Nov 2000 15:05:24 -0600
References: <OFDD0650F1.094B72CF-ON862569A7.006F4BFE@huntsman>
Sender: [email protected]

Too easy is bad.  We don't want easy security configurations. ;) (sarcasm
for those that do not possess it)

Yes you can get around this but the only way I know of other than
re-networking and re-subnetting your network is to use another RFC 1918
network.

Too many people think that using 10.x.x.x  with a classful "A" subnet mask
is a good idea for their environment.  You are not the first to have to deal
with these issues.

Simply using another network and mask is great if you can do it all through
DHCP over the weekend and at most change 10-15 non DHCP based servers, but
you will server yourself well using 192.168.x.0.

Just don't use a class "B" subnet mask with it or you will find yourself
here again later.  If you use the 172.16 (etc.) networks, you have a harder
time hanging yourself.

----- Original Message -----
From: "Greg Winkler" <[email protected]>
To: <[email protected]>
Sent: Thursday, November 30, 2000 2:32 PM
Subject: [FW1] Partition off a class C within a 10.x.x.x RFC 1918 net


>
> We use a 10.x.x.x network internally per RFC 1918. Up until today I've
> used
> a network object of 10.0.0.0 with a mask of 255.0.0.0 to refer to all of
> my
> internal hosts. It has been very convenient to use this in my rules, for
> example "internal any http accept". I now have a need to "partition off"
> a
> class C subnet from that 10.x.x.x range, for example 10.250.1.x. This
> class
> C net will become a fourth leg on a firewall, that can no longer be
> considered part of my "internal" network.
>
> My issue is how do I define an object or objects that will let me
> differentiate in my rules between my internal 10.x.x.x net and this
> oddball
> 10.250.1.x net. Ideally I would have an object that included all of my
> 10.x.x.x networks EXCEPT for 10.250.1.x. I've puzzled myself trying to
> come
> up with a subnetting scheme and a network object to no avail. The idea
> of
> actually creating object for my literally hundreds of internal 10.x.x.x
> networks is unappealing to say the least.
>
> My other option is to grab one of the other RFC 1918 nets and use this
> for
> the fourth leg. But that would be TOO easy and I wanted to see if there
> might be a way to do it some other fashion.
>
> ------------------------------------------------------------------------
> ----------------
>
> Greg Winkler
> Systems Manager, IT&S
> Huntsman Corporation
> Internet Mail: [email protected]
> Voice:> Fax:>
>
>
>
> ========================================================================
> ========
>      To unsubscribe from this mailing list, please see the instructions
> at
>                http://www.checkpoint.com/services/mailing.html
> ========================================================================
> ========


================================================================================
     To unsubscribe from this mailing list, please see the instructions at
               http://www.checkpoint.com/services/mailing.html
================================================================================

References:
- [FW1] Partition off a class C within a 10.x.x.x RFC 1918 net
  - From: "Greg Winkler" <[email protected]>

Prev by Date: Re: [FW1] Securemote issue
Next by Date: [FW1] Nokia VRRP vs. Checkpoint HA
Previous by thread: [FW1] Partition off a class C within a 10.x.x.x RFC 1918 net
Next by thread: RE: [FW1] Partition off a class C within a 10.x.x.x RFC 1918 net
Index(es):
- Date
- Thread