
RE: [FW1] unknown established tcp packets...



If you follow Ilya's link to security portal, you will see a thread that
pretty much exactly describes what I am seeing. I suspect this is a problem
in SP2 (or perhaps some default is a bit too sensitive).

My TCP session timeout is quite high in my opinion, and I suspect that the
firewall is much more sensitive to delays in TCP sessions now. Seems like
enough people are seeing the same symptoms as I am.

I don't think it's part of any kind of scan because I have IDS running and
it's pretty obvious when people are even using an nmap stealth scan. It
looks more like parts of valid conversations based on the src/dest and
services.

I am about to heat up an Internet connection via this firewall for a Fortune
500 company and there will be something around 600 users actually using this
firewall. I *really* don't want to start seeing sessions getting dropped all
over the place.

-----Original Message-----
From: [email protected]
[mailto:[email protected]]On Behalf Of
Craig Skelton
Sent: Saturday, September 30, 2000 9:53 PM
To: Carl E. Mankinen; Cristian Nicolae
Cc: [email protected]
Subject: RE: [FW1] unknown established tcp packets...



Send us a sample.. probably a scan of sorts. Maybe some OS fingerprinting.
High numbers over long periods would definitely concern me. Valid source
address? NT firewall?

> -----Original Message-----
> From: [email protected]
> [mailto:[email protected]]On Behalf Of Carl
> E. Mankinen
> Sent: Saturday, September 30, 2000 2:19 PM
> To: Cristian Nicolae
> Cc: [email protected]
> Subject: RE: [FW1] unknown established tcp packets...
>
>
>
> Yeah, I know that these are because there is no state table entry for the
> TCP session, and I know how to make these dropped packet messages go into
> the bit bucket, but that was not really what I was asking....
>
> I was more interested if having a high number of these is normal or a
> symptom of a problem.
>
>
> -----Original Message-----
> From: root [mailto:root]On Behalf Of Cristian Nicolae
> Sent: Saturday, September 30, 2000 5:22 PM
> To: Carl E. Mankinen
> Cc: [email protected]
> Subject: Re: [FW1] unknown established tcp packets...
>
>
> Carl,
> Have a look at
> http://www.phoneboy.com/fw1/faq/0408.html on this problem
> Cristian
>
> "Carl E. Mankinen" wrote:
> >
> > I have been noticing since I upgraded to 4.1 SP2 that my logs are getting
> > a lot more of these rule 0 drops than I had ever seen before.
> > From what I understand, this happens because the firewall is receiving a
> > TCP packet with the established bit set and it has no session information
> > in its state tables to verify that this is a valid conversation.
> >
> > Is this something that just happens a lot with TCP conversations and
> > nothing to be concerned about, or is this a symptom of some problem which
> > I should pay closer attention to? The packets which are causing the rule 0
> > drop are invariably arriving at the outside interface.
> >
> > I know I can prevent this from being logged, but I would rather make sure
> > that I am not covering up a problem before I do this. My interfaces on all
> > my routers look really clean, and the settings on the firewall properties
> > for TCP session timeouts are set for 30 minutes.
> >
> > Could this be a problem with my fw dropping its state table entries?
> >
> >
> > ================================================================================
> >      To unsubscribe from this mailing list, please see the instructions at
> >                http://www.checkpoint.com/services/mailing.html
> > ================================================================================
>
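
Added example (not part of the original thread, and not Check Point's code): a toy state table in Python showing how the two explanations raised above, a session that idled past the TCP timeout and unsolicited probing, both end up as "no state entry" drops, and how grouping the drops by source tells them apart. The addresses are constructed documentation-range values and the `fanout` threshold is an assumption.

```python
from collections import defaultdict

TCP_TIMEOUT = 30 * 60  # idle timeout in seconds (the 30 minutes quoted in the thread)

class StateTable:
    """Toy stateful filter: a SYN creates an entry, any other segment needs one."""
    def __init__(self, timeout=TCP_TIMEOUT):
        self.timeout = timeout
        self.last_seen = {}  # connection key -> time of the last accepted packet
        self.drops = []      # (time, src, sport, dst, dport) with no matching state

    def packet(self, t, src, sport, dst, dport, flags):
        key = tuple(sorted([(src, sport), (dst, dport)]))  # same key both directions
        seen = self.last_seen.get(key)
        if seen is not None and t - seen > self.timeout:
            del self.last_seen[key]  # entry aged out while the session sat idle
            seen = None
        if seen is None and flags != "S":
            self.drops.append((t, src, sport, dst, dport))
            return "drop"
        self.last_seen[key] = t
        return "accept"

def triage(drops, fanout=5):
    """Label each dropped source by how many distinct targets it touched."""
    targets = defaultdict(set)
    for _t, src, _sport, dst, dport in drops:
        targets[src].add((dst, dport))
    return {src: "scan-like" if len(seen) >= fanout else "stale-session-like"
            for src, seen in targets.items()}

def demo():
    """Constructed traffic: one idle web session and one source probing six hosts."""
    fw = StateTable()
    verdicts = [
        fw.packet(0, "10.0.0.5", 40000, "192.0.2.10", 80, "S"),
        fw.packet(1, "192.0.2.10", 80, "10.0.0.5", 40000, "SA"),
        fw.packet(2, "10.0.0.5", 40000, "192.0.2.10", 80, "A"),
        # Server closes 33 minutes later, after the entry has expired.
        fw.packet(2000, "192.0.2.10", 80, "10.0.0.5", 40000, "FA"),
    ]
    for host in range(1, 7):  # unsolicited ACKs, never preceded by a SYN
        fw.packet(2100, "198.51.100.7", 50000 + host, f"10.0.0.{host}", 80, "A")
    return verdicts, triage(fw.drops)

if __name__ == "__main__":
    print(demo())
```

A source whose drops all fall on one address/port pair it was recently talking to points at timeouts; a source touching many pairs with no prior SYN points at probing.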



All contents © 2003 Network Presence, LLC. All rights reserved.